Mandriva Linux Security Advisory 2009-251 - The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, and 8.2 before 8.2.14 allows remote authenticated users to cause a denial of service (backend shutdown) by re-LOAD-ing libraries from a certain plugins directory. The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and 7.4 before 7.4.26 does not use the appropriate privileges for the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, this is due to an incomplete fix for CVE-2007-6600. The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password. This update provides a fix for this vulnerability. Packages for 2008.0 are being provided due to extended support for Corporate products.
a45ef8112169e7fb31a87a4ebc4edd094bd03e9093cb00211a57a047c6f18154
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:251-1
http://www.mandriva.com/security/
_______________________________________________________________________
Package : postgresql8.2
Date : December 8, 2009
Affected: 2008.0
_______________________________________________________________________
Problem Description:
The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before
8.3.8, and 8.2 before 8.2.14 allows remote authenticated users to
cause a denial of service (backend shutdown) by re-LOAD-ing libraries
from a certain plugins directory (CVE-2009-3229).
The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before
8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22,
and 7.4 before 7.4.26 does not use the appropriate privileges for
the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations,
which allows remote authenticated users to gain privileges. NOTE:
this is due to an incomplete fix for CVE-2007-6600 (CVE-2009-3230).
The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2
before 8.2.14, when using LDAP authentication with anonymous binds,
allows remote attackers to bypass authentication via an empty password
(CVE-2009-3231).
This update provides a fix for this vulnerability.
Update:
Packages for 2008.0 are being provided due to extended support for
Corporate products.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3231
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
d292fa6350134d4a694766f78e9b4325 2008.0/i586/libecpg5-8.2.14-0.1mdv2008.0.i586.rpm
0daf74246739a4ddde59c86d929b2372 2008.0/i586/libecpg-devel-8.2.14-0.1mdv2008.0.i586.rpm
784dff4bcff24e719808e862dd5be24e 2008.0/i586/libpq5-8.2.14-0.1mdv2008.0.i586.rpm
6ebbd221cb3f81c2501d60cda66b1ea6 2008.0/i586/libpq-devel-8.2.14-0.1mdv2008.0.i586.rpm
1f41610e32d2aae4f1456e7263c4fb80 2008.0/i586/postgresql-8.2.14-0.1mdv2008.0.i586.rpm
ac8ae125c1db24b5748c5ddef09167a4 2008.0/i586/postgresql8.2-8.2.14-0.1mdv2008.0.i586.rpm
822cbba00ba28bc79d82a9431fe77c48 2008.0/i586/postgresql8.2-contrib-8.2.14-0.1mdv2008.0.i586.rpm
40d417845c085bf33862ff9584d34c9c 2008.0/i586/postgresql8.2-devel-8.2.14-0.1mdv2008.0.i586.rpm
77a9c18eb2439dbe49d61013275fe63e 2008.0/i586/postgresql8.2-docs-8.2.14-0.1mdv2008.0.i586.rpm
db8898ab10b6bad951c8513489856866 2008.0/i586/postgresql8.2-pl-8.2.14-0.1mdv2008.0.i586.rpm
94a96e92ea757b4f694601a53fe59a00 2008.0/i586/postgresql8.2-plperl-8.2.14-0.1mdv2008.0.i586.rpm
92e0adc727b6ac0af5b11fd6444ccd51 2008.0/i586/postgresql8.2-plpgsql-8.2.14-0.1mdv2008.0.i586.rpm
aa8c2ac2de6f42d975596c93a92b54c7 2008.0/i586/postgresql8.2-plpython-8.2.14-0.1mdv2008.0.i586.rpm
1b7ea7658c8326573a61bd8aafce82e6 2008.0/i586/postgresql8.2-pltcl-8.2.14-0.1mdv2008.0.i586.rpm
d6d5489c5c953b08e55ece1f11068276 2008.0/i586/postgresql8.2-server-8.2.14-0.1mdv2008.0.i586.rpm
c6dbc8d2bd9e89daf50df8c53306c552 2008.0/i586/postgresql8.2-test-8.2.14-0.1mdv2008.0.i586.rpm
9e2d3a8100029961f2d48631b69e389b 2008.0/i586/postgresql-devel-8.2.14-0.1mdv2008.0.i586.rpm
169fe8a23affe4f6c32e503655e628ec 2008.0/SRPMS/postgresql8.2-8.2.14-0.1mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
3617079ee527bd87a16d2bfdf1a525f4 2008.0/x86_64/lib64ecpg5-8.2.14-0.1mdv2008.0.x86_64.rpm
8f3868b40025a5d2ccaf6adfaba893c5 2008.0/x86_64/lib64ecpg-devel-8.2.14-0.1mdv2008.0.x86_64.rpm
85acc8c26019a0d0c64e5ce9a3eda592 2008.0/x86_64/lib64pq5-8.2.14-0.1mdv2008.0.x86_64.rpm
377613037ed6ded2ce9ca0007c923021 2008.0/x86_64/lib64pq-devel-8.2.14-0.1mdv2008.0.x86_64.rpm
c027b9b132e0a656fa4a71b0bc9fde09 2008.0/x86_64/postgresql-8.2.14-0.1mdv2008.0.x86_64.rpm
bc47a41f53cd99caad122d273984b867 2008.0/x86_64/postgresql8.2-8.2.14-0.1mdv2008.0.x86_64.rpm
3121292bc31043d7dcb3741569287e3a 2008.0/x86_64/postgresql8.2-contrib-8.2.14-0.1mdv2008.0.x86_64.rpm
0a90bd386286aab79ee109cb1a939ed9 2008.0/x86_64/postgresql8.2-devel-8.2.14-0.1mdv2008.0.x86_64.rpm
c6a926f25f2829b5600269f4389db041 2008.0/x86_64/postgresql8.2-docs-8.2.14-0.1mdv2008.0.x86_64.rpm
7793e59a09073e79e694019dd8c52d94 2008.0/x86_64/postgresql8.2-pl-8.2.14-0.1mdv2008.0.x86_64.rpm
a4b52cfd8044f8539af51ed9b437c224 2008.0/x86_64/postgresql8.2-plperl-8.2.14-0.1mdv2008.0.x86_64.rpm
b93075904d8a93824b9d9399764e5cd6 2008.0/x86_64/postgresql8.2-plpgsql-8.2.14-0.1mdv2008.0.x86_64.rpm
ed1710b7151eaabdf5b3a50821a36a69 2008.0/x86_64/postgresql8.2-plpython-8.2.14-0.1mdv2008.0.x86_64.rpm
177f45106d6d4c37589adfb530a58952 2008.0/x86_64/postgresql8.2-pltcl-8.2.14-0.1mdv2008.0.x86_64.rpm
643e2a7589151441ba1ed6e77b503654 2008.0/x86_64/postgresql8.2-server-8.2.14-0.1mdv2008.0.x86_64.rpm
cae199802e9634b3a4df94a8f7222376 2008.0/x86_64/postgresql8.2-test-8.2.14-0.1mdv2008.0.x86_64.rpm
436e154d88a7ba97575b9614506f9fee 2008.0/x86_64/postgresql-devel-8.2.14-0.1mdv2008.0.x86_64.rpm
169fe8a23affe4f6c32e503655e628ec 2008.0/SRPMS/postgresql8.2-8.2.14-0.1mdv2008.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLHj5GmqjQ0CJFipgRAuYZAKDWgA8C/TBq4QdnflpEz1wOhfdb8QCg3GpO
aNp5EUBLnzsVel0r71Hxfsw=
=LQGp
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed