lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1SfXOX-0008JY-3x@titan.mandriva.com>
Date: Fri, 15 Jun 2012 16:21:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2012:092 ] postgresql

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:092
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : postgresql
 Date    : June 15, 2012
 Affected: 2010.1, 2011., Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been discovered and corrected in
 postgresql:
 
 Fix incorrect password transformation in contrib/pgcrypto&#039;s DES
 crypt() function (Solar Designer). If a password string contained the
 byte value 0x80, the remainder of the password was ignored, causing
 the password to be much weaker than it appeared. With this fix, the
 rest of the string is properly included in the DES hash. Any stored
 password values that are affected by this bug will thus no longer
 match, so the stored values may need to be updated (CVE-2012-2143).
 
 Ignore SECURITY DEFINER and SET attributes for a procedural language&#039;s
 call handler (Tom Lane). Applying such attributes to a call handler
 could crash the server (CVE-2012-2655).
 
 This advisory provides the latest versions of PostgreSQL that is not
 vulnerable to these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2655
 http://www.postgresql.org/docs/8.3/static/release-8-3-19.html
 http://www.postgresql.org/docs/8.4/static/release-8-4-12.html
 http://www.postgresql.org/docs/9.0/static/release-9-0-8.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.1:
 31e716bcf05db9b48f3550a71240c0c5  2010.1/i586/libecpg8.4_6-8.4.12-0.1mdv2010.2.i586.rpm
 2b06427838d6c9da9e3a2250d46bbf77  2010.1/i586/libpq8.4_5-8.4.12-0.1mdv2010.2.i586.rpm
 0d9eea713a681f0a1afe5058c8858508  2010.1/i586/postgresql8.4-8.4.12-0.1mdv2010.2.i586.rpm
 f469befc008741292b48f676f6e7594b  2010.1/i586/postgresql8.4-contrib-8.4.12-0.1mdv2010.2.i586.rpm
 cd43a60afb151f41e5532cbfdbd87a8f  2010.1/i586/postgresql8.4-devel-8.4.12-0.1mdv2010.2.i586.rpm
 8242397b23fcd4dadf95aedecddc9bbd  2010.1/i586/postgresql8.4-docs-8.4.12-0.1mdv2010.2.i586.rpm
 193eff696b587b39ea2d76d389b9588d  2010.1/i586/postgresql8.4-pl-8.4.12-0.1mdv2010.2.i586.rpm
 cfe0dfff1179eadb28367137062e3f63  2010.1/i586/postgresql8.4-plperl-8.4.12-0.1mdv2010.2.i586.rpm
 2ddf2d0e3ffc6a42f5fe7b59d4cb397c  2010.1/i586/postgresql8.4-plpgsql-8.4.12-0.1mdv2010.2.i586.rpm
 1692696454818be65ebd6843b2071af1  2010.1/i586/postgresql8.4-plpython-8.4.12-0.1mdv2010.2.i586.rpm
 0663c2e4731f0b251eeaa945b7063867  2010.1/i586/postgresql8.4-pltcl-8.4.12-0.1mdv2010.2.i586.rpm
 a4e20a562ea2cfe827ed740276c26fff  2010.1/i586/postgresql8.4-server-8.4.12-0.1mdv2010.2.i586.rpm 
 87ec6e03f819dfd6a6d0ddd4b49faada  2010.1/SRPMS/postgresql8.4-8.4.12-0.1mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 952ffec02dacc14529546c038f1620d1  2010.1/x86_64/lib64ecpg8.4_6-8.4.12-0.1mdv2010.2.x86_64.rpm
 4fabe0b7c83ce1316e05704947278165  2010.1/x86_64/lib64pq8.4_5-8.4.12-0.1mdv2010.2.x86_64.rpm
 57691383c476a7ec09ecd8ea59e63ffe  2010.1/x86_64/postgresql8.4-8.4.12-0.1mdv2010.2.x86_64.rpm
 95f22a8e62f990643caae129102154d1  2010.1/x86_64/postgresql8.4-contrib-8.4.12-0.1mdv2010.2.x86_64.rpm
 328fd48956c65b492c6ac581a3bc5e96  2010.1/x86_64/postgresql8.4-devel-8.4.12-0.1mdv2010.2.x86_64.rpm
 aaff2d79751fcf79d725774abcc0775c  2010.1/x86_64/postgresql8.4-docs-8.4.12-0.1mdv2010.2.x86_64.rpm
 e417de571aa3411c67197ef43d4e9b99  2010.1/x86_64/postgresql8.4-pl-8.4.12-0.1mdv2010.2.x86_64.rpm
 f7533cef4e593926bc010f4260f7b1b1  2010.1/x86_64/postgresql8.4-plperl-8.4.12-0.1mdv2010.2.x86_64.rpm
 52e34c35fc3b0edf76e557d6a3631948  2010.1/x86_64/postgresql8.4-plpgsql-8.4.12-0.1mdv2010.2.x86_64.rpm
 70fe1e458b09d882ed4d30245cb28e6e  2010.1/x86_64/postgresql8.4-plpython-8.4.12-0.1mdv2010.2.x86_64.rpm
 5922cc411a1a0da57f73d774455e30c3  2010.1/x86_64/postgresql8.4-pltcl-8.4.12-0.1mdv2010.2.x86_64.rpm
 ba669c2058fa72a3861b6631b2dd0933  2010.1/x86_64/postgresql8.4-server-8.4.12-0.1mdv2010.2.x86_64.rpm 
 87ec6e03f819dfd6a6d0ddd4b49faada  2010.1/SRPMS/postgresql8.4-8.4.12-0.1mdv2010.2.src.rpm

 Mandriva Linux 2011:
 bfc282293884669f2f9a70a496b8fdbf  2011/i586/libecpg9.0_6-9.0.8-0.1-mdv2011.0.i586.rpm
 26e6ef59c62c9e60022cb46531b43fe8  2011/i586/libpq9.0_5-9.0.8-0.1-mdv2011.0.i586.rpm
 63fa0fdeffc3d6c6649298243528be32  2011/i586/postgresql9.0-9.0.8-0.1-mdv2011.0.i586.rpm
 3fb6213e2b73d974d2487cc6b63ae93c  2011/i586/postgresql9.0-contrib-9.0.8-0.1-mdv2011.0.i586.rpm
 8724432a78b0405a47871472d3833450  2011/i586/postgresql9.0-devel-9.0.8-0.1-mdv2011.0.i586.rpm
 55ed204a26f7caa0e9923dd5fe64a343  2011/i586/postgresql9.0-docs-9.0.8-0.1-mdv2011.0.i586.rpm
 e2b291ed6993681fb5fdf778d0aa3001  2011/i586/postgresql9.0-pl-9.0.8-0.1-mdv2011.0.i586.rpm
 d854e2c7cbe287ec9752517de725a95e  2011/i586/postgresql9.0-plperl-9.0.8-0.1-mdv2011.0.i586.rpm
 812ff48ff0ae3080cd4caa91c71aecaf  2011/i586/postgresql9.0-plpgsql-9.0.8-0.1-mdv2011.0.i586.rpm
 d6ccf9a1ea0de1d2181beb8905ecb147  2011/i586/postgresql9.0-plpython-9.0.8-0.1-mdv2011.0.i586.rpm
 911db5377d27dadd70f69a40c2fdcac0  2011/i586/postgresql9.0-pltcl-9.0.8-0.1-mdv2011.0.i586.rpm
 edb9c92ece4940f59fbcd64483ca1e9d  2011/i586/postgresql9.0-server-9.0.8-0.1-mdv2011.0.i586.rpm 
 577118b95056f170481457c9b3e53c7d  2011/SRPMS/postgresql9.0-9.0.8-0.1.src.rpm

 Mandriva Linux 2011/X86_64:
 2aef3f6f025d8b4e9747358aaf252b4e  2011/x86_64/lib64ecpg9.0_6-9.0.8-0.1-mdv2011.0.x86_64.rpm
 f57f9ed8f01b83b26d8c602455c1cc26  2011/x86_64/lib64pq9.0_5-9.0.8-0.1-mdv2011.0.x86_64.rpm
 2c101ccdf890faa85f13b1ad04fd8262  2011/x86_64/postgresql9.0-9.0.8-0.1-mdv2011.0.x86_64.rpm
 88c2f34ca727db81361c671b258e9fad  2011/x86_64/postgresql9.0-contrib-9.0.8-0.1-mdv2011.0.x86_64.rpm
 0be1ff112f06f3f2163fdb117ff2a5a4  2011/x86_64/postgresql9.0-devel-9.0.8-0.1-mdv2011.0.x86_64.rpm
 e818dd4f45cacc4b0f864b143478acef  2011/x86_64/postgresql9.0-docs-9.0.8-0.1-mdv2011.0.x86_64.rpm
 23acd229918a41efc3c628dd83cbd7e6  2011/x86_64/postgresql9.0-pl-9.0.8-0.1-mdv2011.0.x86_64.rpm
 c23b0d3fbe747bd1924454be72865e7f  2011/x86_64/postgresql9.0-plperl-9.0.8-0.1-mdv2011.0.x86_64.rpm
 625a3d7a6801b91432ac3cb5fb8b352e  2011/x86_64/postgresql9.0-plpgsql-9.0.8-0.1-mdv2011.0.x86_64.rpm
 d13395955947682259ec2ffe4487ec79  2011/x86_64/postgresql9.0-plpython-9.0.8-0.1-mdv2011.0.x86_64.rpm
 be8318a2b1570ab6ed533c7307792e6f  2011/x86_64/postgresql9.0-pltcl-9.0.8-0.1-mdv2011.0.x86_64.rpm
 7af925cf49133dffda95ac4523c2c961  2011/x86_64/postgresql9.0-server-9.0.8-0.1-mdv2011.0.x86_64.rpm 
 577118b95056f170481457c9b3e53c7d  2011/SRPMS/postgresql9.0-9.0.8-0.1.src.rpm

 Mandriva Enterprise Server 5:
 7c2b370fc22fd1ebbbedd6e270661277  mes5/i586/libecpg8.3_6-8.3.19-0.1mdvmes5.2.i586.rpm
 e9f17b9bc34e8dd6121a1b664d0a9c16  mes5/i586/libpq8.3_5-8.3.19-0.1mdvmes5.2.i586.rpm
 ed02218566620f2fcfc51325751b0942  mes5/i586/postgresql8.3-8.3.19-0.1mdvmes5.2.i586.rpm
 386a86f8d0e0ef2614a7a0cbce99e979  mes5/i586/postgresql8.3-contrib-8.3.19-0.1mdvmes5.2.i586.rpm
 6fcce2c1c2322d1f5ee9a31ec9a6b1d2  mes5/i586/postgresql8.3-devel-8.3.19-0.1mdvmes5.2.i586.rpm
 4f83f9daad2541d590ca62b8699f3095  mes5/i586/postgresql8.3-docs-8.3.19-0.1mdvmes5.2.i586.rpm
 5d196e70073f0afb8ab2b670cf52eb85  mes5/i586/postgresql8.3-pl-8.3.19-0.1mdvmes5.2.i586.rpm
 ec6704ff7cef00a7edfad27a9b2d7a6a  mes5/i586/postgresql8.3-plperl-8.3.19-0.1mdvmes5.2.i586.rpm
 81bbf33a83a01d53ef68b4651307569d  mes5/i586/postgresql8.3-plpgsql-8.3.19-0.1mdvmes5.2.i586.rpm
 fa8ee6cf056461f70307acd625515a41  mes5/i586/postgresql8.3-plpython-8.3.19-0.1mdvmes5.2.i586.rpm
 0d9794e78fc46b17d383ea201649bc27  mes5/i586/postgresql8.3-pltcl-8.3.19-0.1mdvmes5.2.i586.rpm
 67045bfceea8b7bf27941caafe519a6f  mes5/i586/postgresql8.3-server-8.3.19-0.1mdvmes5.2.i586.rpm 
 f3f4560c3e22be0110284cefbcf1b693  mes5/SRPMS/postgresql8.3-8.3.19-0.1mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 cdebff28e4c60391dfd2dc52f978b993  mes5/x86_64/lib64ecpg8.3_6-8.3.19-0.1mdvmes5.2.x86_64.rpm
 ff60d315fdc1e8a791757b2911d236fc  mes5/x86_64/lib64pq8.3_5-8.3.19-0.1mdvmes5.2.x86_64.rpm
 bad82ecc2ad8b57f4a32eeaaa87ea187  mes5/x86_64/postgresql8.3-8.3.19-0.1mdvmes5.2.x86_64.rpm
 2ec6ff1a8c5539a2944e0de48b9d2a02  mes5/x86_64/postgresql8.3-contrib-8.3.19-0.1mdvmes5.2.x86_64.rpm
 ff1306012e49ce28f2dcae3aae999f5a  mes5/x86_64/postgresql8.3-devel-8.3.19-0.1mdvmes5.2.x86_64.rpm
 4f5f5ffa2b00e51ce059ed5a702013af  mes5/x86_64/postgresql8.3-docs-8.3.19-0.1mdvmes5.2.x86_64.rpm
 be8117ab9602c3f5f72fa1808b9dce30  mes5/x86_64/postgresql8.3-pl-8.3.19-0.1mdvmes5.2.x86_64.rpm
 cfb91f455841dbbecf55c5a7303aaf17  mes5/x86_64/postgresql8.3-plperl-8.3.19-0.1mdvmes5.2.x86_64.rpm
 a976913613397da80a91dd6219e0db2d  mes5/x86_64/postgresql8.3-plpgsql-8.3.19-0.1mdvmes5.2.x86_64.rpm
 b0bc7cf21a30d568b829161e28eeb966  mes5/x86_64/postgresql8.3-plpython-8.3.19-0.1mdvmes5.2.x86_64.rpm
 2df355defa38bcf9131f7ef339748bbf  mes5/x86_64/postgresql8.3-pltcl-8.3.19-0.1mdvmes5.2.x86_64.rpm
 2ccf2a380d34cb0ecebda54bb9d241ee  mes5/x86_64/postgresql8.3-server-8.3.19-0.1mdvmes5.2.x86_64.rpm 
 f3f4560c3e22be0110284cefbcf1b693  mes5/SRPMS/postgresql8.3-8.3.19-0.1mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFP2xZxmqjQ0CJFipgRAq4rAKDee6j9zabxWckO7x8NB4WU553yoQCgtrQu
/eGpYDiMrc6Dk0Vt0PkXpCg=
=bUYY
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ