the original cloud security

Mandriva Linux Security Advisory 2009-251

Mandriva Linux Security Advisory 2009-251
Posted Dec 8, 2009
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-251 - The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, and 8.2 before 8.2.14 allows remote authenticated users to cause a denial of service (backend shutdown) by re-LOAD-ing libraries from a certain plugins directory. The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and 7.4 before 7.4.26 does not use the appropriate privileges for the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, this is due to an incomplete fix for CVE-2007-6600. The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password. This update provides a fix for this vulnerability. Packages for 2008.0 are being provided due to extended support for Corporate products.

tags | advisory, remote, denial of service
systems | linux, mandriva
advisories | CVE-2009-3229, CVE-2009-3230, CVE-2009-3231
MD5 | f6344eb3c45a8ef97269aed5373d33d5

Mandriva Linux Security Advisory 2009-251

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:251-1
http://www.mandriva.com/security/
_______________________________________________________________________

Package : postgresql8.2
Date : December 8, 2009
Affected: 2008.0
_______________________________________________________________________

Problem Description:

The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before
8.3.8, and 8.2 before 8.2.14 allows remote authenticated users to
cause a denial of service (backend shutdown) by re-LOAD-ing libraries
from a certain plugins directory (CVE-2009-3229).

The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before
8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22,
and 7.4 before 7.4.26 does not use the appropriate privileges for
the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations,
which allows remote authenticated users to gain privileges. NOTE:
this is due to an incomplete fix for CVE-2007-6600 (CVE-2009-3230).

The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2
before 8.2.14, when using LDAP authentication with anonymous binds,
allows remote attackers to bypass authentication via an empty password
(CVE-2009-3231).

This update provides a fix for this vulnerability.

Update:

Packages for 2008.0 are being provided due to extended support for
Corporate products.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3231
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
d292fa6350134d4a694766f78e9b4325 2008.0/i586/libecpg5-8.2.14-0.1mdv2008.0.i586.rpm
0daf74246739a4ddde59c86d929b2372 2008.0/i586/libecpg-devel-8.2.14-0.1mdv2008.0.i586.rpm
784dff4bcff24e719808e862dd5be24e 2008.0/i586/libpq5-8.2.14-0.1mdv2008.0.i586.rpm
6ebbd221cb3f81c2501d60cda66b1ea6 2008.0/i586/libpq-devel-8.2.14-0.1mdv2008.0.i586.rpm
1f41610e32d2aae4f1456e7263c4fb80 2008.0/i586/postgresql-8.2.14-0.1mdv2008.0.i586.rpm
ac8ae125c1db24b5748c5ddef09167a4 2008.0/i586/postgresql8.2-8.2.14-0.1mdv2008.0.i586.rpm
822cbba00ba28bc79d82a9431fe77c48 2008.0/i586/postgresql8.2-contrib-8.2.14-0.1mdv2008.0.i586.rpm
40d417845c085bf33862ff9584d34c9c 2008.0/i586/postgresql8.2-devel-8.2.14-0.1mdv2008.0.i586.rpm
77a9c18eb2439dbe49d61013275fe63e 2008.0/i586/postgresql8.2-docs-8.2.14-0.1mdv2008.0.i586.rpm
db8898ab10b6bad951c8513489856866 2008.0/i586/postgresql8.2-pl-8.2.14-0.1mdv2008.0.i586.rpm
94a96e92ea757b4f694601a53fe59a00 2008.0/i586/postgresql8.2-plperl-8.2.14-0.1mdv2008.0.i586.rpm
92e0adc727b6ac0af5b11fd6444ccd51 2008.0/i586/postgresql8.2-plpgsql-8.2.14-0.1mdv2008.0.i586.rpm
aa8c2ac2de6f42d975596c93a92b54c7 2008.0/i586/postgresql8.2-plpython-8.2.14-0.1mdv2008.0.i586.rpm
1b7ea7658c8326573a61bd8aafce82e6 2008.0/i586/postgresql8.2-pltcl-8.2.14-0.1mdv2008.0.i586.rpm
d6d5489c5c953b08e55ece1f11068276 2008.0/i586/postgresql8.2-server-8.2.14-0.1mdv2008.0.i586.rpm
c6dbc8d2bd9e89daf50df8c53306c552 2008.0/i586/postgresql8.2-test-8.2.14-0.1mdv2008.0.i586.rpm
9e2d3a8100029961f2d48631b69e389b 2008.0/i586/postgresql-devel-8.2.14-0.1mdv2008.0.i586.rpm
169fe8a23affe4f6c32e503655e628ec 2008.0/SRPMS/postgresql8.2-8.2.14-0.1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
3617079ee527bd87a16d2bfdf1a525f4 2008.0/x86_64/lib64ecpg5-8.2.14-0.1mdv2008.0.x86_64.rpm
8f3868b40025a5d2ccaf6adfaba893c5 2008.0/x86_64/lib64ecpg-devel-8.2.14-0.1mdv2008.0.x86_64.rpm
85acc8c26019a0d0c64e5ce9a3eda592 2008.0/x86_64/lib64pq5-8.2.14-0.1mdv2008.0.x86_64.rpm
377613037ed6ded2ce9ca0007c923021 2008.0/x86_64/lib64pq-devel-8.2.14-0.1mdv2008.0.x86_64.rpm
c027b9b132e0a656fa4a71b0bc9fde09 2008.0/x86_64/postgresql-8.2.14-0.1mdv2008.0.x86_64.rpm
bc47a41f53cd99caad122d273984b867 2008.0/x86_64/postgresql8.2-8.2.14-0.1mdv2008.0.x86_64.rpm
3121292bc31043d7dcb3741569287e3a 2008.0/x86_64/postgresql8.2-contrib-8.2.14-0.1mdv2008.0.x86_64.rpm
0a90bd386286aab79ee109cb1a939ed9 2008.0/x86_64/postgresql8.2-devel-8.2.14-0.1mdv2008.0.x86_64.rpm
c6a926f25f2829b5600269f4389db041 2008.0/x86_64/postgresql8.2-docs-8.2.14-0.1mdv2008.0.x86_64.rpm
7793e59a09073e79e694019dd8c52d94 2008.0/x86_64/postgresql8.2-pl-8.2.14-0.1mdv2008.0.x86_64.rpm
a4b52cfd8044f8539af51ed9b437c224 2008.0/x86_64/postgresql8.2-plperl-8.2.14-0.1mdv2008.0.x86_64.rpm
b93075904d8a93824b9d9399764e5cd6 2008.0/x86_64/postgresql8.2-plpgsql-8.2.14-0.1mdv2008.0.x86_64.rpm
ed1710b7151eaabdf5b3a50821a36a69 2008.0/x86_64/postgresql8.2-plpython-8.2.14-0.1mdv2008.0.x86_64.rpm
177f45106d6d4c37589adfb530a58952 2008.0/x86_64/postgresql8.2-pltcl-8.2.14-0.1mdv2008.0.x86_64.rpm
643e2a7589151441ba1ed6e77b503654 2008.0/x86_64/postgresql8.2-server-8.2.14-0.1mdv2008.0.x86_64.rpm
cae199802e9634b3a4df94a8f7222376 2008.0/x86_64/postgresql8.2-test-8.2.14-0.1mdv2008.0.x86_64.rpm
436e154d88a7ba97575b9614506f9fee 2008.0/x86_64/postgresql-devel-8.2.14-0.1mdv2008.0.x86_64.rpm
169fe8a23affe4f6c32e503655e628ec 2008.0/SRPMS/postgresql8.2-8.2.14-0.1mdv2008.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLHj5GmqjQ0CJFipgRAuYZAKDWgA8C/TBq4QdnflpEz1wOhfdb8QCg3GpO
aNp5EUBLnzsVel0r71Hxfsw=
=LQGp
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    2 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close