Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[ MDKSA-2007:037-1 ] - Updated postgresql packages address multiple vulnerabilities
From: security () mandriva com
Date: Thu, 08 Feb 2007 17:48:13 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                       MDKSA-2007:037-1
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : postgresql
 Date    : February 8, 2007
 Affected: 2007.0, Corporate 4.0
 _______________________________________________________________________
 
 Problem Description:
 
 Jeff Trout discovered that the PostgreSQL server did not sufficiently
 check data types of SQL function arguments in some cases.  A user could
 then exploit this to crash the database server or read out arbitrary
 locations of the server's memory, which could be used to retrieve
 database contents that the user should not be able to see.  Note that a
 user must be authenticated in order to exploit this (CVE-2007-0555).

 As well, Jeff Trout also discovered that the query planner did not
 verify that a table was still compatible with a previously-generated
 query plan, which could be exploted to read out arbitrary locations of
 the server's memory by using ALTER COLUMN TYPE during query execution. 
 Again, a user must be authenticated in order to exploit this
 (CVE-2007-0556).

 Update:

 The previous update updated PostgreSQL to upstream versions, including
 8.1.7 which contained a bug with typemod data types used with check
 constraints and expression indexes.  This regression has been corrected
 in the new 8.1.8 version that is being provided.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0555
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0556
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 c90747c3f8b528b85b16642928752c59  2007.0/i586/libecpg5-8.1.8-1.1mdv2007.0.i586.rpm
 02a28236dbd9aa5d1060fddeb3c6f656  2007.0/i586/libecpg5-devel-8.1.8-1.1mdv2007.0.i586.rpm
 9113ea83c03b369d32c57e0b68325278  2007.0/i586/libpq4-8.1.8-1.1mdv2007.0.i586.rpm
 dff91d9381a47da6a3bfe5d6c3fe2519  2007.0/i586/libpq4-devel-8.1.8-1.1mdv2007.0.i586.rpm
 51969dfad9ba7a74e22882e1db7f559b  2007.0/i586/postgresql-8.1.8-1.1mdv2007.0.i586.rpm
 affaf35323d0583d759dbdc832792cc5  2007.0/i586/postgresql-contrib-8.1.8-1.1mdv2007.0.i586.rpm
 c25d7922f0984ea6947399dca9ec71c9  2007.0/i586/postgresql-devel-8.1.8-1.1mdv2007.0.i586.rpm
 de46e08411f5eb3d2349d9032b7a3b55  2007.0/i586/postgresql-docs-8.1.8-1.1mdv2007.0.i586.rpm
 64732375d78f10a418aaf84a843072a6  2007.0/i586/postgresql-pl-8.1.8-1.1mdv2007.0.i586.rpm
 443d82af4b6dec2df4955675913c1c57  2007.0/i586/postgresql-plperl-8.1.8-1.1mdv2007.0.i586.rpm
 4a38fd10cbc9ebb175710accdb265606  2007.0/i586/postgresql-plpgsql-8.1.8-1.1mdv2007.0.i586.rpm
 6f95a8cdae62756195214f593e47c16b  2007.0/i586/postgresql-plpython-8.1.8-1.1mdv2007.0.i586.rpm
 e19c9b2ecc7137ef425013f06a408647  2007.0/i586/postgresql-pltcl-8.1.8-1.1mdv2007.0.i586.rpm
 c25c09078350d7e44e04eca1bbf48247  2007.0/i586/postgresql-server-8.1.8-1.1mdv2007.0.i586.rpm
 5be6ca33b73216b8d84cfe3695c9f45e  2007.0/i586/postgresql-test-8.1.8-1.1mdv2007.0.i586.rpm 
 c2d53fbc9eace270498003c9bc6db702  2007.0/SRPMS/postgresql-8.1.8-1.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 9fa0cf41fc100317651fd335e42e89d8  2007.0/x86_64/lib64ecpg5-8.1.8-1.1mdv2007.0.x86_64.rpm
 ac631e1f5b06d734a14036e53e6c9799  2007.0/x86_64/lib64ecpg5-devel-8.1.8-1.1mdv2007.0.x86_64.rpm
 cc6a13d12741ee555d2e57795421db2c  2007.0/x86_64/lib64pq4-8.1.8-1.1mdv2007.0.x86_64.rpm
 96bdec5afaa2e0ecc39ce1234de157fd  2007.0/x86_64/lib64pq4-devel-8.1.8-1.1mdv2007.0.x86_64.rpm
 fe56c10801c62d066ffef1dfb3759478  2007.0/x86_64/postgresql-8.1.8-1.1mdv2007.0.x86_64.rpm
 bddf713d296a712ef564ef2386da28e7  2007.0/x86_64/postgresql-contrib-8.1.8-1.1mdv2007.0.x86_64.rpm
 8fae942233a8dd1d09d5decb79f0d42d  2007.0/x86_64/postgresql-devel-8.1.8-1.1mdv2007.0.x86_64.rpm
 66f8de3e958cbdd3c4a54ab33b3cd65b  2007.0/x86_64/postgresql-docs-8.1.8-1.1mdv2007.0.x86_64.rpm
 e10f521991c2a344b83dc41404a7bdc8  2007.0/x86_64/postgresql-pl-8.1.8-1.1mdv2007.0.x86_64.rpm
 0ee1f3f8b2a5ad525059a84411fa77cd  2007.0/x86_64/postgresql-plperl-8.1.8-1.1mdv2007.0.x86_64.rpm
 3bfd69ae9819b20d6e3b2d0f2f2914ee  2007.0/x86_64/postgresql-plpgsql-8.1.8-1.1mdv2007.0.x86_64.rpm
 d43c59da2cc8b94d29cba08dbb8dc5d7  2007.0/x86_64/postgresql-plpython-8.1.8-1.1mdv2007.0.x86_64.rpm
 cb4ca5a0639f6156c93d2847aee768e8  2007.0/x86_64/postgresql-pltcl-8.1.8-1.1mdv2007.0.x86_64.rpm
 4daa3593803d7e0b16f610ff0ba3140c  2007.0/x86_64/postgresql-server-8.1.8-1.1mdv2007.0.x86_64.rpm
 3fe5c0e800801ac0aad676c6d9c49cd7  2007.0/x86_64/postgresql-test-8.1.8-1.1mdv2007.0.x86_64.rpm 
 c2d53fbc9eace270498003c9bc6db702  2007.0/SRPMS/postgresql-8.1.8-1.1mdv2007.0.src.rpm

 Corporate 4.0:
 3646b7d3426103702434428a67144dea  corporate/4.0/i586/libecpg5-8.1.8-0.1.20060mlcs4.i586.rpm
 1c5bd6440fe39f52fb085295807d99b8  corporate/4.0/i586/libecpg5-devel-8.1.8-0.1.20060mlcs4.i586.rpm
 85ca75e8c44c87f9721f91da8fcff8c2  corporate/4.0/i586/libpq4-8.1.8-0.1.20060mlcs4.i586.rpm
 edcd0beb041c7453734c5c16a789a157  corporate/4.0/i586/libpq4-devel-8.1.8-0.1.20060mlcs4.i586.rpm
 9a7878356b498bed4489d75770c1d276  corporate/4.0/i586/postgresql-8.1.8-0.1.20060mlcs4.i586.rpm
 8656f3a7c9c2bb9dfff47d84cd7bca71  corporate/4.0/i586/postgresql-contrib-8.1.8-0.1.20060mlcs4.i586.rpm
 a1f44fd61edfb309c2f0477d18b4f25e  corporate/4.0/i586/postgresql-devel-8.1.8-0.1.20060mlcs4.i586.rpm
 3d4f14265c27d64d01cea5b1d87c2ca3  corporate/4.0/i586/postgresql-docs-8.1.8-0.1.20060mlcs4.i586.rpm
 0870c7e4c4f1c9948d4fa89a9755d344  corporate/4.0/i586/postgresql-pl-8.1.8-0.1.20060mlcs4.i586.rpm
 f430b170ee5798155c8e30c1da041d72  corporate/4.0/i586/postgresql-plperl-8.1.8-0.1.20060mlcs4.i586.rpm
 b5875fd10fe7e2296431762e95e1433e  corporate/4.0/i586/postgresql-plpgsql-8.1.8-0.1.20060mlcs4.i586.rpm
 b163388a7e53e73dc11164cb2ffb6069  corporate/4.0/i586/postgresql-plpython-8.1.8-0.1.20060mlcs4.i586.rpm
 8d34cb89cd0fb36c1d1f59fc94c296f5  corporate/4.0/i586/postgresql-pltcl-8.1.8-0.1.20060mlcs4.i586.rpm
 13c6da736f8d3cd712629435b2f97acd  corporate/4.0/i586/postgresql-server-8.1.8-0.1.20060mlcs4.i586.rpm
 fb84b767af0906777a463cc52c96ae82  corporate/4.0/i586/postgresql-test-8.1.8-0.1.20060mlcs4.i586.rpm 
 ecec0536648eedafd8d14c05f530a713  corporate/4.0/SRPMS/postgresql-8.1.8-0.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 de38a16b9ea4740ce062537e407f8dba  corporate/4.0/x86_64/lib64ecpg5-8.1.8-0.1.20060mlcs4.x86_64.rpm
 11bc707a0e4632ef7c2b4b0178ee41a3  corporate/4.0/x86_64/lib64ecpg5-devel-8.1.8-0.1.20060mlcs4.x86_64.rpm
 be32ff79999384264518fc36cddf6557  corporate/4.0/x86_64/lib64pq4-8.1.8-0.1.20060mlcs4.x86_64.rpm
 2a29c2a494239f4e868a26eb21d10fc1  corporate/4.0/x86_64/lib64pq4-devel-8.1.8-0.1.20060mlcs4.x86_64.rpm
 94e0e3b49c4dd3fe7c5ff53a16684ac6  corporate/4.0/x86_64/postgresql-8.1.8-0.1.20060mlcs4.x86_64.rpm
 6b98440fa37a0c36583338f21dab0ba5  corporate/4.0/x86_64/postgresql-contrib-8.1.8-0.1.20060mlcs4.x86_64.rpm
 437e389ba99fba84f0b0dd4498a2b065  corporate/4.0/x86_64/postgresql-devel-8.1.8-0.1.20060mlcs4.x86_64.rpm
 af7ff5bf6e597521678bdac8434db561  corporate/4.0/x86_64/postgresql-docs-8.1.8-0.1.20060mlcs4.x86_64.rpm
 a1df29f5b0aa54c60febfe6088c5a978  corporate/4.0/x86_64/postgresql-pl-8.1.8-0.1.20060mlcs4.x86_64.rpm
 dde134fa8ca3771556d30fa08de48065  corporate/4.0/x86_64/postgresql-plperl-8.1.8-0.1.20060mlcs4.x86_64.rpm
 1f3373ac4d916f8877c9e6bf7c534320  corporate/4.0/x86_64/postgresql-plpgsql-8.1.8-0.1.20060mlcs4.x86_64.rpm
 9808c3922aa7a331a004ba6bf73b5f75  corporate/4.0/x86_64/postgresql-plpython-8.1.8-0.1.20060mlcs4.x86_64.rpm
 bdc3c99b92b9273c5498e884b0a8cb89  corporate/4.0/x86_64/postgresql-pltcl-8.1.8-0.1.20060mlcs4.x86_64.rpm
 5a4a8a94afe80e38cc625f1a6e8ef8a0  corporate/4.0/x86_64/postgresql-server-8.1.8-0.1.20060mlcs4.x86_64.rpm
 2fe0e23d6f77d5761ed5feca78cb8868  corporate/4.0/x86_64/postgresql-test-8.1.8-0.1.20060mlcs4.x86_64.rpm 
 ecec0536648eedafd8d14c05f530a713  corporate/4.0/SRPMS/postgresql-8.1.8-0.1.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFy5ofmqjQ0CJFipgRAoKeAKC0N2+uxlJ8K+yE8qL+XSeV6Fiz0QCeNE67
UlyPuxevAwtcvuPu11Mn70c=
=SlEu
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [ MDKSA-2007:037-1 ] - Updated postgresql packages address multiple vulnerabilities security (Feb 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault