lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1T34fh-0004Za-Fx@titan.mandriva.com>
Date: Sun, 19 Aug 2012 14:32:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2012:139 ] postgresql

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:139
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : postgresql
 Date    : August 19, 2012
 Affected: 2011., Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been discovered and corrected in
 postgresql:
 
 Prevent access to external files/URLs via contrib/xml2&#039;s xslt_process()
 (Peter Eisentraut). libxslt offers the ability to read and write both
 files and URLs through stylesheet commands, thus allowing unprivileged
 database users to both read and write data with the privileges of the
 database server. Disable that through proper use of libxslt&#039;s security
 options (CVE-2012-3488). Also, remove xslt_process()&#039;s ability to
 fetch documents and stylesheets from external files/URLs. While this
 was a documented feature, it was long regarded as a bad idea. The
 fix for CVE-2012-3489 broke that capability, and rather than expend
 effort on trying to fix it, we&#039;re just going to summarily remove it.
 
 Prevent access to external files/URLs via XML entity references (Noah
 Misch, Tom Lane). xml_parse() would attempt to fetch external files or
 URLs as needed to resolve DTD and entity references in an XML value,
 thus allowing unprivileged database users to attempt to fetch data
 with the privileges of the database server. While the external data
 wouldn&#039;t get returned directly to the user, portions of it could
 be exposed in error messages if the data didn&#039;t parse as valid XML;
 and in any case the mere ability to check existence of a file might
 be useful to an attacker (CVE-2012-3489).
 
 This advisory provides the latest versions of PostgreSQL that is not
 vulnerable to these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3488
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3489
 http://www.postgresql.org/about/news/1407/
 http://www.postgresql.org/docs/8.3/static/release-8-3-20.html
 http://www.postgresql.org/docs/9.0/static/release-9-0-9.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2011:
 196d4c453d0ea6c9b91a50ebb0660c94  2011/i586/libecpg9.0_6-9.0.9-0.1-mdv2011.0.i586.rpm
 5a791aa21447cdfb520e2753c5bd36a1  2011/i586/libpq9.0_5-9.0.9-0.1-mdv2011.0.i586.rpm
 3bbec24584ccda7e7d3c30bba1c1def0  2011/i586/postgresql9.0-9.0.9-0.1-mdv2011.0.i586.rpm
 ce144f4becc8a0c562b461bcba05b922  2011/i586/postgresql9.0-contrib-9.0.9-0.1-mdv2011.0.i586.rpm
 3310b81e20f7d2d562fd98f982c68e28  2011/i586/postgresql9.0-devel-9.0.9-0.1-mdv2011.0.i586.rpm
 cacace6acc9fd05e020a430d4c091383  2011/i586/postgresql9.0-docs-9.0.9-0.1-mdv2011.0.i586.rpm
 20ae65681ecd7ac3e40edb247d0b1d2e  2011/i586/postgresql9.0-pl-9.0.9-0.1-mdv2011.0.i586.rpm
 5bebf45d073b818304bc66d2f4eda39c  2011/i586/postgresql9.0-plperl-9.0.9-0.1-mdv2011.0.i586.rpm
 8c5b2d6cdc797d9b7f8ba2f1dee783ed  2011/i586/postgresql9.0-plpgsql-9.0.9-0.1-mdv2011.0.i586.rpm
 b0a03b213b5db60fafbc86a592599155  2011/i586/postgresql9.0-plpython-9.0.9-0.1-mdv2011.0.i586.rpm
 a20c98e08cc2c388b6e233ee0517a230  2011/i586/postgresql9.0-pltcl-9.0.9-0.1-mdv2011.0.i586.rpm
 c53a458d42a14780e03e403903a5319b  2011/i586/postgresql9.0-server-9.0.9-0.1-mdv2011.0.i586.rpm 
 36fa3265c3f4d9b5c65a91b592443a8d  2011/SRPMS/postgresql9.0-9.0.9-0.1.src.rpm

 Mandriva Linux 2011/X86_64:
 2ae73fbfca7b001b81f8a4c410756585  2011/x86_64/lib64ecpg9.0_6-9.0.9-0.1-mdv2011.0.x86_64.rpm
 9f2c53c2780cd5df8ab7fe10e20abf66  2011/x86_64/lib64pq9.0_5-9.0.9-0.1-mdv2011.0.x86_64.rpm
 49d5fe371c007064449ba8c11e908751  2011/x86_64/postgresql9.0-9.0.9-0.1-mdv2011.0.x86_64.rpm
 cb0fda294ac239e0cb8e5463103d9076  2011/x86_64/postgresql9.0-contrib-9.0.9-0.1-mdv2011.0.x86_64.rpm
 b0f33c74737d0f129d8572c1f0b3a493  2011/x86_64/postgresql9.0-devel-9.0.9-0.1-mdv2011.0.x86_64.rpm
 b7fb440ae36b85113065b54e79734b5e  2011/x86_64/postgresql9.0-docs-9.0.9-0.1-mdv2011.0.x86_64.rpm
 d20fd9536064d6636cddc97152639fbf  2011/x86_64/postgresql9.0-pl-9.0.9-0.1-mdv2011.0.x86_64.rpm
 5760bba871a780691bdf95103aea5fd8  2011/x86_64/postgresql9.0-plperl-9.0.9-0.1-mdv2011.0.x86_64.rpm
 d6adff0aa5363abe028cb7d2c60e189f  2011/x86_64/postgresql9.0-plpgsql-9.0.9-0.1-mdv2011.0.x86_64.rpm
 e6f876785888e982e6e9548f806a940d  2011/x86_64/postgresql9.0-plpython-9.0.9-0.1-mdv2011.0.x86_64.rpm
 f7c3d0352a4b7d6447b968b6cc5f0671  2011/x86_64/postgresql9.0-pltcl-9.0.9-0.1-mdv2011.0.x86_64.rpm
 e0131e91fcfc39360147b344a31ec190  2011/x86_64/postgresql9.0-server-9.0.9-0.1-mdv2011.0.x86_64.rpm 
 36fa3265c3f4d9b5c65a91b592443a8d  2011/SRPMS/postgresql9.0-9.0.9-0.1.src.rpm

 Mandriva Enterprise Server 5:
 71a6b864aaf665b5a5c611be01639222  mes5/i586/libecpg8.3_6-8.3.20-0.1mdvmes5.2.i586.rpm
 375780b34c97dedb5e3427ecad37fe54  mes5/i586/libpq8.3_5-8.3.20-0.1mdvmes5.2.i586.rpm
 59879d7760529cf3f8eb41e387f47ce4  mes5/i586/postgresql8.3-8.3.20-0.1mdvmes5.2.i586.rpm
 c943954b66132a7eeba9fc65b91c4a44  mes5/i586/postgresql8.3-contrib-8.3.20-0.1mdvmes5.2.i586.rpm
 1fd7ed02e874d6194625c6a481a382c3  mes5/i586/postgresql8.3-devel-8.3.20-0.1mdvmes5.2.i586.rpm
 c8b7c6256d309c95779715cb6cfb1360  mes5/i586/postgresql8.3-docs-8.3.20-0.1mdvmes5.2.i586.rpm
 e2706137d16e6fb0ad22423778838b92  mes5/i586/postgresql8.3-pl-8.3.20-0.1mdvmes5.2.i586.rpm
 832605f323cb055d87399bf31bf9054e  mes5/i586/postgresql8.3-plperl-8.3.20-0.1mdvmes5.2.i586.rpm
 29c0c27a8c94584d7eb67fde4d59b41d  mes5/i586/postgresql8.3-plpgsql-8.3.20-0.1mdvmes5.2.i586.rpm
 b95973e404fc93fbeab6e7bb6ab8af11  mes5/i586/postgresql8.3-plpython-8.3.20-0.1mdvmes5.2.i586.rpm
 555a9ade690cb3c819bfab261a079b1e  mes5/i586/postgresql8.3-pltcl-8.3.20-0.1mdvmes5.2.i586.rpm
 638b114fc547941a1370330625128eb8  mes5/i586/postgresql8.3-server-8.3.20-0.1mdvmes5.2.i586.rpm 
 5ebe09e835e80ed707b7cde6d2b3e604  mes5/SRPMS/postgresql8.3-8.3.20-0.1mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 7dc4e838cc0a297b4bf8edc141433823  mes5/x86_64/lib64ecpg8.3_6-8.3.20-0.1mdvmes5.2.x86_64.rpm
 e7023ffaf92f90f9c8fc9fe66680fac4  mes5/x86_64/lib64pq8.3_5-8.3.20-0.1mdvmes5.2.x86_64.rpm
 3730cd0adf89537d44153fe147714067  mes5/x86_64/postgresql8.3-8.3.20-0.1mdvmes5.2.x86_64.rpm
 9bf71ccef0a419b4852d2836edbeae66  mes5/x86_64/postgresql8.3-contrib-8.3.20-0.1mdvmes5.2.x86_64.rpm
 3d4354bf90b86a6fc67337d96f20f17a  mes5/x86_64/postgresql8.3-devel-8.3.20-0.1mdvmes5.2.x86_64.rpm
 f0b220ef98af65bc84f63c0983a15805  mes5/x86_64/postgresql8.3-docs-8.3.20-0.1mdvmes5.2.x86_64.rpm
 42ccaa371cfc58997bd321a4fcc0d4e7  mes5/x86_64/postgresql8.3-pl-8.3.20-0.1mdvmes5.2.x86_64.rpm
 761a8157ece7989e00f21b6a18a5ab27  mes5/x86_64/postgresql8.3-plperl-8.3.20-0.1mdvmes5.2.x86_64.rpm
 51b264d1ed8ad7bfc06bdfdd77c172d1  mes5/x86_64/postgresql8.3-plpgsql-8.3.20-0.1mdvmes5.2.x86_64.rpm
 373686640467c04242bcb824f5471097  mes5/x86_64/postgresql8.3-plpython-8.3.20-0.1mdvmes5.2.x86_64.rpm
 382654b56d495ee4d1d680c8a7ee3a98  mes5/x86_64/postgresql8.3-pltcl-8.3.20-0.1mdvmes5.2.x86_64.rpm
 63bb9469727b0deb3ee368bd70cb1523  mes5/x86_64/postgresql8.3-server-8.3.20-0.1mdvmes5.2.x86_64.rpm 
 5ebe09e835e80ed707b7cde6d2b3e604  mes5/SRPMS/postgresql8.3-8.3.20-0.1mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQMK/dmqjQ0CJFipgRAv1SAKCVJZuA6JrpfmjlRD1MA5MLXsraBgCgviAU
vWkQPsW68PugeHxcB8/AkvI=
=deHH
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists