| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 15 Jun 2012 16:21:00 +0200 From: security@...driva.com To: full-disclosure@...ts.grok.org.uk Subject: [ MDVSA-2012:092 ] postgresql -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2012:092 http://www.mandriva.com/security/ _______________________________________________________________________ Package : postgresql Date : June 15, 2012 Affected: 2010.1, 2011., Enterprise Server 5.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been discovered and corrected in postgresql: Fix incorrect password transformation in contrib/pgcrypto's DES crypt() function (Solar Designer). If a password string contained the byte value 0x80, the remainder of the password was ignored, causing the password to be much weaker than it appeared. With this fix, the rest of the string is properly included in the DES hash. Any stored password values that are affected by this bug will thus no longer match, so the stored values may need to be updated (CVE-2012-2143). Ignore SECURITY DEFINER and SET attributes for a procedural language's call handler (Tom Lane). Applying such attributes to a call handler could crash the server (CVE-2012-2655). This advisory provides the latest versions of PostgreSQL that is not vulnerable to these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2655 http://www.postgresql.org/docs/8.3/static/release-8-3-19.html http://www.postgresql.org/docs/8.4/static/release-8-4-12.html http://www.postgresql.org/docs/9.0/static/release-9-0-8.html _______________________________________________________________________ Updated Packages: Mandriva Linux 2010.1: 31e716bcf05db9b48f3550a71240c0c5 2010.1/i586/libecpg8.4_6-8.4.12-0.1mdv2010.2.i586.rpm 2b06427838d6c9da9e3a2250d46bbf77 2010.1/i586/libpq8.4_5-8.4.12-0.1mdv2010.2.i586.rpm 0d9eea713a681f0a1afe5058c8858508 2010.1/i586/postgresql8.4-8.4.12-0.1mdv2010.2.i586.rpm f469befc008741292b48f676f6e7594b 2010.1/i586/postgresql8.4-contrib-8.4.12-0.1mdv2010.2.i586.rpm cd43a60afb151f41e5532cbfdbd87a8f 2010.1/i586/postgresql8.4-devel-8.4.12-0.1mdv2010.2.i586.rpm 8242397b23fcd4dadf95aedecddc9bbd 2010.1/i586/postgresql8.4-docs-8.4.12-0.1mdv2010.2.i586.rpm 193eff696b587b39ea2d76d389b9588d 2010.1/i586/postgresql8.4-pl-8.4.12-0.1mdv2010.2.i586.rpm cfe0dfff1179eadb28367137062e3f63 2010.1/i586/postgresql8.4-plperl-8.4.12-0.1mdv2010.2.i586.rpm 2ddf2d0e3ffc6a42f5fe7b59d4cb397c 2010.1/i586/postgresql8.4-plpgsql-8.4.12-0.1mdv2010.2.i586.rpm 1692696454818be65ebd6843b2071af1 2010.1/i586/postgresql8.4-plpython-8.4.12-0.1mdv2010.2.i586.rpm 0663c2e4731f0b251eeaa945b7063867 2010.1/i586/postgresql8.4-pltcl-8.4.12-0.1mdv2010.2.i586.rpm a4e20a562ea2cfe827ed740276c26fff 2010.1/i586/postgresql8.4-server-8.4.12-0.1mdv2010.2.i586.rpm 87ec6e03f819dfd6a6d0ddd4b49faada 2010.1/SRPMS/postgresql8.4-8.4.12-0.1mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: 952ffec02dacc14529546c038f1620d1 2010.1/x86_64/lib64ecpg8.4_6-8.4.12-0.1mdv2010.2.x86_64.rpm 4fabe0b7c83ce1316e05704947278165 2010.1/x86_64/lib64pq8.4_5-8.4.12-0.1mdv2010.2.x86_64.rpm 57691383c476a7ec09ecd8ea59e63ffe 2010.1/x86_64/postgresql8.4-8.4.12-0.1mdv2010.2.x86_64.rpm 95f22a8e62f990643caae129102154d1 2010.1/x86_64/postgresql8.4-contrib-8.4.12-0.1mdv2010.2.x86_64.rpm 328fd48956c65b492c6ac581a3bc5e96 2010.1/x86_64/postgresql8.4-devel-8.4.12-0.1mdv2010.2.x86_64.rpm aaff2d79751fcf79d725774abcc0775c 2010.1/x86_64/postgresql8.4-docs-8.4.12-0.1mdv2010.2.x86_64.rpm e417de571aa3411c67197ef43d4e9b99 2010.1/x86_64/postgresql8.4-pl-8.4.12-0.1mdv2010.2.x86_64.rpm f7533cef4e593926bc010f4260f7b1b1 2010.1/x86_64/postgresql8.4-plperl-8.4.12-0.1mdv2010.2.x86_64.rpm 52e34c35fc3b0edf76e557d6a3631948 2010.1/x86_64/postgresql8.4-plpgsql-8.4.12-0.1mdv2010.2.x86_64.rpm 70fe1e458b09d882ed4d30245cb28e6e 2010.1/x86_64/postgresql8.4-plpython-8.4.12-0.1mdv2010.2.x86_64.rpm 5922cc411a1a0da57f73d774455e30c3 2010.1/x86_64/postgresql8.4-pltcl-8.4.12-0.1mdv2010.2.x86_64.rpm ba669c2058fa72a3861b6631b2dd0933 2010.1/x86_64/postgresql8.4-server-8.4.12-0.1mdv2010.2.x86_64.rpm 87ec6e03f819dfd6a6d0ddd4b49faada 2010.1/SRPMS/postgresql8.4-8.4.12-0.1mdv2010.2.src.rpm Mandriva Linux 2011: bfc282293884669f2f9a70a496b8fdbf 2011/i586/libecpg9.0_6-9.0.8-0.1-mdv2011.0.i586.rpm 26e6ef59c62c9e60022cb46531b43fe8 2011/i586/libpq9.0_5-9.0.8-0.1-mdv2011.0.i586.rpm 63fa0fdeffc3d6c6649298243528be32 2011/i586/postgresql9.0-9.0.8-0.1-mdv2011.0.i586.rpm 3fb6213e2b73d974d2487cc6b63ae93c 2011/i586/postgresql9.0-contrib-9.0.8-0.1-mdv2011.0.i586.rpm 8724432a78b0405a47871472d3833450 2011/i586/postgresql9.0-devel-9.0.8-0.1-mdv2011.0.i586.rpm 55ed204a26f7caa0e9923dd5fe64a343 2011/i586/postgresql9.0-docs-9.0.8-0.1-mdv2011.0.i586.rpm e2b291ed6993681fb5fdf778d0aa3001 2011/i586/postgresql9.0-pl-9.0.8-0.1-mdv2011.0.i586.rpm d854e2c7cbe287ec9752517de725a95e 2011/i586/postgresql9.0-plperl-9.0.8-0.1-mdv2011.0.i586.rpm 812ff48ff0ae3080cd4caa91c71aecaf 2011/i586/postgresql9.0-plpgsql-9.0.8-0.1-mdv2011.0.i586.rpm d6ccf9a1ea0de1d2181beb8905ecb147 2011/i586/postgresql9.0-plpython-9.0.8-0.1-mdv2011.0.i586.rpm 911db5377d27dadd70f69a40c2fdcac0 2011/i586/postgresql9.0-pltcl-9.0.8-0.1-mdv2011.0.i586.rpm edb9c92ece4940f59fbcd64483ca1e9d 2011/i586/postgresql9.0-server-9.0.8-0.1-mdv2011.0.i586.rpm 577118b95056f170481457c9b3e53c7d 2011/SRPMS/postgresql9.0-9.0.8-0.1.src.rpm Mandriva Linux 2011/X86_64: 2aef3f6f025d8b4e9747358aaf252b4e 2011/x86_64/lib64ecpg9.0_6-9.0.8-0.1-mdv2011.0.x86_64.rpm f57f9ed8f01b83b26d8c602455c1cc26 2011/x86_64/lib64pq9.0_5-9.0.8-0.1-mdv2011.0.x86_64.rpm 2c101ccdf890faa85f13b1ad04fd8262 2011/x86_64/postgresql9.0-9.0.8-0.1-mdv2011.0.x86_64.rpm 88c2f34ca727db81361c671b258e9fad 2011/x86_64/postgresql9.0-contrib-9.0.8-0.1-mdv2011.0.x86_64.rpm 0be1ff112f06f3f2163fdb117ff2a5a4 2011/x86_64/postgresql9.0-devel-9.0.8-0.1-mdv2011.0.x86_64.rpm e818dd4f45cacc4b0f864b143478acef 2011/x86_64/postgresql9.0-docs-9.0.8-0.1-mdv2011.0.x86_64.rpm 23acd229918a41efc3c628dd83cbd7e6 2011/x86_64/postgresql9.0-pl-9.0.8-0.1-mdv2011.0.x86_64.rpm c23b0d3fbe747bd1924454be72865e7f 2011/x86_64/postgresql9.0-plperl-9.0.8-0.1-mdv2011.0.x86_64.rpm 625a3d7a6801b91432ac3cb5fb8b352e 2011/x86_64/postgresql9.0-plpgsql-9.0.8-0.1-mdv2011.0.x86_64.rpm d13395955947682259ec2ffe4487ec79 2011/x86_64/postgresql9.0-plpython-9.0.8-0.1-mdv2011.0.x86_64.rpm be8318a2b1570ab6ed533c7307792e6f 2011/x86_64/postgresql9.0-pltcl-9.0.8-0.1-mdv2011.0.x86_64.rpm 7af925cf49133dffda95ac4523c2c961 2011/x86_64/postgresql9.0-server-9.0.8-0.1-mdv2011.0.x86_64.rpm 577118b95056f170481457c9b3e53c7d 2011/SRPMS/postgresql9.0-9.0.8-0.1.src.rpm Mandriva Enterprise Server 5: 7c2b370fc22fd1ebbbedd6e270661277 mes5/i586/libecpg8.3_6-8.3.19-0.1mdvmes5.2.i586.rpm e9f17b9bc34e8dd6121a1b664d0a9c16 mes5/i586/libpq8.3_5-8.3.19-0.1mdvmes5.2.i586.rpm ed02218566620f2fcfc51325751b0942 mes5/i586/postgresql8.3-8.3.19-0.1mdvmes5.2.i586.rpm 386a86f8d0e0ef2614a7a0cbce99e979 mes5/i586/postgresql8.3-contrib-8.3.19-0.1mdvmes5.2.i586.rpm 6fcce2c1c2322d1f5ee9a31ec9a6b1d2 mes5/i586/postgresql8.3-devel-8.3.19-0.1mdvmes5.2.i586.rpm 4f83f9daad2541d590ca62b8699f3095 mes5/i586/postgresql8.3-docs-8.3.19-0.1mdvmes5.2.i586.rpm 5d196e70073f0afb8ab2b670cf52eb85 mes5/i586/postgresql8.3-pl-8.3.19-0.1mdvmes5.2.i586.rpm ec6704ff7cef00a7edfad27a9b2d7a6a mes5/i586/postgresql8.3-plperl-8.3.19-0.1mdvmes5.2.i586.rpm 81bbf33a83a01d53ef68b4651307569d mes5/i586/postgresql8.3-plpgsql-8.3.19-0.1mdvmes5.2.i586.rpm fa8ee6cf056461f70307acd625515a41 mes5/i586/postgresql8.3-plpython-8.3.19-0.1mdvmes5.2.i586.rpm 0d9794e78fc46b17d383ea201649bc27 mes5/i586/postgresql8.3-pltcl-8.3.19-0.1mdvmes5.2.i586.rpm 67045bfceea8b7bf27941caafe519a6f mes5/i586/postgresql8.3-server-8.3.19-0.1mdvmes5.2.i586.rpm f3f4560c3e22be0110284cefbcf1b693 mes5/SRPMS/postgresql8.3-8.3.19-0.1mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: cdebff28e4c60391dfd2dc52f978b993 mes5/x86_64/lib64ecpg8.3_6-8.3.19-0.1mdvmes5.2.x86_64.rpm ff60d315fdc1e8a791757b2911d236fc mes5/x86_64/lib64pq8.3_5-8.3.19-0.1mdvmes5.2.x86_64.rpm bad82ecc2ad8b57f4a32eeaaa87ea187 mes5/x86_64/postgresql8.3-8.3.19-0.1mdvmes5.2.x86_64.rpm 2ec6ff1a8c5539a2944e0de48b9d2a02 mes5/x86_64/postgresql8.3-contrib-8.3.19-0.1mdvmes5.2.x86_64.rpm ff1306012e49ce28f2dcae3aae999f5a mes5/x86_64/postgresql8.3-devel-8.3.19-0.1mdvmes5.2.x86_64.rpm 4f5f5ffa2b00e51ce059ed5a702013af mes5/x86_64/postgresql8.3-docs-8.3.19-0.1mdvmes5.2.x86_64.rpm be8117ab9602c3f5f72fa1808b9dce30 mes5/x86_64/postgresql8.3-pl-8.3.19-0.1mdvmes5.2.x86_64.rpm cfb91f455841dbbecf55c5a7303aaf17 mes5/x86_64/postgresql8.3-plperl-8.3.19-0.1mdvmes5.2.x86_64.rpm a976913613397da80a91dd6219e0db2d mes5/x86_64/postgresql8.3-plpgsql-8.3.19-0.1mdvmes5.2.x86_64.rpm b0bc7cf21a30d568b829161e28eeb966 mes5/x86_64/postgresql8.3-plpython-8.3.19-0.1mdvmes5.2.x86_64.rpm 2df355defa38bcf9131f7ef339748bbf mes5/x86_64/postgresql8.3-pltcl-8.3.19-0.1mdvmes5.2.x86_64.rpm 2ccf2a380d34cb0ecebda54bb9d241ee mes5/x86_64/postgresql8.3-server-8.3.19-0.1mdvmes5.2.x86_64.rpm f3f4560c3e22be0110284cefbcf1b693 mes5/SRPMS/postgresql8.3-8.3.19-0.1mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFP2xZxmqjQ0CJFipgRAq4rAKDee6j9zabxWckO7x8NB4WU553yoQCgtrQu /eGpYDiMrc6Dk0Vt0PkXpCg= =bUYY -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists