- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201110-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: PostgreSQL: Multiple vulnerabilities
      Date: October 25, 2011
      Bugs: #261223, #284274, #297383, #308063, #313335, #320967,
            #339935, #353387, #384539
        ID: 201110-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in the PostgreSQL server and client allow a
remote attacker to conduct several attacks, including the execution of
arbitrary code and Denial of Service.

Background
==========

PostgreSQL is an open source object-relational database management
system.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /     Vulnerable     /        Unaffected
    -------------------------------------------------------------------
  1  dev-db/postgresql              <= 9                   Vulnerable!
  2  dev-db/postgresql-server
                                    < 9.0.5                *>= 8.2.22
                                                           *>= 8.4.9
                                                           *>= 8.3.16
                                                            >= 9.0.5
  3  dev-db/postgresql-base         < 9.0.5                *>= 8.2.22
                                                           *>= 8.4.9
                                                           *>= 8.3.16
                                                            >= 9.0.5
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.
    -------------------------------------------------------------------
     3 affected packages
    -------------------------------------------------------------------

Description
===========

Multiple vulnerabilities have been discovered in PostgreSQL. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote authenticated attacker could send a specially crafted SQL
query to a PostgreSQL server with the "intarray" module enabled,
possibly resulting in the execution of arbitrary code with the
privileges of the PostgreSQL server process, or a Denial of Service
condition. Furthermore, a remote authenticated attacker could execute
arbitrary Perl code, cause a Denial of Service condition via different
vectors, bypass LDAP authentication, bypass X.509 certificate
validation, gain database privileges, exploit weak Blowfish encryption
and possibly cause other unspecified impact.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PostgreSQL 8.2 users should upgrade to the latest 8.2 base version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/postgresql-base-8.2.22:8.2"

All PostgreSQL 8.3 users should upgrade to the latest 8.3 base version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/postgresql-base-8.3.16:8.3"

All PostgreSQL 8.4 users should upgrade to the latest 8.4 base version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/postgresql-base-8.4.9:8.4"

All PostgreSQL 9.0 users should upgrade to the latest 9.0 base version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/postgresql-base-9.0.5:9.0"

All PostgreSQL 8.2 server users should upgrade to the latest 8.2 server
version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/postgresql-server-8.2.22:8.2"

All PostgreSQL 8.3 server users should upgrade to the latest 8.3 server
version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/postgresql-server-8.3.16:8.3"

All PostgreSQL 8.4 server users should upgrade to the latest 8.4 server
version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/postgresql-server-8.4.9:8.4"

All PostgreSQL 9.0 server users should upgrade to the latest 9.0 server
version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/postgresql-server-9.0.5:9.0"

The old unsplit PostgreSQL packages have been removed from portage.
Users still using them are urged to migrate to the new PostgreSQL
packages as stated above and to remove the old package:

  # emerge --unmerge "dev-db/postgresql"
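As an added example (not part of this GLSA or of Gentoo's tooling), the following POSIX shell check maps installed package atoms onto the "Unaffected" column above: a split package is fixed only when its version reaches the fixed version of its own slot, a Gentoo `-rN` revision suffix is ignored, and the old unsplit `dev-db/postgresql` is always reported as vulnerable. The input is constructed sample data; on a real system you would feed it the installed-package list from the package manager (for instance `qlist -Iv dev-db/postgresql` from portage-utils) instead.

```shell
# Added example, not part of GLSA 201110-22: classify installed PostgreSQL atoms
# against the advisory's per-slot fixed versions (POSIX sh, no external tools).
# Fixed ("Unaffected") version for each slot the advisory covers.
fixed_version_for_slot() {
    case "$1" in
        8.2) echo 8.2.22 ;;
        8.3) echo 8.3.16 ;;
        8.4) echo 8.4.9 ;;
        9.0) echo 9.0.5 ;;
        *)   return 1 ;;   # slot not covered by this GLSA
    esac
}
# Exit 0 when dotted version $1 >= $2, comparing each field as an integer
# (a plain string compare would wrongly rank 8.4.10 below 8.4.9).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*} bh=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a='' ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b='' ;; esac
        [ "${ah:-0}" -gt "${bh:-0}" ] && return 0
        [ "${ah:-0}" -lt "${bh:-0}" ] && return 1
    done
    return 0
}
# Print one of: ok, vulnerable, vulnerable-unsplit, unknown-slot, not-postgresql.
glsa_201110_22_status() {
    case "$1" in
        dev-db/postgresql-base-*)   ver=${1#dev-db/postgresql-base-} ;;
        dev-db/postgresql-server-*) ver=${1#dev-db/postgresql-server-} ;;
        dev-db/postgresql-[0-9]*)   echo vulnerable-unsplit; return 0 ;;  # old unsplit package
        *)                          echo not-postgresql; return 0 ;;
    esac
    ver=${ver%-r[0-9]*}    # drop a Gentoo revision suffix such as -r1
    slot=${ver%.*}         # 8.4.9 -> 8.4, 9.0.5 -> 9.0
    fixed=$(fixed_version_for_slot "$slot") || { echo unknown-slot; return 0; }
    if version_ge "$ver" "$fixed"; then echo ok; else echo vulnerable; fi
}
# Constructed sample of installed atoms (roughly what `qlist -Iv dev-db/postgresql` prints).
SAMPLE_INSTALLED='dev-db/postgresql-base-8.4.7
dev-db/postgresql-server-8.4.9-r1
dev-db/postgresql-8.3.9'

report_sample() {   # one "atom status" line per sample entry
    printf '%s\n' "$SAMPLE_INSTALLED" | while IFS= read -r atom; do
        printf '%-36s %s\n' "$atom" "$(glsa_201110_22_status "$atom")"
    done
}
report_sample
```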

References
==========

  [ 1 ] CVE-2009-0922
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0922
  [ 2 ] CVE-2009-3229
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3229
  [ 3 ] CVE-2009-3230
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3230
  [ 4 ] CVE-2009-3231
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3231
  [ 5 ] CVE-2009-4034
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4034
  [ 6 ] CVE-2009-4136
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4136
  [ 7 ] CVE-2010-0442
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0442
  [ 8 ] CVE-2010-0733
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0733
  [ 9 ] CVE-2010-1169
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1169
  [ 10 ] CVE-2010-1170
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1170
  [ 11 ] CVE-2010-1447
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1447
  [ 12 ] CVE-2010-1975
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1975
  [ 13 ] CVE-2010-3433
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3433
  [ 14 ] CVE-2010-4015
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4015
  [ 15 ] CVE-2011-2483
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2483

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201110-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5