[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1SfXOX-0008JY-3x@titan.mandriva.com>
Date: Fri, 15 Jun 2012 16:21:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2012:092 ] postgresql
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2012:092
http://www.mandriva.com/security/
_______________________________________________________________________
Package : postgresql
Date : June 15, 2012
Affected: 2010.1, 2011., Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been discovered and corrected in
postgresql:
Fix incorrect password transformation in contrib/pgcrypto's DES
crypt() function (Solar Designer). If a password string contained the
byte value 0x80, the remainder of the password was ignored, causing
the password to be much weaker than it appeared. With this fix, the
rest of the string is properly included in the DES hash. Any stored
password values that are affected by this bug will thus no longer
match, so the stored values may need to be updated (CVE-2012-2143).
Ignore SECURITY DEFINER and SET attributes for a procedural language's
call handler (Tom Lane). Applying such attributes to a call handler
could crash the server (CVE-2012-2655).
This advisory provides the latest versions of PostgreSQL that is not
vulnerable to these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2655
http://www.postgresql.org/docs/8.3/static/release-8-3-19.html
http://www.postgresql.org/docs/8.4/static/release-8-4-12.html
http://www.postgresql.org/docs/9.0/static/release-9-0-8.html
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.1:
31e716bcf05db9b48f3550a71240c0c5 2010.1/i586/libecpg8.4_6-8.4.12-0.1mdv2010.2.i586.rpm
2b06427838d6c9da9e3a2250d46bbf77 2010.1/i586/libpq8.4_5-8.4.12-0.1mdv2010.2.i586.rpm
0d9eea713a681f0a1afe5058c8858508 2010.1/i586/postgresql8.4-8.4.12-0.1mdv2010.2.i586.rpm
f469befc008741292b48f676f6e7594b 2010.1/i586/postgresql8.4-contrib-8.4.12-0.1mdv2010.2.i586.rpm
cd43a60afb151f41e5532cbfdbd87a8f 2010.1/i586/postgresql8.4-devel-8.4.12-0.1mdv2010.2.i586.rpm
8242397b23fcd4dadf95aedecddc9bbd 2010.1/i586/postgresql8.4-docs-8.4.12-0.1mdv2010.2.i586.rpm
193eff696b587b39ea2d76d389b9588d 2010.1/i586/postgresql8.4-pl-8.4.12-0.1mdv2010.2.i586.rpm
cfe0dfff1179eadb28367137062e3f63 2010.1/i586/postgresql8.4-plperl-8.4.12-0.1mdv2010.2.i586.rpm
2ddf2d0e3ffc6a42f5fe7b59d4cb397c 2010.1/i586/postgresql8.4-plpgsql-8.4.12-0.1mdv2010.2.i586.rpm
1692696454818be65ebd6843b2071af1 2010.1/i586/postgresql8.4-plpython-8.4.12-0.1mdv2010.2.i586.rpm
0663c2e4731f0b251eeaa945b7063867 2010.1/i586/postgresql8.4-pltcl-8.4.12-0.1mdv2010.2.i586.rpm
a4e20a562ea2cfe827ed740276c26fff 2010.1/i586/postgresql8.4-server-8.4.12-0.1mdv2010.2.i586.rpm
87ec6e03f819dfd6a6d0ddd4b49faada 2010.1/SRPMS/postgresql8.4-8.4.12-0.1mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
952ffec02dacc14529546c038f1620d1 2010.1/x86_64/lib64ecpg8.4_6-8.4.12-0.1mdv2010.2.x86_64.rpm
4fabe0b7c83ce1316e05704947278165 2010.1/x86_64/lib64pq8.4_5-8.4.12-0.1mdv2010.2.x86_64.rpm
57691383c476a7ec09ecd8ea59e63ffe 2010.1/x86_64/postgresql8.4-8.4.12-0.1mdv2010.2.x86_64.rpm
95f22a8e62f990643caae129102154d1 2010.1/x86_64/postgresql8.4-contrib-8.4.12-0.1mdv2010.2.x86_64.rpm
328fd48956c65b492c6ac581a3bc5e96 2010.1/x86_64/postgresql8.4-devel-8.4.12-0.1mdv2010.2.x86_64.rpm
aaff2d79751fcf79d725774abcc0775c 2010.1/x86_64/postgresql8.4-docs-8.4.12-0.1mdv2010.2.x86_64.rpm
e417de571aa3411c67197ef43d4e9b99 2010.1/x86_64/postgresql8.4-pl-8.4.12-0.1mdv2010.2.x86_64.rpm
f7533cef4e593926bc010f4260f7b1b1 2010.1/x86_64/postgresql8.4-plperl-8.4.12-0.1mdv2010.2.x86_64.rpm
52e34c35fc3b0edf76e557d6a3631948 2010.1/x86_64/postgresql8.4-plpgsql-8.4.12-0.1mdv2010.2.x86_64.rpm
70fe1e458b09d882ed4d30245cb28e6e 2010.1/x86_64/postgresql8.4-plpython-8.4.12-0.1mdv2010.2.x86_64.rpm
5922cc411a1a0da57f73d774455e30c3 2010.1/x86_64/postgresql8.4-pltcl-8.4.12-0.1mdv2010.2.x86_64.rpm
ba669c2058fa72a3861b6631b2dd0933 2010.1/x86_64/postgresql8.4-server-8.4.12-0.1mdv2010.2.x86_64.rpm
87ec6e03f819dfd6a6d0ddd4b49faada 2010.1/SRPMS/postgresql8.4-8.4.12-0.1mdv2010.2.src.rpm
Mandriva Linux 2011:
bfc282293884669f2f9a70a496b8fdbf 2011/i586/libecpg9.0_6-9.0.8-0.1-mdv2011.0.i586.rpm
26e6ef59c62c9e60022cb46531b43fe8 2011/i586/libpq9.0_5-9.0.8-0.1-mdv2011.0.i586.rpm
63fa0fdeffc3d6c6649298243528be32 2011/i586/postgresql9.0-9.0.8-0.1-mdv2011.0.i586.rpm
3fb6213e2b73d974d2487cc6b63ae93c 2011/i586/postgresql9.0-contrib-9.0.8-0.1-mdv2011.0.i586.rpm
8724432a78b0405a47871472d3833450 2011/i586/postgresql9.0-devel-9.0.8-0.1-mdv2011.0.i586.rpm
55ed204a26f7caa0e9923dd5fe64a343 2011/i586/postgresql9.0-docs-9.0.8-0.1-mdv2011.0.i586.rpm
e2b291ed6993681fb5fdf778d0aa3001 2011/i586/postgresql9.0-pl-9.0.8-0.1-mdv2011.0.i586.rpm
d854e2c7cbe287ec9752517de725a95e 2011/i586/postgresql9.0-plperl-9.0.8-0.1-mdv2011.0.i586.rpm
812ff48ff0ae3080cd4caa91c71aecaf 2011/i586/postgresql9.0-plpgsql-9.0.8-0.1-mdv2011.0.i586.rpm
d6ccf9a1ea0de1d2181beb8905ecb147 2011/i586/postgresql9.0-plpython-9.0.8-0.1-mdv2011.0.i586.rpm
911db5377d27dadd70f69a40c2fdcac0 2011/i586/postgresql9.0-pltcl-9.0.8-0.1-mdv2011.0.i586.rpm
edb9c92ece4940f59fbcd64483ca1e9d 2011/i586/postgresql9.0-server-9.0.8-0.1-mdv2011.0.i586.rpm
577118b95056f170481457c9b3e53c7d 2011/SRPMS/postgresql9.0-9.0.8-0.1.src.rpm
Mandriva Linux 2011/X86_64:
2aef3f6f025d8b4e9747358aaf252b4e 2011/x86_64/lib64ecpg9.0_6-9.0.8-0.1-mdv2011.0.x86_64.rpm
f57f9ed8f01b83b26d8c602455c1cc26 2011/x86_64/lib64pq9.0_5-9.0.8-0.1-mdv2011.0.x86_64.rpm
2c101ccdf890faa85f13b1ad04fd8262 2011/x86_64/postgresql9.0-9.0.8-0.1-mdv2011.0.x86_64.rpm
88c2f34ca727db81361c671b258e9fad 2011/x86_64/postgresql9.0-contrib-9.0.8-0.1-mdv2011.0.x86_64.rpm
0be1ff112f06f3f2163fdb117ff2a5a4 2011/x86_64/postgresql9.0-devel-9.0.8-0.1-mdv2011.0.x86_64.rpm
e818dd4f45cacc4b0f864b143478acef 2011/x86_64/postgresql9.0-docs-9.0.8-0.1-mdv2011.0.x86_64.rpm
23acd229918a41efc3c628dd83cbd7e6 2011/x86_64/postgresql9.0-pl-9.0.8-0.1-mdv2011.0.x86_64.rpm
c23b0d3fbe747bd1924454be72865e7f 2011/x86_64/postgresql9.0-plperl-9.0.8-0.1-mdv2011.0.x86_64.rpm
625a3d7a6801b91432ac3cb5fb8b352e 2011/x86_64/postgresql9.0-plpgsql-9.0.8-0.1-mdv2011.0.x86_64.rpm
d13395955947682259ec2ffe4487ec79 2011/x86_64/postgresql9.0-plpython-9.0.8-0.1-mdv2011.0.x86_64.rpm
be8318a2b1570ab6ed533c7307792e6f 2011/x86_64/postgresql9.0-pltcl-9.0.8-0.1-mdv2011.0.x86_64.rpm
7af925cf49133dffda95ac4523c2c961 2011/x86_64/postgresql9.0-server-9.0.8-0.1-mdv2011.0.x86_64.rpm
577118b95056f170481457c9b3e53c7d 2011/SRPMS/postgresql9.0-9.0.8-0.1.src.rpm
Mandriva Enterprise Server 5:
7c2b370fc22fd1ebbbedd6e270661277 mes5/i586/libecpg8.3_6-8.3.19-0.1mdvmes5.2.i586.rpm
e9f17b9bc34e8dd6121a1b664d0a9c16 mes5/i586/libpq8.3_5-8.3.19-0.1mdvmes5.2.i586.rpm
ed02218566620f2fcfc51325751b0942 mes5/i586/postgresql8.3-8.3.19-0.1mdvmes5.2.i586.rpm
386a86f8d0e0ef2614a7a0cbce99e979 mes5/i586/postgresql8.3-contrib-8.3.19-0.1mdvmes5.2.i586.rpm
6fcce2c1c2322d1f5ee9a31ec9a6b1d2 mes5/i586/postgresql8.3-devel-8.3.19-0.1mdvmes5.2.i586.rpm
4f83f9daad2541d590ca62b8699f3095 mes5/i586/postgresql8.3-docs-8.3.19-0.1mdvmes5.2.i586.rpm
5d196e70073f0afb8ab2b670cf52eb85 mes5/i586/postgresql8.3-pl-8.3.19-0.1mdvmes5.2.i586.rpm
ec6704ff7cef00a7edfad27a9b2d7a6a mes5/i586/postgresql8.3-plperl-8.3.19-0.1mdvmes5.2.i586.rpm
81bbf33a83a01d53ef68b4651307569d mes5/i586/postgresql8.3-plpgsql-8.3.19-0.1mdvmes5.2.i586.rpm
fa8ee6cf056461f70307acd625515a41 mes5/i586/postgresql8.3-plpython-8.3.19-0.1mdvmes5.2.i586.rpm
0d9794e78fc46b17d383ea201649bc27 mes5/i586/postgresql8.3-pltcl-8.3.19-0.1mdvmes5.2.i586.rpm
67045bfceea8b7bf27941caafe519a6f mes5/i586/postgresql8.3-server-8.3.19-0.1mdvmes5.2.i586.rpm
f3f4560c3e22be0110284cefbcf1b693 mes5/SRPMS/postgresql8.3-8.3.19-0.1mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
cdebff28e4c60391dfd2dc52f978b993 mes5/x86_64/lib64ecpg8.3_6-8.3.19-0.1mdvmes5.2.x86_64.rpm
ff60d315fdc1e8a791757b2911d236fc mes5/x86_64/lib64pq8.3_5-8.3.19-0.1mdvmes5.2.x86_64.rpm
bad82ecc2ad8b57f4a32eeaaa87ea187 mes5/x86_64/postgresql8.3-8.3.19-0.1mdvmes5.2.x86_64.rpm
2ec6ff1a8c5539a2944e0de48b9d2a02 mes5/x86_64/postgresql8.3-contrib-8.3.19-0.1mdvmes5.2.x86_64.rpm
ff1306012e49ce28f2dcae3aae999f5a mes5/x86_64/postgresql8.3-devel-8.3.19-0.1mdvmes5.2.x86_64.rpm
4f5f5ffa2b00e51ce059ed5a702013af mes5/x86_64/postgresql8.3-docs-8.3.19-0.1mdvmes5.2.x86_64.rpm
be8117ab9602c3f5f72fa1808b9dce30 mes5/x86_64/postgresql8.3-pl-8.3.19-0.1mdvmes5.2.x86_64.rpm
cfb91f455841dbbecf55c5a7303aaf17 mes5/x86_64/postgresql8.3-plperl-8.3.19-0.1mdvmes5.2.x86_64.rpm
a976913613397da80a91dd6219e0db2d mes5/x86_64/postgresql8.3-plpgsql-8.3.19-0.1mdvmes5.2.x86_64.rpm
b0bc7cf21a30d568b829161e28eeb966 mes5/x86_64/postgresql8.3-plpython-8.3.19-0.1mdvmes5.2.x86_64.rpm
2df355defa38bcf9131f7ef339748bbf mes5/x86_64/postgresql8.3-pltcl-8.3.19-0.1mdvmes5.2.x86_64.rpm
2ccf2a380d34cb0ecebda54bb9d241ee mes5/x86_64/postgresql8.3-server-8.3.19-0.1mdvmes5.2.x86_64.rpm
f3f4560c3e22be0110284cefbcf1b693 mes5/SRPMS/postgresql8.3-8.3.19-0.1mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFP2xZxmqjQ0CJFipgRAq4rAKDee6j9zabxWckO7x8NB4WU553yoQCgtrQu
/eGpYDiMrc6Dk0Vt0PkXpCg=
=bUYY
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists