Mandriva Linux Security Advisory 2015-048 - Multiple vulnerabilities has been discovered and corrected in Stephen Frost discovered that PostgreSQL incorrectly displayed certain values in error messages. An authenticated user could gain access to seeing certain values, contrary to expected permissions. Andres Freund, Peter Geoghegan and Noah Misch discovered that PostgreSQL incorrectly handled buffers in to_char functions. An authenticated attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service, or possibly execute arbitrary code. It was discovered that PostgreSQL incorrectly handled memory in the pgcrypto extension. An authenticated attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service, or possibly execute arbitrary code. Emil Lenngren discovered that PostgreSQL incorrectly handled extended protocol message reading. An authenticated attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service, or possibly inject query messages. This advisory provides the latest version of PostgreSQL that is not vulnerable to these issues.
634d97dbd89e3a11f0f04718cbf5534aac49ac2bfae32de2e27000b2b448d65e-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:048
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : postgresql
Date : February 12, 2015
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been discovered and corrected in
postgresql:
Stephen Frost discovered that PostgreSQL incorrectly displayed
certain values in error messages. An authenticated user could gain
access to seeing certain values, contrary to expected permissions
(CVE-2014-8161).
Andres Freund, Peter Geoghegan and Noah Misch discovered that
PostgreSQL incorrectly handled buffers in to_char functions. An
authenticated attacker could possibly use this issue to cause
PostgreSQL to crash, resulting in a denial of service, or possibly
execute arbitrary code (CVE-2015-0241).
It was discovered that PostgreSQL incorrectly handled memory in the
pgcrypto extension. An authenticated attacker could possibly use this
issue to cause PostgreSQL to crash, resulting in a denial of service,
or possibly execute arbitrary code (CVE-2015-0243).
Emil Lenngren discovered that PostgreSQL incorrectly handled extended
protocol message reading. An authenticated attacker could possibly
use this issue to cause PostgreSQL to crash, resulting in a denial
of service, or possibly inject query messages (CVE-2015-0244).
This advisory provides the latest version of PostgreSQL that is not
vulnerable to these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8161
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0244
http://www.postgresql.org/docs/9.2/static/release-9-2-10.html
http://www.ubuntu.com/usn/usn-2499-1/
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
c7247e9bed1b4546e0ad8b4642a0c4d6 mbs1/x86_64/lib64ecpg9.2_6-9.2.10-1.mbs1.x86_64.rpm
e201099de82f9e8e506a218bbce83008 mbs1/x86_64/lib64pq9.2_5-9.2.10-1.mbs1.x86_64.rpm
9c4a352c4efe8229f86d86c9dfe4ca7e mbs1/x86_64/postgresql9.2-9.2.10-1.mbs1.x86_64.rpm
ea0dba2757d027a313123de9b9838107 mbs1/x86_64/postgresql9.2-contrib-9.2.10-1.mbs1.x86_64.rpm
41eed84aa37c1b7f7fe04d4847c9353e mbs1/x86_64/postgresql9.2-devel-9.2.10-1.mbs1.x86_64.rpm
1b75d6c7118b01399e5967a19aa4ecd4 mbs1/x86_64/postgresql9.2-docs-9.2.10-1.mbs1.noarch.rpm
571d8991f01cc05e5e9163bf5d7e2983 mbs1/x86_64/postgresql9.2-pl-9.2.10-1.mbs1.x86_64.rpm
1d4e7e9458ae38e364550e1e81f1680b mbs1/x86_64/postgresql9.2-plperl-9.2.10-1.mbs1.x86_64.rpm
c106d7f63f3f83dd797f1fcec7101b7b mbs1/x86_64/postgresql9.2-plpgsql-9.2.10-1.mbs1.x86_64.rpm
3abb3d109b12229f89e1ae2a8f867e4f mbs1/x86_64/postgresql9.2-plpython-9.2.10-1.mbs1.x86_64.rpm
22fa1beffab4ca2180f6aa3506f40dc4 mbs1/x86_64/postgresql9.2-pltcl-9.2.10-1.mbs1.x86_64.rpm
4bd0ab5189b93ac542b2eda0bd9f3b45 mbs1/x86_64/postgresql9.2-server-9.2.10-1.mbs1.x86_64.rpm
00c3b26e5a4567cae6d40caf499836ca mbs1/SRPMS/postgresql9.2-9.2.10-1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFU3IqamqjQ0CJFipgRAvITAKDtjC7P+blOE8qdL7HTGKv8h3OaNgCgyies
gblH0pTGn3CX7dPhdYMqcl4=
=QXzy
-----END PGP SIGNATURE-----
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed