Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201209-24 ] PostgreSQL: Multiple vulnerabilities
Date: Fri, 28 Sep 2012 12:09:56
Message-Id: 506591A8.5080404@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201209-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: PostgreSQL: Multiple vulnerabilities
Date: September 28, 2012
Bugs: #406037, #419727, #431766
ID: 201209-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in PostgreSQL which may allow
a remote attacker to conduct several attacks.

Background
==========

PostgreSQL is an open source object-relational database management
system.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /   Vulnerable   /        Unaffected
    -------------------------------------------------------------------
  1  dev-db/postgresql-server     < 9.1.5             *>= 8.3.20
                                                      *>= 8.4.13
                                                      *>= 9.0.9
                                                       >= 9.1.5
    -------------------------------------------------------------------

Description
===========

Multiple vulnerabilities have been discovered in PostgreSQL. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could spoof SSL connections. Furthermore, a remote
authenticated attacker could cause a Denial of Service, read and write
arbitrary files, inject SQL commands into dump scripts, or bypass
database restrictions to execute database functions.

A context-dependent attacker could more easily obtain access via
authentication attempts with an initial substring of the intended
password.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PostgreSQL 9.1 server users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-server-9.1.5"

All PostgreSQL 9.0 server users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-server-9.0.9"

All PostgreSQL 8.4 server users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-server-8.4.13"

All PostgreSQL 8.3 server users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-server-8.3.20"
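Added example, not part of this advisory or of Gentoo's own tooling: a POSIX sh check that reads the installed dev-db/postgresql-server version from the Portage VDB and compares it against the Unaffected column of the table above, so an administrator can see which of the four upgrade commands applies before running it. It assumes plain X.Y.Z[-rN] version strings and the standard /var/db/pkg location; Portage's full version grammar (_rc, _p suffixes) is not handled.

```shell
#!/bin/sh
# Hypothetical helper written for this advisory; encodes only the
# Vulnerable/Unaffected ranges printed in GLSA 201209-24.

# ver_field VERSION N -> N-th dot-separated component, with any Gentoo
# revision suffix (-rN) stripped first.  ver_field "9.1.5-r1" 3 -> 5
ver_field() {
    echo "${1%%-r*}" | cut -d. -f"$2"
}

# glsa_201209_24_status VERSION -> prints "unaffected" or "vulnerable"
glsa_201209_24_status() {
    major=$(ver_field "$1" 1)
    minor=$(ver_field "$1" 2)
    patch=$(ver_field "$1" 3)
    : "${patch:=0}"            # "9.1" counts as 9.1.0
    case "$major.$minor" in
        8.3) fixed=20 ;;       # *>= 8.3.20
        8.4) fixed=13 ;;       # *>= 8.4.13
        9.0) fixed=9  ;;       # *>= 9.0.9
        9.1) fixed=5  ;;       #  >= 9.1.5
        *)
            # Branches newer than 9.1 satisfy ">= 9.1.5"; branches older
            # than 8.3 have no unaffected version listed at all.
            if [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -gt 1 ]; }; then
                echo unaffected
            else
                echo vulnerable
            fi
            return 0 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo unaffected; else echo vulnerable; fi
}

# installed_postgresql_server -> every installed version, one per line,
# taken from the Portage VDB directory names (e.g. "9.1.4-r1").
installed_postgresql_server() {
    for d in /var/db/pkg/dev-db/postgresql-server-*; do
        [ -d "$d" ] || continue
        echo "${d##*/postgresql-server-}"
    done
}

# Report each installed slot against this GLSA (prints nothing off-Gentoo).
for v in $(installed_postgresql_server); do
    echo "dev-db/postgresql-server-$v: $(glsa_201209_24_status "$v")"
done
```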

References
==========

[ 1 ] CVE-2012-0866
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0866
[ 2 ] CVE-2012-0867
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0867
[ 3 ] CVE-2012-0868
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0868
[ 4 ] CVE-2012-2143
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2143
[ 5 ] CVE-2012-2655
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2655
[ 6 ] CVE-2012-3488
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3488
[ 7 ] CVE-2012-3489
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3489

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201209-24.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
