[Security Announce] [ MDKSA-2006:098 ] - Updated postgresql packages fix SQL injection vulnerabilities.
Posted on: 06/07/2006 10:12 PM

The Mandriva Security Team published a new security update for Mandriva Linux. Here is the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2006:098
http://www.mandriva.com/security/
_______________________________________________________________________

Package : postgresql
Date : June 7, 2006
Affected: 10.2, 2006.0, Corporate 3.0
_______________________________________________________________________

Problem Description:

PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13,
7.3.x before 7.3.15, and earlier versions allow context-dependent
attackers to bypass SQL injection protection methods in applications
via invalid encodings of multibyte characters, aka one variant of
"Encoding-Based SQL Injection." (CVE-2006-2313)

PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13,
7.3.x before 7.3.15, and earlier versions allow context-dependent
attackers to bypass SQL injection protection methods in applications
that use multibyte encodings that allow the "\" (backslash) byte 0x5c to
be the trailing byte of a multibyte character, such as SJIS, BIG5, GBK,
GB18030, and UHC, which cannot be handled correctly by a client that does
not understand multibyte encodings, aka a second variant of "Encoding-Based
SQL Injection." NOTE: it could be argued that this is a class of issue
related to interaction errors between the client and PostgreSQL, but a
CVE has been assigned since PostgreSQL is treating this as a preventative
measure against this class of problem. (CVE-2006-2314)

Packages have been patched or updated to correct these issues.
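The two variants above come down to two checks a client library or application can make before a string reaches the SQL lexer. The following Python is an added example, not code from Mandriva or from the PostgreSQL project: it rejects invalidly encoded input outright (the variant 1 fix, CVE-2006-2313), shows why a byte-oriented backslash escaper stops working in Shift_JIS, Big5, GBK or GB18030 once a character's trailing byte is 0x5c (variant 2, CVE-2006-2314), and instead quotes the literal on decoded characters. All function names and the constructed sample strings are this example's own; has_bare_quote models the literal rule of a server that accepts both \' and '' as an embedded quote, which is how the affected releases lexed strings.

```python
"""Encoding-aware literal quoting: the two checks behind CVE-2006-2313/2314.

Added example, not code from Mandriva or PostgreSQL. It models in pure
Python what the patched releases do: reject invalidly encoded input
(variant 1) and never escape at the byte level in a client encoding where
0x5c can be the trailing byte of a character (variant 2). All names here
are this example's own.
"""

# Encodings the advisory names as allowing a trailing 0x5c byte
# (Python codec names; UHC is cp949).
TRAILING_0X5C_ENCODINGS = ("shift_jis", "big5", "gbk", "gb18030", "cp949")


def find_char_with_trailing_0x5c(encoding: str) -> str:
    """Return a two-byte character of `encoding` whose second byte is 0x5c,
    found by searching the codec table (for Shift_JIS this turns up
    katakana SO, U+30BD, encoded 0x83 0x5c)."""
    for cp in range(0x3000, 0xA000):
        try:
            enc = chr(cp).encode(encoding)
        except UnicodeEncodeError:
            continue
        if len(enc) == 2 and enc[1] == 0x5C:
            return chr(cp)
    raise LookupError(f"{encoding}: no two-byte character ends in 0x5c")


def decode_strict(raw: bytes, encoding: str) -> str:
    """Variant 1 (CVE-2006-2313): an invalid or truncated multibyte sequence
    is an error, never something to hand on to the SQL lexer."""
    try:
        return raw.decode(encoding, errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid {encoding} sequence at byte {exc.start}") from exc


def escape_bytes_naively(raw: bytes) -> bytes:
    """A byte-oriented backslash escaper of the kind the advisory calls out:
    it does not know where character boundaries lie."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def has_bare_quote(body: str) -> bool:
    """Scan a literal body under the old server rule that both \\' and ''
    stand for an embedded quote. True if some quote would close the
    literal early, i.e. the escaping did not survive decoding."""
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2  # backslash escapes whatever character follows
            continue
        if body[i] == "'":
            if i + 1 < len(body) and body[i + 1] == "'":
                i += 2  # doubled quote: one literal quote
                continue
            return True
        i += 1
    return False


def quote_literal(raw: bytes, encoding: str) -> str:
    """Variant 2 (CVE-2006-2314): decode first, then double quotes and
    backslashes on characters, as PostgreSQL's own escaping does."""
    text = decode_strict(raw, encoding)
    return "'" + text.replace("\\", "\\\\").replace("'", "''") + "'"


def escape_bytes_encoding_aware(raw: bytes, encoding: str) -> bytes:
    """Byte-in, byte-out escaper that is safe because it goes through the
    decoded characters: the body of quote_literal() re-encoded."""
    return quote_literal(raw, encoding)[1:-1].encode(encoding)


def byte_escaper_leaks_quote(escape_fn, encoding: str) -> bool:
    """Check to run against any escaper: feed it a valid string consisting
    of a trailing-0x5c character plus a quote, then read the result the way
    the server will, in `encoding`. True means the escaper is unsafe there."""
    ch = find_char_with_trailing_0x5c(encoding)
    escaped = escape_fn((ch + "'").encode(encoding))
    return has_bare_quote(escaped.decode(encoding))


if __name__ == "__main__":
    for enc in TRAILING_0X5C_ENCODINGS:
        try:
            leaks = byte_escaper_leaks_quote(escape_bytes_naively, enc)
        except LookupError as err:  # codec table has no such character
            print(f"{enc:9s} skipped: {err}")
            continue
        print(f"{enc:9s} naive byte escaper leaks a quote: {leaks}")
    ch = find_char_with_trailing_0x5c("shift_jis")
    # Constructed input: the lead byte of that character on its own, then a
    # quote; an unpatched server would accept it and see the quote as bare.
    truncated = ch.encode("shift_jis")[:1] + b"'"
    try:
        decode_strict(truncated, "shift_jis")
    except ValueError as err:
        print("variant 1 check rejected:", err)
    print("variant 2 safe literal:",
          quote_literal((ch + "'").encode("shift_jis"), "shift_jis"))
```

The practical rule is simpler than the scanner: send strings as bind parameters, or escape with a routine that knows the connection's client_encoding (the fixed PostgreSQL releases added PQescapeStringConn to libpq for exactly this reason), and set client_encoding explicitly rather than trusting the default. byte_escaper_leaks_quote is the regression check to keep: run it against whatever escaper an application still uses, for each encoding its databases are configured with.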
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2314
_______________________________________________________________________

Updated Packages:

Mandriva Linux 10.2:
7d7748c7f83651e1a31e111d7da0ffc4 10.2/RPMS/libecpg5-8.0.8-0.1.102mdk.i586.rpm
4a0e6f957da380bdd548785a069df2fa 10.2/RPMS/libecpg5-devel-8.0.8-0.1.102mdk.i586.rpm
7b15c9cf319e0eb6c5160bd6ae2f094c 10.2/RPMS/libpq4-8.0.8-0.1.102mdk.i586.rpm
b4bc2a4cc570f460b583bedac744655e 10.2/RPMS/libpq4-devel-8.0.8-0.1.102mdk.i586.rpm
46f522cbf070062413a59783d185551e 10.2/RPMS/postgresql-8.0.8-0.1.102mdk.i586.rpm
cf6d3b66f83c08f9285f05929e44eac0 10.2/RPMS/postgresql-contrib-8.0.8-0.1.102mdk.i586.rpm
a213ae15b71714cc7471a475dff69dec 10.2/RPMS/postgresql-devel-8.0.8-0.1.102mdk.i586.rpm
a778d339105a4a51d9457cf80758d539 10.2/RPMS/postgresql-docs-8.0.8-0.1.102mdk.i586.rpm
c57042c163736aa50ca3f94acdb812b6 10.2/RPMS/postgresql-jdbc-8.0.8-0.1.102mdk.i586.rpm
0a3d055bff42d982a28c33c9785c7534 10.2/RPMS/postgresql-pl-8.0.8-0.1.102mdk.i586.rpm
c4ce05d84d96ea30f520e03052c2b9af 10.2/RPMS/postgresql-plperl-8.0.8-0.1.102mdk.i586.rpm
3fa919d2a099eb4df0b05150b7d9187c 10.2/RPMS/postgresql-plpgsql-8.0.8-0.1.102mdk.i586.rpm
557a6ecae7b745bb96117209b00f548c 10.2/RPMS/postgresql-plpython-8.0.8-0.1.102mdk.i586.rpm
dba76cc2c9e39a58924a1311ae0d2642 10.2/RPMS/postgresql-pltcl-8.0.8-0.1.102mdk.i586.rpm
7087b905bbc1c217dbb3442a6c028f0b 10.2/RPMS/postgresql-server-8.0.8-0.1.102mdk.i586.rpm
ff16fa0a010db99ce67994bc94b5536a 10.2/RPMS/postgresql-test-8.0.8-0.1.102mdk.i586.rpm
0806b379df8b7c9b955f0bd519cf213f 10.2/SRPMS/postgresql-8.0.8-0.1.102mdk.src.rpm

Mandriva Linux 10.2/X86_64:
5c49f14f6581d8be74619a342c3e2526 x86_64/10.2/RPMS/lib64ecpg5-8.0.8-0.1.102mdk.x86_64.rpm
913b509d69a4814d039d662f70af1a9f x86_64/10.2/RPMS/lib64ecpg5-devel-8.0.8-0.1.102mdk.x86_64.rpm
68939e3bea560c1152144adb9ec53c05 x86_64/10.2/RPMS/lib64pq4-8.0.8-0.1.102mdk.x86_64.rpm
5c5058a573ff735fbf55f66b36070525 x86_64/10.2/RPMS/lib64pq4-devel-8.0.8-0.1.102mdk.x86_64.rpm
870d11274b7e44c0a640254c66186e7d x86_64/10.2/RPMS/postgresql-8.0.8-0.1.102mdk.x86_64.rpm
c0b236b3758bc047c7cb89a1bf2e19cf x86_64/10.2/RPMS/postgresql-contrib-8.0.8-0.1.102mdk.x86_64.rpm
de72f56defe74e0e636b9f9f9a542dda x86_64/10.2/RPMS/postgresql-devel-8.0.8-0.1.102mdk.x86_64.rpm
2335bcdcae87d9210594d1c7e52b5719 x86_64/10.2/RPMS/postgresql-docs-8.0.8-0.1.102mdk.x86_64.rpm
d6db4aa274296935a3c52ac4250e097e x86_64/10.2/RPMS/postgresql-jdbc-8.0.8-0.1.102mdk.x86_64.rpm
7309113d835e1facf24f07600ea4e0bb x86_64/10.2/RPMS/postgresql-pl-8.0.8-0.1.102mdk.x86_64.rpm
b6c476b046c1a3c83252210f62b6fa7a x86_64/10.2/RPMS/postgresql-plperl-8.0.8-0.1.102mdk.x86_64.rpm
c79be6051bd388783c067c69cf9784e3 x86_64/10.2/RPMS/postgresql-plpgsql-8.0.8-0.1.102mdk.x86_64.rpm
33e9e0047ff25fe0b1d866bb1d2b9043 x86_64/10.2/RPMS/postgresql-plpython-8.0.8-0.1.102mdk.x86_64.rpm
13a7c2a73beea45caba038572fb77508 x86_64/10.2/RPMS/postgresql-pltcl-8.0.8-0.1.102mdk.x86_64.rpm
54f0c1c62319716d3d6d372162656c0e x86_64/10.2/RPMS/postgresql-server-8.0.8-0.1.102mdk.x86_64.rpm
8ed0ce1d8932b1d1b5e47300cf436ae5 x86_64/10.2/RPMS/postgresql-test-8.0.8-0.1.102mdk.x86_64.rpm
0806b379df8b7c9b955f0bd519cf213f x86_64/10.2/SRPMS/postgresql-8.0.8-0.1.102mdk.src.rpm

Mandriva Linux 2006.0:
2b9e406b4646a1ae6657b1bd0fafe0a3 2006.0/RPMS/libecpg5-8.0.8-0.1.20060mdk.i586.rpm
243ddb16f72e02221c2188b0d5b09594 2006.0/RPMS/libecpg5-devel-8.0.8-0.1.20060mdk.i586.rpm
10a9c8bce7c1361d2a9e1e213e628e2a 2006.0/RPMS/libpq4-8.0.8-0.1.20060mdk.i586.rpm
0ba3382f18b64288b1314fdf337c05ee 2006.0/RPMS/libpq4-devel-8.0.8-0.1.20060mdk.i586.rpm
13c88ef9b006a32ce6cccb5e6a20edcf 2006.0/RPMS/postgresql-8.0.8-0.1.20060mdk.i586.rpm
04c1e95d8a38ef41ab44d6fd1925cca3 2006.0/RPMS/postgresql-contrib-8.0.8-0.1.20060mdk.i586.rpm
e9af4ed2860766dea84f09e97f3238da 2006.0/RPMS/postgresql-devel-8.0.8-0.1.20060mdk.i586.rpm
adfdd91733e3aa04d86d25a40a101381 2006.0/RPMS/postgresql-docs-8.0.8-0.1.20060mdk.i586.rpm
b49599532eee6d806f644ca833e01217 2006.0/RPMS/postgresql-jdbc-8.0.8-0.1.20060mdk.i586.rpm
5ec0d9ce965a5cdad6456d628977c39b 2006.0/RPMS/postgresql-pl-8.0.8-0.1.20060mdk.i586.rpm
978c15526ba8a61fef212796ddc61463 2006.0/RPMS/postgresql-plperl-8.0.8-0.1.20060mdk.i586.rpm
91830da3acb37b022c4fbdb5836bf632 2006.0/RPMS/postgresql-plpgsql-8.0.8-0.1.20060mdk.i586.rpm
cc0f900c787437928f380e645d17d37c 2006.0/RPMS/postgresql-plpython-8.0.8-0.1.20060mdk.i586.rpm
3708cb949b4c8603960ed44c9b513df5 2006.0/RPMS/postgresql-pltcl-8.0.8-0.1.20060mdk.i586.rpm
696143a0a2883c8ced5437f21c5dbdf2 2006.0/RPMS/postgresql-server-8.0.8-0.1.20060mdk.i586.rpm
16d7bdc245d2ce5b1811222bf1c6e360 2006.0/RPMS/postgresql-test-8.0.8-0.1.20060mdk.i586.rpm
903a96aaa883cb62f0be8c0ba26d6b0c 2006.0/SRPMS/postgresql-8.0.8-0.1.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
3c6c8898c78e75eba130fa873f938535 x86_64/2006.0/RPMS/lib64ecpg5-8.0.8-0.1.20060mdk.x86_64.rpm
3e670208f7426f7269a861840e3f442b x86_64/2006.0/RPMS/lib64ecpg5-devel-8.0.8-0.1.20060mdk.x86_64.rpm
4b773b4fcc75c32827e0f0e0ecb77250 x86_64/2006.0/RPMS/lib64pq4-8.0.8-0.1.20060mdk.x86_64.rpm
ad28bfc29df3a742724ef29b0d1ba0fd x86_64/2006.0/RPMS/lib64pq4-devel-8.0.8-0.1.20060mdk.x86_64.rpm
538aa8c9317953b6484fd6a190f6d89c x86_64/2006.0/RPMS/postgresql-8.0.8-0.1.20060mdk.x86_64.rpm
c75a24e068fd9405ef942d9c081dcb4f x86_64/2006.0/RPMS/postgresql-contrib-8.0.8-0.1.20060mdk.x86_64.rpm
f7247dc49eb9693eaadb24aa317fd20d x86_64/2006.0/RPMS/postgresql-devel-8.0.8-0.1.20060mdk.x86_64.rpm
442188ad9654ce43eed5f4475bfcb38c x86_64/2006.0/RPMS/postgresql-docs-8.0.8-0.1.20060mdk.x86_64.rpm
936340667b8c25af2a3991361e53b83e x86_64/2006.0/RPMS/postgresql-jdbc-8.0.8-0.1.20060mdk.x86_64.rpm
e9d824016ecb58efffe335c6d26d7f18 x86_64/2006.0/RPMS/postgresql-pl-8.0.8-0.1.20060mdk.x86_64.rpm
ddb424def79f631061365d3cbe85ef09 x86_64/2006.0/RPMS/postgresql-plperl-8.0.8-0.1.20060mdk.x86_64.rpm
0b6426978856e248528b791652fe880c x86_64/2006.0/RPMS/postgresql-plpgsql-8.0.8-0.1.20060mdk.x86_64.rpm
99ef20d223d5ba314ff90eac22fa4d33 x86_64/2006.0/RPMS/postgresql-plpython-8.0.8-0.1.20060mdk.x86_64.rpm
fbce3702380d2ff8eb89e47e792142b0 x86_64/2006.0/RPMS/postgresql-pltcl-8.0.8-0.1.20060mdk.x86_64.rpm
9bceb314082b2800a710157cce5b80f9 x86_64/2006.0/RPMS/postgresql-server-8.0.8-0.1.20060mdk.x86_64.rpm
540a0e2cb80e4aada968f09633dbbcfc x86_64/2006.0/RPMS/postgresql-test-8.0.8-0.1.20060mdk.x86_64.rpm
903a96aaa883cb62f0be8c0ba26d6b0c x86_64/2006.0/SRPMS/postgresql-8.0.8-0.1.20060mdk.src.rpm

Corporate 3.0:
cd86a91e81c16b73b56e22795cc75ac1 corporate/3.0/RPMS/libecpg3-7.4.1-2.6.C30mdk.i586.rpm
81032809705e397ff92a36473cac3d46 corporate/3.0/RPMS/libecpg3-devel-7.4.1-2.6.C30mdk.i586.rpm
8ed7ddb1e22609f94619fb5ebf8f7a58 corporate/3.0/RPMS/libpgtcl2-7.4.1-2.6.C30mdk.i586.rpm
e1a85f2ebb03443f752e2ddd1c0b778d corporate/3.0/RPMS/libpgtcl2-devel-7.4.1-2.6.C30mdk.i586.rpm
b0ef1692772d939198d84cccdcfc30da corporate/3.0/RPMS/libpq3-7.4.1-2.6.C30mdk.i586.rpm
f076ba31f6a477b8be7a74f793293770 corporate/3.0/RPMS/libpq3-devel-7.4.1-2.6.C30mdk.i586.rpm
be6f85d3fd05ee59f482b90c00e79225 corporate/3.0/RPMS/postgresql-7.4.1-2.6.C30mdk.i586.rpm
f4f9b314a43f04c93ba6a456c46eec3f corporate/3.0/RPMS/postgresql-contrib-7.4.1-2.6.C30mdk.i586.rpm
cb0baf3e3b998127640e7c3573eda77b corporate/3.0/RPMS/postgresql-devel-7.4.1-2.6.C30mdk.i586.rpm
16fe11d7990e297e56ffb2f8e34eb3ff corporate/3.0/RPMS/postgresql-docs-7.4.1-2.6.C30mdk.i586.rpm
f6acadb8c1d3c3e78bb5a7d7e233b73b corporate/3.0/RPMS/postgresql-jdbc-7.4.1-2.6.C30mdk.i586.rpm
cd1088e858b39ac9c86865048e6e91dc corporate/3.0/RPMS/postgresql-pl-7.4.1-2.6.C30mdk.i586.rpm
2a2f6db2c65c6ec72a00cf22c77d25ed corporate/3.0/RPMS/postgresql-server-7.4.1-2.6.C30mdk.i586.rpm
e6dbad550a75cbdaafb882646094b18e corporate/3.0/RPMS/postgresql-tcl-7.4.1-2.6.C30mdk.i586.rpm
1d9bfb14ee7e32157364c02fdb5d39c8 corporate/3.0/RPMS/postgresql-test-7.4.1-2.6.C30mdk.i586.rpm
9e2f9744dbdd29fb5005585f8f0b9c08 corporate/3.0/SRPMS/postgresql-7.4.1-2.6.C30mdk.src.rpm

Corporate 3.0/X86_64:
d8ed626768c69eb97004d42d47322a4a x86_64/corporate/3.0/RPMS/lib64ecpg3-7.4.1-2.6.C30mdk.x86_64.rpm
19639e5f855af780586871e60365b8f1 x86_64/corporate/3.0/RPMS/lib64ecpg3-devel-7.4.1-2.6.C30mdk.x86_64.rpm
79163d1d52df819b3807445a28a4748f x86_64/corporate/3.0/RPMS/lib64pgtcl2-7.4.1-2.6.C30mdk.x86_64.rpm
b4356183d45cdb448e7e8c2195a419e6 x86_64/corporate/3.0/RPMS/lib64pgtcl2-devel-7.4.1-2.6.C30mdk.x86_64.rpm
04732f900babe887c77606063dfe78a0 x86_64/corporate/3.0/RPMS/lib64pq3-7.4.1-2.6.C30mdk.x86_64.rpm
a86004f195f5bd3d910b80bd2194b503 x86_64/corporate/3.0/RPMS/lib64pq3-devel-7.4.1-2.6.C30mdk.x86_64.rpm
da154afe1362c980ede81914ccf412be x86_64/corporate/3.0/RPMS/postgresql-7.4.1-2.6.C30mdk.x86_64.rpm
0517399d099bd7aa39c0000b5b7eaa73 x86_64/corporate/3.0/RPMS/postgresql-contrib-7.4.1-2.6.C30mdk.x86_64.rpm
094cd54dd316f12b0dc45710f5ec4e22 x86_64/corporate/3.0/RPMS/postgresql-devel-7.4.1-2.6.C30mdk.x86_64.rpm
98f90c8828ae548035cab3dc1a633aa6 x86_64/corporate/3.0/RPMS/postgresql-docs-7.4.1-2.6.C30mdk.x86_64.rpm
2434237858aec19e8e65a4c7b429df9c x86_64/corporate/3.0/RPMS/postgresql-jdbc-7.4.1-2.6.C30mdk.x86_64.rpm
4414a59d5929668161aa932ea6e74787 x86_64/corporate/3.0/RPMS/postgresql-pl-7.4.1-2.6.C30mdk.x86_64.rpm
202b10907a8c365fb9408ab31ec4b7f4 x86_64/corporate/3.0/RPMS/postgresql-server-7.4.1-2.6.C30mdk.x86_64.rpm
ef3f8cb2101ce12ef4a9d39dba3ef69d x86_64/corporate/3.0/RPMS/postgresql-tcl-7.4.1-2.6.C30mdk.x86_64.rpm
5f38e8842f16de0a78d297542f36381f x86_64/corporate/3.0/RPMS/postgresql-test-7.4.1-2.6.C30mdk.x86_64.rpm
9e2f9744dbdd29fb5005585f8f0b9c08 x86_64/corporate/3.0/SRPMS/postgresql-7.4.1-2.6.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEhwzEmqjQ0CJFipgRAlpPAKDtS/0zzX1FQ5TNZJiomg794t8PuACg5Sy/
MbetQ0f3hu2qISycixCUipE=
=t6wa
-----END PGP SIGNATURE-----

Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2006098__updated_postgresql_packages_fixes_sql_injection_vulnerabilities.html)