Otkrivene su tri sigurnosne ranjivosti u radu programskog paketa PostgreSQL. Udaljeni ih napadač može iskoristiti za zaobilaženje postavljenih ograničenja, lažiranje certifikata i izmjenu podataka.
Paket:
PostgreSQL 8.x, PostgreSQL 9.x
Operacijski sustavi:
Mandriva Linux 2010.1, Mandriva Linux 2011
Kritičnost:
5
Problem:
neodgovarajuća provjera ulaznih podataka, pogreška u programskoj komponenti
Ranjivosti su vezane uz naredbu CREATE TRIGGER, pogrešku u provjeri imena host računala u SSL certifikatima te neodgovarajuće provjere ulaznih podataka u alatu "pg_dump ".
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2012:026
http://www.mandriva.com/security/
_______________________________________________________________________
Package : postgresql
Date : February 29, 2012
Affected: 2010.1, 2011.
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been discovered and corrected in
postgresql:
Permissions on a function called by a trigger are not properly checked
(CVE-2012-0866).
SSL certificate name checks are truncated to 32 characters, allowing
connection spoofing under some circumstances when using third party
certificate authorities (CVE-2012-0867).
Line breaks in object names can be exploited to execute arbitrary
SQL when reloading a pg_dump file (CVE-2012-0868).
This advisory provides the latest versions of PostgreSQL that is not
vulnerable to these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0866
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0868
http://www.postgresql.org/docs/9.0/static/release-9-0-7.html
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.1:
05a4013a0634df4e8cdf169a50c9ec58
2010.1/i586/libecpg8.4_6-8.4.11-0.1mdv2010.2.i586.rpm
401a0d6d8a713613bda5333ab2932e8e
2010.1/i586/libpq8.4_5-8.4.11-0.1mdv2010.2.i586.rpm
325fc7f1e8d9753e77ea94cb36a7d702
2010.1/i586/postgresql8.4-8.4.11-0.1mdv2010.2.i586.rpm
11f758553ba01d0c7cf14822b964d244
2010.1/i586/postgresql8.4-contrib-8.4.11-0.1mdv2010.2.i586.rpm
a8511d0f4e723eeb69e34338b2a44f6e
2010.1/i586/postgresql8.4-devel-8.4.11-0.1mdv2010.2.i586.rpm
491480de895c21045ce61782b31686f4
2010.1/i586/postgresql8.4-docs-8.4.11-0.1mdv2010.2.i586.rpm
43a92413b230b92fc8fe366f8b77b252
2010.1/i586/postgresql8.4-pl-8.4.11-0.1mdv2010.2.i586.rpm
c68d94e1ccf0fc291a77976280c7a5b1
2010.1/i586/postgresql8.4-plperl-8.4.11-0.1mdv2010.2.i586.rpm
b176c3f91b3b3d0fd819db7aee7628a5
2010.1/i586/postgresql8.4-plpgsql-8.4.11-0.1mdv2010.2.i586.rpm
90b3f898d730ae27d8570f814c884361
2010.1/i586/postgresql8.4-plpython-8.4.11-0.1mdv2010.2.i586.rpm
fdb261871120d1099872528990ac4ecb
2010.1/i586/postgresql8.4-pltcl-8.4.11-0.1mdv2010.2.i586.rpm
2bd80e158701b25d2f3191bd536a1680
2010.1/i586/postgresql8.4-server-8.4.11-0.1mdv2010.2.i586.rpm
a1c05f1b89438e41b8dad632395f6e76
2010.1/SRPMS/postgresql8.4-8.4.11-0.1mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
8d00eac057a75900287ff76011d24a14
2010.1/x86_64/lib64ecpg8.4_6-8.4.11-0.1mdv2010.2.x86_64.rpm
63d87909037917014ace4068c2fdf4ed
2010.1/x86_64/lib64pq8.4_5-8.4.11-0.1mdv2010.2.x86_64.rpm
b5e17b5ef713a8626034384f9b11f537
2010.1/x86_64/postgresql8.4-8.4.11-0.1mdv2010.2.x86_64.rpm
377dc92be27f45e9a6205c6572a53a68
2010.1/x86_64/postgresql8.4-contrib-8.4.11-0.1mdv2010.2.x86_64.rpm
4cc7fa9fb0f099b3f909f74810b3fcb6
2010.1/x86_64/postgresql8.4-devel-8.4.11-0.1mdv2010.2.x86_64.rpm
cfdc1cb65acc9764caee7537aa54de0f
2010.1/x86_64/postgresql8.4-docs-8.4.11-0.1mdv2010.2.x86_64.rpm
ee278d87463be450d3cb8359d4f436df
2010.1/x86_64/postgresql8.4-pl-8.4.11-0.1mdv2010.2.x86_64.rpm
c6ab8ff58b96bcb93f36d95aaaebd042
2010.1/x86_64/postgresql8.4-plperl-8.4.11-0.1mdv2010.2.x86_64.rpm
c203e3403876f4b2e6985686d59c2f51
2010.1/x86_64/postgresql8.4-plpgsql-8.4.11-0.1mdv2010.2.x86_64.rpm
4ecfd5289218e1aa46786e698b0b1da1
2010.1/x86_64/postgresql8.4-plpython-8.4.11-0.1mdv2010.2.x86_64.rpm
a0b4adfe98a1165eec3810d1a770d79d
2010.1/x86_64/postgresql8.4-pltcl-8.4.11-0.1mdv2010.2.x86_64.rpm
6ebfada38479a846055c095604d3d45d
2010.1/x86_64/postgresql8.4-server-8.4.11-0.1mdv2010.2.x86_64.rpm
a1c05f1b89438e41b8dad632395f6e76
2010.1/SRPMS/postgresql8.4-8.4.11-0.1mdv2010.2.src.rpm
Mandriva Linux 2011:
25a1dd4d27d6bdc7289251ecb52f42d9
2011/i586/libecpg9.0_6-9.0.7-0.1-mdv2011.0.i586.rpm
4da4a70b065506d61eb0b3fae7e9a564
2011/i586/libpq9.0_5-9.0.7-0.1-mdv2011.0.i586.rpm
62aa0b5091ed185fbab1030acb7ba350
2011/i586/postgresql9.0-9.0.7-0.1-mdv2011.0.i586.rpm
a0c7f18e7d3c5946431fd2244dad900c
2011/i586/postgresql9.0-contrib-9.0.7-0.1-mdv2011.0.i586.rpm
858281c6438468c5c5ce9f3ed187ad35
2011/i586/postgresql9.0-devel-9.0.7-0.1-mdv2011.0.i586.rpm
5c5a07c75d046bf7a56561ec8f670916
2011/i586/postgresql9.0-docs-9.0.7-0.1-mdv2011.0.i586.rpm
99ed62f4866b74bb62372753568e1dca
2011/i586/postgresql9.0-pl-9.0.7-0.1-mdv2011.0.i586.rpm
2837096731c5b7f0d96e207190200b28
2011/i586/postgresql9.0-plperl-9.0.7-0.1-mdv2011.0.i586.rpm
121eb7ed014abdc70b3a9483cc228f2b
2011/i586/postgresql9.0-plpgsql-9.0.7-0.1-mdv2011.0.i586.rpm
c8a81e4d97a70bcea2673cae904c2d7d
2011/i586/postgresql9.0-plpython-9.0.7-0.1-mdv2011.0.i586.rpm
1c350ae5ab7f3d5dabce891d297acda0
2011/i586/postgresql9.0-pltcl-9.0.7-0.1-mdv2011.0.i586.rpm
ac89dd8500774df0e49626e63741429c
2011/i586/postgresql9.0-server-9.0.7-0.1-mdv2011.0.i586.rpm
2723eb57e9056fb5e3f76e2519b4fec7 2011/SRPMS/postgresql9.0-9.0.7-0.1.src.rpm
Mandriva Linux 2011/X86_64:
f6db63374053e409b305353151accd67
2011/x86_64/lib64ecpg9.0_6-9.0.7-0.1-mdv2011.0.x86_64.rpm
96370fd95fc2c3bdbe3a9a6ae648db8b
2011/x86_64/lib64pq9.0_5-9.0.7-0.1-mdv2011.0.x86_64.rpm
54380c9f81620f0a97733d1fa92667d5
2011/x86_64/postgresql9.0-9.0.7-0.1-mdv2011.0.x86_64.rpm
6c6b399ade5b4afd6a2539c27a9a8af1
2011/x86_64/postgresql9.0-contrib-9.0.7-0.1-mdv2011.0.x86_64.rpm
4eefae96bc5377d4032ddd61358f90b1
2011/x86_64/postgresql9.0-devel-9.0.7-0.1-mdv2011.0.x86_64.rpm
baa973ebb01ff2fa9255ad434cd8e309
2011/x86_64/postgresql9.0-docs-9.0.7-0.1-mdv2011.0.x86_64.rpm
5d3fcd9cf5f10032ffeb7278c9474b0f
2011/x86_64/postgresql9.0-pl-9.0.7-0.1-mdv2011.0.x86_64.rpm
4d56f0d01bfb7c5b62928ea2c78a2391
2011/x86_64/postgresql9.0-plperl-9.0.7-0.1-mdv2011.0.x86_64.rpm
2afb5526fb9eded60c8fca205de1d037
2011/x86_64/postgresql9.0-plpgsql-9.0.7-0.1-mdv2011.0.x86_64.rpm
378f8a4c4f1a8ac291d05d8d00d94e65
2011/x86_64/postgresql9.0-plpython-9.0.7-0.1-mdv2011.0.x86_64.rpm
e414f67368a7b600d491b753bde5a96a
2011/x86_64/postgresql9.0-pltcl-9.0.7-0.1-mdv2011.0.x86_64.rpm
3480e6f3303c4bd2f275afe0017a454d
2011/x86_64/postgresql9.0-server-9.0.7-0.1-mdv2011.0.x86_64.rpm
2723eb57e9056fb5e3f76e2519b4fec7 2011/SRPMS/postgresql9.0-9.0.7-0.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFPThgZmqjQ0CJFipgRAsbQAJ9gVWSHEr8OFkGbkxTWnLLCuK7HnwCgxnas
bW8T0eHla0+VDyo5ZcKe2Ck=
=5uc+
-----END PGP SIGNATURE-----
Posljednje sigurnosne preporuke