-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:251-1 http://www.mandriva.com/security/ _______________________________________________________________________ Package : postgresql8.2 Date : December 8, 2009 Affected: 2008.0 _______________________________________________________________________ Problem Description: The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, and 8.2 before 8.2.14 allows remote authenticated users to cause a denial of service (backend shutdown) by re-LOAD-ing libraries from a certain plugins directory (CVE-2009-3229). The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and 7.4 before 7.4.26 does not use the appropriate privileges for the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, which allows remote authenticated users to gain privileges. NOTE: this is due to an incomplete fix for CVE-2007-6600 (CVE-2009-3230). The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password (CVE-2009-3231). This update provides a fix for this vulnerability. Update: Packages for 2008.0 are being provided due to extended support for Corporate products. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3229 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3231 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.0: d292fa6350134d4a694766f78e9b4325 2008.0/i586/libecpg5-8.2.14-0.1mdv2008.0.i586.rpm 0daf74246739a4ddde59c86d929b2372 2008.0/i586/libecpg-devel-8.2.14-0.1mdv2008.0.i586.rpm 784dff4bcff24e719808e862dd5be24e 2008.0/i586/libpq5-8.2.14-0.1mdv2008.0.i586.rpm 6ebbd221cb3f81c2501d60cda66b1ea6 2008.0/i586/libpq-devel-8.2.14-0.1mdv2008.0.i586.rpm 1f41610e32d2aae4f1456e7263c4fb80 2008.0/i586/postgresql-8.2.14-0.1mdv2008.0.i586.rpm ac8ae125c1db24b5748c5ddef09167a4 2008.0/i586/postgresql8.2-8.2.14-0.1mdv2008.0.i586.rpm 822cbba00ba28bc79d82a9431fe77c48 2008.0/i586/postgresql8.2-contrib-8.2.14-0.1mdv2008.0.i586.rpm 40d417845c085bf33862ff9584d34c9c 2008.0/i586/postgresql8.2-devel-8.2.14-0.1mdv2008.0.i586.rpm 77a9c18eb2439dbe49d61013275fe63e 2008.0/i586/postgresql8.2-docs-8.2.14-0.1mdv2008.0.i586.rpm db8898ab10b6bad951c8513489856866 2008.0/i586/postgresql8.2-pl-8.2.14-0.1mdv2008.0.i586.rpm 94a96e92ea757b4f694601a53fe59a00 2008.0/i586/postgresql8.2-plperl-8.2.14-0.1mdv2008.0.i586.rpm 92e0adc727b6ac0af5b11fd6444ccd51 2008.0/i586/postgresql8.2-plpgsql-8.2.14-0.1mdv2008.0.i586.rpm aa8c2ac2de6f42d975596c93a92b54c7 2008.0/i586/postgresql8.2-plpython-8.2.14-0.1mdv2008.0.i586.rpm 1b7ea7658c8326573a61bd8aafce82e6 2008.0/i586/postgresql8.2-pltcl-8.2.14-0.1mdv2008.0.i586.rpm d6d5489c5c953b08e55ece1f11068276 2008.0/i586/postgresql8.2-server-8.2.14-0.1mdv2008.0.i586.rpm c6dbc8d2bd9e89daf50df8c53306c552 2008.0/i586/postgresql8.2-test-8.2.14-0.1mdv2008.0.i586.rpm 9e2d3a8100029961f2d48631b69e389b 2008.0/i586/postgresql-devel-8.2.14-0.1mdv2008.0.i586.rpm 169fe8a23affe4f6c32e503655e628ec 2008.0/SRPMS/postgresql8.2-8.2.14-0.1mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: 3617079ee527bd87a16d2bfdf1a525f4 2008.0/x86_64/lib64ecpg5-8.2.14-0.1mdv2008.0.x86_64.rpm 8f3868b40025a5d2ccaf6adfaba893c5 2008.0/x86_64/lib64ecpg-devel-8.2.14-0.1mdv2008.0.x86_64.rpm 85acc8c26019a0d0c64e5ce9a3eda592 2008.0/x86_64/lib64pq5-8.2.14-0.1mdv2008.0.x86_64.rpm 377613037ed6ded2ce9ca0007c923021 2008.0/x86_64/lib64pq-devel-8.2.14-0.1mdv2008.0.x86_64.rpm c027b9b132e0a656fa4a71b0bc9fde09 2008.0/x86_64/postgresql-8.2.14-0.1mdv2008.0.x86_64.rpm bc47a41f53cd99caad122d273984b867 2008.0/x86_64/postgresql8.2-8.2.14-0.1mdv2008.0.x86_64.rpm 3121292bc31043d7dcb3741569287e3a 2008.0/x86_64/postgresql8.2-contrib-8.2.14-0.1mdv2008.0.x86_64.rpm 0a90bd386286aab79ee109cb1a939ed9 2008.0/x86_64/postgresql8.2-devel-8.2.14-0.1mdv2008.0.x86_64.rpm c6a926f25f2829b5600269f4389db041 2008.0/x86_64/postgresql8.2-docs-8.2.14-0.1mdv2008.0.x86_64.rpm 7793e59a09073e79e694019dd8c52d94 2008.0/x86_64/postgresql8.2-pl-8.2.14-0.1mdv2008.0.x86_64.rpm a4b52cfd8044f8539af51ed9b437c224 2008.0/x86_64/postgresql8.2-plperl-8.2.14-0.1mdv2008.0.x86_64.rpm b93075904d8a93824b9d9399764e5cd6 2008.0/x86_64/postgresql8.2-plpgsql-8.2.14-0.1mdv2008.0.x86_64.rpm ed1710b7151eaabdf5b3a50821a36a69 2008.0/x86_64/postgresql8.2-plpython-8.2.14-0.1mdv2008.0.x86_64.rpm 177f45106d6d4c37589adfb530a58952 2008.0/x86_64/postgresql8.2-pltcl-8.2.14-0.1mdv2008.0.x86_64.rpm 643e2a7589151441ba1ed6e77b503654 2008.0/x86_64/postgresql8.2-server-8.2.14-0.1mdv2008.0.x86_64.rpm cae199802e9634b3a4df94a8f7222376 2008.0/x86_64/postgresql8.2-test-8.2.14-0.1mdv2008.0.x86_64.rpm 436e154d88a7ba97575b9614506f9fee 2008.0/x86_64/postgresql-devel-8.2.14-0.1mdv2008.0.x86_64.rpm 169fe8a23affe4f6c32e503655e628ec 2008.0/SRPMS/postgresql8.2-8.2.14-0.1mdv2008.0.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFLHj5GmqjQ0CJFipgRAuYZAKDWgA8C/TBq4QdnflpEz1wOhfdb8QCg3GpO aNp5EUBLnzsVel0r71Hxfsw= =LQGp -----END PGP SIGNATURE-----