-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:048
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : postgresql
Date    : February 12, 2015
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been discovered and corrected in postgresql:

Stephen Frost discovered that PostgreSQL incorrectly displayed certain
values in error messages. An authenticated user could gain access to
seeing certain values, contrary to expected permissions (CVE-2014-8161).

Andres Freund, Peter Geoghegan and Noah Misch discovered that PostgreSQL
incorrectly handled buffers in to_char functions. An authenticated
attacker could possibly use this issue to cause PostgreSQL to crash,
resulting in a denial of service, or possibly execute arbitrary code
(CVE-2015-0241).

It was discovered that PostgreSQL incorrectly handled memory in the
pgcrypto extension. An authenticated attacker could possibly use this
issue to cause PostgreSQL to crash, resulting in a denial of service,
or possibly execute arbitrary code (CVE-2015-0243).

Emil Lenngren discovered that PostgreSQL incorrectly handled extended
protocol message reading. An authenticated attacker could possibly use
this issue to cause PostgreSQL to crash, resulting in a denial of
service, or possibly inject query messages (CVE-2015-0244).

This advisory provides the latest version of PostgreSQL that is not
vulnerable to these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8161
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0244
http://www.postgresql.org/docs/9.2/static/release-9-2-10.html
http://www.ubuntu.com/usn/usn-2499-1/
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
c7247e9bed1b4546e0ad8b4642a0c4d6  mbs1/x86_64/lib64ecpg9.2_6-9.2.10-1.mbs1.x86_64.rpm
e201099de82f9e8e506a218bbce83008  mbs1/x86_64/lib64pq9.2_5-9.2.10-1.mbs1.x86_64.rpm
9c4a352c4efe8229f86d86c9dfe4ca7e  mbs1/x86_64/postgresql9.2-9.2.10-1.mbs1.x86_64.rpm
ea0dba2757d027a313123de9b9838107  mbs1/x86_64/postgresql9.2-contrib-9.2.10-1.mbs1.x86_64.rpm
41eed84aa37c1b7f7fe04d4847c9353e  mbs1/x86_64/postgresql9.2-devel-9.2.10-1.mbs1.x86_64.rpm
1b75d6c7118b01399e5967a19aa4ecd4  mbs1/x86_64/postgresql9.2-docs-9.2.10-1.mbs1.noarch.rpm
571d8991f01cc05e5e9163bf5d7e2983  mbs1/x86_64/postgresql9.2-pl-9.2.10-1.mbs1.x86_64.rpm
1d4e7e9458ae38e364550e1e81f1680b  mbs1/x86_64/postgresql9.2-plperl-9.2.10-1.mbs1.x86_64.rpm
c106d7f63f3f83dd797f1fcec7101b7b  mbs1/x86_64/postgresql9.2-plpgsql-9.2.10-1.mbs1.x86_64.rpm
3abb3d109b12229f89e1ae2a8f867e4f  mbs1/x86_64/postgresql9.2-plpython-9.2.10-1.mbs1.x86_64.rpm
22fa1beffab4ca2180f6aa3506f40dc4  mbs1/x86_64/postgresql9.2-pltcl-9.2.10-1.mbs1.x86_64.rpm
4bd0ab5189b93ac542b2eda0bd9f3b45  mbs1/x86_64/postgresql9.2-server-9.2.10-1.mbs1.x86_64.rpm
00c3b26e5a4567cae6d40caf499836ca  mbs1/SRPMS/postgresql9.2-9.2.10-1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by
executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFU3IqamqjQ0CJFipgRAvITAKDtjC7P+blOE8qdL7HTGKv8h3OaNgCgyies
gblH0pTGn3CX7dPhdYMqcl4=
=QXzy
-----END PGP SIGNATURE-----
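
A patch-level check for the packages listed under "Updated Packages", added here as an example and not part of the Mandriva advisory: it flags installed postgresql 9.2 packages older than the fixed 9.2.10-1.mbs1 build. It assumes the input comes from rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n', uses a simplified version comparison (no epoch or tilde handling), and the sample host output is constructed.

```python
import re

FIXED = ("9.2.10", "1.mbs1")  # version, release of the builds listed in the advisory
# Binary package names that appear in the advisory's Updated Packages list.
AFFECTED = re.compile(r"^(postgresql9\.2(-.+)?|lib64(ecpg9\.2_6|pq9\.2_5))$")

def _segments(s):
    # "9.2.10" -> [9, 2, 10]; "1.mbs1" -> [1, "mbs", 1]
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def _cmp(a, b):
    """Simplified rpmvercmp (assumption: no epoch, no tilde). Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1  # numeric segment sorts newer
        return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def outdated(rpm_lines):
    """Return [(name, 'version-release')] for advisory packages older than FIXED."""
    hits = []
    for line in rpm_lines.splitlines():
        parts = line.split()
        if len(parts) != 3 or not AFFECTED.match(parts[0]):
            continue  # malformed line or a package this advisory does not cover
        name, ver, rel = parts
        # Release only matters when the versions are equal.
        if (_cmp(ver, FIXED[0]) or _cmp(rel, FIXED[1])) < 0:
            hits.append((name, f"{ver}-{rel}"))
    return hits

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'
SAMPLE = """\
postgresql9.2-server 9.2.9 1.mbs1
postgresql9.2 9.2.10 1.mbs1
lib64pq9.2_5 9.2.4 1.1.mbs1
postgresql9.2-contrib 9.2.10 2.mbs1
bash 4.2 9.mbs1
"""

if __name__ == "__main__":
    for name, vr in outdated(SAMPLE):
        print(f"{name} {vr} is older than {FIXED[0]}-{FIXED[1]}")
```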