[ MDVSA-2012:026 ] postgresql




_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2012:026
http://www.mandriva.com/security/
_______________________________________________________________________

Package : postgresql
Date : February 29, 2012
Affected: 2010.1, 2011.
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been discovered and corrected in
postgresql:

Permissions on a function called by a trigger are not properly checked
(CVE-2012-0866).

SSL certificate name checks are truncated to 32 characters, allowing
connection spoofing under some circumstances when using third party
certificate authorities (CVE-2012-0867).

Line breaks in object names can be exploited to execute arbitrary
SQL when reloading a pg_dump file (CVE-2012-0868).

This advisory provides the latest versions of PostgreSQL that are not
vulnerable to these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0866
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0868

http://www.postgresql.org/docs/9.0/static/release-9-0-7.html
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2010.1:
05a4013a0634df4e8cdf169a50c9ec58 2010.1/i586/libecpg8.4_6-8.4.11-0.1mdv2010.2.i586.rpm
401a0d6d8a713613bda5333ab2932e8e 2010.1/i586/libpq8.4_5-8.4.11-0.1mdv2010.2.i586.rpm
325fc7f1e8d9753e77ea94cb36a7d702 2010.1/i586/postgresql8.4-8.4.11-0.1mdv2010.2.i586.rpm
11f758553ba01d0c7cf14822b964d244 2010.1/i586/postgresql8.4-contrib-8.4.11-0.1mdv2010.2.i586.rpm
a8511d0f4e723eeb69e34338b2a44f6e 2010.1/i586/postgresql8.4-devel-8.4.11-0.1mdv2010.2.i586.rpm
491480de895c21045ce61782b31686f4 2010.1/i586/postgresql8.4-docs-8.4.11-0.1mdv2010.2.i586.rpm
43a92413b230b92fc8fe366f8b77b252 2010.1/i586/postgresql8.4-pl-8.4.11-0.1mdv2010.2.i586.rpm
c68d94e1ccf0fc291a77976280c7a5b1 2010.1/i586/postgresql8.4-plperl-8.4.11-0.1mdv2010.2.i586.rpm
b176c3f91b3b3d0fd819db7aee7628a5 2010.1/i586/postgresql8.4-plpgsql-8.4.11-0.1mdv2010.2.i586.rpm
90b3f898d730ae27d8570f814c884361 2010.1/i586/postgresql8.4-plpython-8.4.11-0.1mdv2010.2.i586.rpm
fdb261871120d1099872528990ac4ecb 2010.1/i586/postgresql8.4-pltcl-8.4.11-0.1mdv2010.2.i586.rpm
2bd80e158701b25d2f3191bd536a1680 2010.1/i586/postgresql8.4-server-8.4.11-0.1mdv2010.2.i586.rpm
a1c05f1b89438e41b8dad632395f6e76 2010.1/SRPMS/postgresql8.4-8.4.11-0.1mdv2010.2.src.rpm

Mandriva Linux 2010.1/X86_64:
8d00eac057a75900287ff76011d24a14 2010.1/x86_64/lib64ecpg8.4_6-8.4.11-0.1mdv2010.2.x86_64.rpm
63d87909037917014ace4068c2fdf4ed 2010.1/x86_64/lib64pq8.4_5-8.4.11-0.1mdv2010.2.x86_64.rpm
b5e17b5ef713a8626034384f9b11f537 2010.1/x86_64/postgresql8.4-8.4.11-0.1mdv2010.2.x86_64.rpm
377dc92be27f45e9a6205c6572a53a68 2010.1/x86_64/postgresql8.4-contrib-8.4.11-0.1mdv2010.2.x86_64.rpm
4cc7fa9fb0f099b3f909f74810b3fcb6 2010.1/x86_64/postgresql8.4-devel-8.4.11-0.1mdv2010.2.x86_64.rpm
cfdc1cb65acc9764caee7537aa54de0f 2010.1/x86_64/postgresql8.4-docs-8.4.11-0.1mdv2010.2.x86_64.rpm
ee278d87463be450d3cb8359d4f436df 2010.1/x86_64/postgresql8.4-pl-8.4.11-0.1mdv2010.2.x86_64.rpm
c6ab8ff58b96bcb93f36d95aaaebd042 2010.1/x86_64/postgresql8.4-plperl-8.4.11-0.1mdv2010.2.x86_64.rpm
c203e3403876f4b2e6985686d59c2f51 2010.1/x86_64/postgresql8.4-plpgsql-8.4.11-0.1mdv2010.2.x86_64.rpm
4ecfd5289218e1aa46786e698b0b1da1 2010.1/x86_64/postgresql8.4-plpython-8.4.11-0.1mdv2010.2.x86_64.rpm
a0b4adfe98a1165eec3810d1a770d79d 2010.1/x86_64/postgresql8.4-pltcl-8.4.11-0.1mdv2010.2.x86_64.rpm
6ebfada38479a846055c095604d3d45d 2010.1/x86_64/postgresql8.4-server-8.4.11-0.1mdv2010.2.x86_64.rpm
a1c05f1b89438e41b8dad632395f6e76 2010.1/SRPMS/postgresql8.4-8.4.11-0.1mdv2010.2.src.rpm

Mandriva Linux 2011:
25a1dd4d27d6bdc7289251ecb52f42d9 2011/i586/libecpg9.0_6-9.0.7-0.1-mdv2011.0.i586.rpm
4da4a70b065506d61eb0b3fae7e9a564 2011/i586/libpq9.0_5-9.0.7-0.1-mdv2011.0.i586.rpm
62aa0b5091ed185fbab1030acb7ba350 2011/i586/postgresql9.0-9.0.7-0.1-mdv2011.0.i586.rpm
a0c7f18e7d3c5946431fd2244dad900c 2011/i586/postgresql9.0-contrib-9.0.7-0.1-mdv2011.0.i586.rpm
858281c6438468c5c5ce9f3ed187ad35 2011/i586/postgresql9.0-devel-9.0.7-0.1-mdv2011.0.i586.rpm
5c5a07c75d046bf7a56561ec8f670916 2011/i586/postgresql9.0-docs-9.0.7-0.1-mdv2011.0.i586.rpm
99ed62f4866b74bb62372753568e1dca 2011/i586/postgresql9.0-pl-9.0.7-0.1-mdv2011.0.i586.rpm
2837096731c5b7f0d96e207190200b28 2011/i586/postgresql9.0-plperl-9.0.7-0.1-mdv2011.0.i586.rpm
121eb7ed014abdc70b3a9483cc228f2b 2011/i586/postgresql9.0-plpgsql-9.0.7-0.1-mdv2011.0.i586.rpm
c8a81e4d97a70bcea2673cae904c2d7d 2011/i586/postgresql9.0-plpython-9.0.7-0.1-mdv2011.0.i586.rpm
1c350ae5ab7f3d5dabce891d297acda0 2011/i586/postgresql9.0-pltcl-9.0.7-0.1-mdv2011.0.i586.rpm
ac89dd8500774df0e49626e63741429c 2011/i586/postgresql9.0-server-9.0.7-0.1-mdv2011.0.i586.rpm
2723eb57e9056fb5e3f76e2519b4fec7 2011/SRPMS/postgresql9.0-9.0.7-0.1.src.rpm

Mandriva Linux 2011/X86_64:
f6db63374053e409b305353151accd67 2011/x86_64/lib64ecpg9.0_6-9.0.7-0.1-mdv2011.0.x86_64.rpm
96370fd95fc2c3bdbe3a9a6ae648db8b 2011/x86_64/lib64pq9.0_5-9.0.7-0.1-mdv2011.0.x86_64.rpm
54380c9f81620f0a97733d1fa92667d5 2011/x86_64/postgresql9.0-9.0.7-0.1-mdv2011.0.x86_64.rpm
6c6b399ade5b4afd6a2539c27a9a8af1 2011/x86_64/postgresql9.0-contrib-9.0.7-0.1-mdv2011.0.x86_64.rpm
4eefae96bc5377d4032ddd61358f90b1 2011/x86_64/postgresql9.0-devel-9.0.7-0.1-mdv2011.0.x86_64.rpm
baa973ebb01ff2fa9255ad434cd8e309 2011/x86_64/postgresql9.0-docs-9.0.7-0.1-mdv2011.0.x86_64.rpm
5d3fcd9cf5f10032ffeb7278c9474b0f 2011/x86_64/postgresql9.0-pl-9.0.7-0.1-mdv2011.0.x86_64.rpm
4d56f0d01bfb7c5b62928ea2c78a2391 2011/x86_64/postgresql9.0-plperl-9.0.7-0.1-mdv2011.0.x86_64.rpm
2afb5526fb9eded60c8fca205de1d037 2011/x86_64/postgresql9.0-plpgsql-9.0.7-0.1-mdv2011.0.x86_64.rpm
378f8a4c4f1a8ac291d05d8d00d94e65 2011/x86_64/postgresql9.0-plpython-9.0.7-0.1-mdv2011.0.x86_64.rpm
e414f67368a7b600d491b753bde5a96a 2011/x86_64/postgresql9.0-pltcl-9.0.7-0.1-mdv2011.0.x86_64.rpm
3480e6f3303c4bd2f275afe0017a454d 2011/x86_64/postgresql9.0-server-9.0.7-0.1-mdv2011.0.x86_64.rpm
2723eb57e9056fb5e3f76e2519b4fec7 2011/SRPMS/postgresql9.0-9.0.7-0.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
