Gentoo Archives: gentoo-announce

From: Alex Legler <a3li@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201110-22 ] PostgreSQL: Multiple vulnerabilities
Date: Tue, 25 Oct 2011 07:55:39
Message-Id: 201110250950.34684.a3li@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201110-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: PostgreSQL: Multiple vulnerabilities
      Date: October 25, 2011
      Bugs: #261223, #284274, #297383, #308063, #313335, #320967,
            #339935, #353387, #384539
        ID: 201110-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in the PostgreSQL server and client allow a
remote attacker to conduct several attacks, including the execution of
arbitrary code and Denial of Service.

Background
==========

PostgreSQL is an open source object-relational database management
system.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-db/postgresql             <= 9                   Vulnerable!
  2  dev-db/postgresql-server
                                  < 9.0.5                 *>= 8.2.22
                                                           *>= 8.4.9
                                                          *>= 8.3.16
                                                            >= 9.0.5
  3  dev-db/postgresql-base       < 9.0.5                 *>= 8.2.22
                                                           *>= 8.4.9
                                                          *>= 8.3.16
                                                            >= 9.0.5
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.
    -------------------------------------------------------------------
     3 affected packages
    -------------------------------------------------------------------

Description
===========

Multiple vulnerabilities have been discovered in PostgreSQL. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote authenticated attacker could send a specially crafted SQL
query to a PostgreSQL server with the "intarray" module enabled,
possibly resulting in the execution of arbitrary code with the
privileges of the PostgreSQL server process, or a Denial of Service
condition. Furthermore, a remote authenticated attacker could execute
arbitrary Perl code, cause a Denial of Service condition via different
vectors, bypass LDAP authentication, bypass X.509 certificate
validation, gain database privileges, exploit weak Blowfish encryption
and possibly cause other unspecified impact.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PostgreSQL 8.2 users should upgrade to the latest 8.2 base version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/postgresql-base-8.2.22:8.2"

All PostgreSQL 8.3 users should upgrade to the latest 8.3 base version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/postgresql-base-8.3.16:8.3"

All PostgreSQL 8.4 users should upgrade to the latest 8.4 base version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/postgresql-base-8.4.9:8.4"

All PostgreSQL 9.0 users should upgrade to the latest 9.0 base version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/postgresql-base-9.0.5:9.0"

All PostgreSQL 8.2 server users should upgrade to the latest 8.2 server
version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/postgresql-server-8.2.22:8.2"

All PostgreSQL 8.3 server users should upgrade to the latest 8.3 server
version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/postgresql-server-8.3.16:8.3"

All PostgreSQL 8.4 server users should upgrade to the latest 8.4 server
version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/postgresql-server-8.4.9:8.4"

All PostgreSQL 9.0 server users should upgrade to the latest 9.0 server
version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/postgresql-server-9.0.5:9.0"

The old unsplit PostgreSQL packages have been removed from portage.
Users still using them are urged to migrate to the new PostgreSQL
packages as stated above and to remove the old package:

  # emerge --unmerge "dev-db/postgresql"
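
The following script is an added example, not part of this GLSA and not
Gentoo's own tooling: it encodes the per-slot "Unaffected" thresholds
from the resolution above and reports, for a list of installed atoms,
which slots still need the upgrade and which emerge command applies. It
assumes atoms in the form category/package-version[-rN] as printed by
`qlist -Iv dev-db/postgresql` (app-portage/portage-utils), numeric release
versions only (no _beta/_rc suffixes), and a slot equal to the first two
version components; the SAMPLE_INSTALLED list is constructed, not output
from a real system.

```shell
#!/bin/sh
# Added example (not from GLSA 201110-22): check installed PostgreSQL atoms
# against the advisory's unaffected versions. Assumes "category/pkg-version"
# atoms, numeric-only versions, and slot = first two version components.

# Lowest unaffected version per slot, taken from the advisory's resolution.
fixed_version() {
    case $1 in
        8.2) echo 8.2.22 ;;
        8.3) echo 8.3.16 ;;
        8.4) echo 8.4.9 ;;
        9.0) echo 9.0.5 ;;
        *)   echo '' ;;
    esac
    return 0
}

# ver_ge A B: succeed (0) if dotted version A is >= B. A Gentoo revision
# suffix (-rN) is dropped first; the thresholds carry no revision, so the
# base version decides. Missing trailing components count as 0.
ver_ge() {
    vg_a=${1%%-r*}
    vg_b=${2%%-r*}
    while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
        vg_ai=${vg_a%%.*}
        vg_bi=${vg_b%%.*}
        [ "$vg_ai" = "$vg_a" ] && vg_a='' || vg_a=${vg_a#*.}
        [ "$vg_bi" = "$vg_b" ] && vg_b='' || vg_b=${vg_b#*.}
        vg_ai=${vg_ai:-0}
        vg_bi=${vg_bi:-0}
        if [ "$vg_ai" -gt "$vg_bi" ]; then return 0; fi
        if [ "$vg_ai" -lt "$vg_bi" ]; then return 1; fi
    done
    return 0
}

# glsa_201110_22_status ATOM: print a verdict for one installed atom.
# Exit status: 0 = unaffected or not covered, 1 = vulnerable,
# 2 = slot not listed in this advisory.
glsa_201110_22_status() {
    gs_pkg=${1#*/}                 # drop category:  postgresql-base-8.4.9-r1
    gs_base=${gs_pkg%-r[0-9]*}     # drop revision:  postgresql-base-8.4.9
    gs_ver=${gs_base##*-}          # version:        8.4.9
    gs_name=${gs_base%-*}          # package name:   postgresql-base
    case $gs_name in
        postgresql)
            # The unsplit package has no fixed version at all (table row 1).
            echo "vulnerable: unsplit package, no fixed version; migrate to postgresql-base/-server and unmerge"
            return 1 ;;
        postgresql-base|postgresql-server) ;;
        *)
            echo "not covered by GLSA 201110-22"
            return 0 ;;
    esac
    gs_slot=${gs_ver%.*}           # slot = first two components: 8.4
    gs_fixed=$(fixed_version "$gs_slot")
    if [ -z "$gs_fixed" ]; then
        echo "slot $gs_slot not listed in this advisory"
        return 2
    fi
    if ver_ge "$gs_ver" "$gs_fixed"; then
        echo "unaffected (>= $gs_fixed)"
        return 0
    fi
    echo "vulnerable: emerge --oneshot \">=dev-db/$gs_name-$gs_fixed:$gs_slot\""
    return 1
}

# Constructed sample of installed atoms (not real qlist output).
SAMPLE_INSTALLED='dev-db/postgresql-base-8.4.7
dev-db/postgresql-server-8.4.7
dev-db/postgresql-base-9.0.5
dev-db/postgresql-server-9.0.5-r1
dev-db/postgresql-8.3.11'

for gs_atom in $SAMPLE_INSTALLED; do
    printf '%-36s %s\n' "$gs_atom" "$(glsa_201110_22_status "$gs_atom")"
done
```

On a real Gentoo system, glsa-check from app-portage/gentoolkit performs
this comparison against the whole GLSA database; the script above only
encodes this one advisory. Note also that emerging a fixed
dev-db/postgresql-server replaces the binaries on disk but does not
restart a running postmaster, which keeps executing the old code until
the service is restarted.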
130
References
==========

[ 1 ] CVE-2009-0922
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0922
[ 2 ] CVE-2009-3229
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3229
[ 3 ] CVE-2009-3230
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3230
[ 4 ] CVE-2009-3231
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3231
[ 5 ] CVE-2009-4034
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4034
[ 6 ] CVE-2009-4136
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4136
[ 7 ] CVE-2010-0442
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0442
[ 8 ] CVE-2010-0733
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0733
[ 9 ] CVE-2010-1169
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1169
[ 10 ] CVE-2010-1170
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1170
[ 11 ] CVE-2010-1447
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1447
[ 12 ] CVE-2010-1975
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1975
[ 13 ] CVE-2010-3433
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3433
[ 14 ] CVE-2010-4015
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4015
[ 15 ] CVE-2011-2483
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2483

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201110-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name      MIME type
signature.asc  application/pgp-signature