[Security Announce] [ MDKSA-2007:037 ] - Updated postgresql packages address multiple vulnerabilities
Posted on: 02/07/2007 05:20 AM

The Mandriva Security Team published a new security update for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:037
http://www.mandriva.com/security/
_______________________________________________________________________

Package : postgresql
Date : February 6, 2007
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________

Problem Description:

Jeff Trout discovered that the PostgreSQL server did not sufficiently
check data types of SQL function arguments in some cases. A user could
then exploit this to crash the database server or read out arbitrary
locations of the server's memory, which could be used to retrieve
database contents that the user should not be able to see. Note that a
user must be authenticated in order to exploit this (CVE-2007-0555).

As well, Jeff Trout also discovered that the query planner did not
verify that a table was still compatible with a previously-generated
query plan, which could be exploted to read out arbitrary locations of
the server's memory by using ALTER COLUMN TYPE during query execution.
Again, a user must be authenticated in order to exploit this
(CVE-2007-0556).

Updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0556
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2006.0:
e60813d14a97195111e2f441c035c0a4 2006.0/i586/libecpg5-8.0.11-0.1.20060mdk.i586.rpm
98471eae4a56f506629b7b78858df05b 2006.0/i586/libecpg5-devel-8.0.11-0.1.20060mdk.i586.rpm
649d620612706f772506250aa074f105 2006.0/i586/libpq4-8.0.11-0.1.20060mdk.i586.rpm
33be3c14364154f423ef63d1bbef52ed 2006.0/i586/libpq4-devel-8.0.11-0.1.20060mdk.i586.rpm
4c9ed409c90110a0b22d6faf3a3c0fcd 2006.0/i586/postgresql-8.0.11-0.1.20060mdk.i586.rpm
072d1dc81f3a430c76b0a2e2c9f2b9bc 2006.0/i586/postgresql-contrib-8.0.11-0.1.20060mdk.i586.rpm
ecc54ed5ec7bdab8fdbfc19eff109703 2006.0/i586/postgresql-devel-8.0.11-0.1.20060mdk.i586.rpm
c46c90969f5322c37ecb58fce0aadaac 2006.0/i586/postgresql-docs-8.0.11-0.1.20060mdk.i586.rpm
e788e7e5036e49ff126ef0dd1264f72c 2006.0/i586/postgresql-jdbc-8.0.11-0.1.20060mdk.i586.rpm
da908fc8bea59bdab1ec5bd75bc71aa3 2006.0/i586/postgresql-pl-8.0.11-0.1.20060mdk.i586.rpm
3689716149fd60406f71ce6371c4994a 2006.0/i586/postgresql-plperl-8.0.11-0.1.20060mdk.i586.rpm
cd28d3b208ad2fd90ccb0ee7b26acd73 2006.0/i586/postgresql-plpgsql-8.0.11-0.1.20060mdk.i586.rpm
85fe6864b2ab743023a0b3f9ef055dba 2006.0/i586/postgresql-plpython-8.0.11-0.1.20060mdk.i586.rpm
b09b01ee09433cb2276694c1a7769a58 2006.0/i586/postgresql-pltcl-8.0.11-0.1.20060mdk.i586.rpm
3ee91ea236e04f2a911ad69868bf3f29 2006.0/i586/postgresql-server-8.0.11-0.1.20060mdk.i586.rpm
d5d9d33f248cadef71bff48dd1f7c81a 2006.0/i586/postgresql-test-8.0.11-0.1.20060mdk.i586.rpm
2f456c000cba2ac5f98ab05bb1c8b400 2006.0/SRPMS/postgresql-8.0.11-0.1.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
04e172cf72fef2efc12d43d4906f2408 2006.0/x86_64/lib64ecpg5-8.0.11-0.1.20060mdk.x86_64.rpm
623fed2a8d785d71658705abd7d5d1f4 2006.0/x86_64/lib64ecpg5-devel-8.0.11-0.1.20060mdk.x86_64.rpm
ad035cd1c9c11346a683febb2cc56783 2006.0/x86_64/lib64pq4-8.0.11-0.1.20060mdk.x86_64.rpm
3762497183d1b702f6f4f9683e871c88 2006.0/x86_64/lib64pq4-devel-8.0.11-0.1.20060mdk.x86_64.rpm
ab263a98ce0b7179bfb834889c9facb0 2006.0/x86_64/postgresql-8.0.11-0.1.20060mdk.x86_64.rpm
af4b6e09c92f53d6541390c04e922f4d 2006.0/x86_64/postgresql-contrib-8.0.11-0.1.20060mdk.x86_64.rpm
9f2a34e6162f77dddcc185552e9cb619 2006.0/x86_64/postgresql-devel-8.0.11-0.1.20060mdk.x86_64.rpm
8ce393a46d3eff9c5ea7d632d139c8e2 2006.0/x86_64/postgresql-docs-8.0.11-0.1.20060mdk.x86_64.rpm
eee613b2b2df9565bc34dd70b4f4af3e 2006.0/x86_64/postgresql-jdbc-8.0.11-0.1.20060mdk.x86_64.rpm
6fbf3a35951d64936597a16e6aef59c5 2006.0/x86_64/postgresql-pl-8.0.11-0.1.20060mdk.x86_64.rpm
610fc142482dc119816bc37edbd16427 2006.0/x86_64/postgresql-plperl-8.0.11-0.1.20060mdk.x86_64.rpm
e63db598dd5c07c9abe67834c242cec4 2006.0/x86_64/postgresql-plpgsql-8.0.11-0.1.20060mdk.x86_64.rpm
f1398990db7f8fc80f31938c69f64153 2006.0/x86_64/postgresql-plpython-8.0.11-0.1.20060mdk.x86_64.rpm
612afa01e019d0da5b3fdd7e9c5579f0 2006.0/x86_64/postgresql-pltcl-8.0.11-0.1.20060mdk.x86_64.rpm
730a1ce6785ca112c63ee6367999e491 2006.0/x86_64/postgresql-server-8.0.11-0.1.20060mdk.x86_64.rpm
dd5931e07b71f7d39147061bef39d177 2006.0/x86_64/postgresql-test-8.0.11-0.1.20060mdk.x86_64.rpm
2f456c000cba2ac5f98ab05bb1c8b400 2006.0/SRPMS/postgresql-8.0.11-0.1.20060mdk.src.rpm

Mandriva Linux 2007.0:
d077be222aa54f1bf37f55a2b426a487 2007.0/i586/libecpg5-8.1.7-1.1mdv2007.0.i586.rpm
39c5c0d8ccfe2b16e04c71f63ca676dd 2007.0/i586/libecpg5-devel-8.1.7-1.1mdv2007.0.i586.rpm
b5509203ec7f9ef453341117305dcdb9 2007.0/i586/libpq4-8.1.7-1.1mdv2007.0.i586.rpm
1c9a4e7f08038413cc0f4ec7885a42a7 2007.0/i586/libpq4-devel-8.1.7-1.1mdv2007.0.i586.rpm
2dc5c3369f280892ce430f4cd64281ab 2007.0/i586/postgresql-8.1.7-1.1mdv2007.0.i586.rpm
7f32f50497435ec064c3aec25551a0af 2007.0/i586/postgresql-contrib-8.1.7-1.1mdv2007.0.i586.rpm
f5f3ac5638eea527abb3f945585cece7 2007.0/i586/postgresql-devel-8.1.7-1.1mdv2007.0.i586.rpm
3ab61d16063667f699326a6604303b50 2007.0/i586/postgresql-docs-8.1.7-1.1mdv2007.0.i586.rpm
dbc683ac58c893ffef301545ae5091ea 2007.0/i586/postgresql-pl-8.1.7-1.1mdv2007.0.i586.rpm
c34d1891abe81af46de910bd9d8c7a2d 2007.0/i586/postgresql-plperl-8.1.7-1.1mdv2007.0.i586.rpm
520adbe4ed1a43d0aa88f89bcd3a90e2 2007.0/i586/postgresql-plpgsql-8.1.7-1.1mdv2007.0.i586.rpm
6eca2470426328ebcdf83e6bd6acaf0a 2007.0/i586/postgresql-plpython-8.1.7-1.1mdv2007.0.i586.rpm
2cad17701ab6467d6bea6b95ed39b0d2 2007.0/i586/postgresql-pltcl-8.1.7-1.1mdv2007.0.i586.rpm
5c3166ca9b13c992aa3460899291a728 2007.0/i586/postgresql-server-8.1.7-1.1mdv2007.0.i586.rpm
52dc82a5c745e1f46a76ebf32ac3e2e5 2007.0/i586/postgresql-test-8.1.7-1.1mdv2007.0.i586.rpm
b8229227cba3278c0e40a99f6ef39883 2007.0/SRPMS/postgresql-8.1.7-1.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
5315b2c35a453b577ee7847e019a846a 2007.0/x86_64/lib64ecpg5-8.1.7-1.1mdv2007.0.x86_64.rpm
2fe21dd9a0498b7001c9138cd9218159 2007.0/x86_64/lib64ecpg5-devel-8.1.7-1.1mdv2007.0.x86_64.rpm
dc4e1420d0d36ebcd56c196989fb6694 2007.0/x86_64/lib64pq4-8.1.7-1.1mdv2007.0.x86_64.rpm
e2efe03361910444fe6d684b4648876f 2007.0/x86_64/lib64pq4-devel-8.1.7-1.1mdv2007.0.x86_64.rpm
9b44f853f77f48a0088eb7943756b64e 2007.0/x86_64/postgresql-8.1.7-1.1mdv2007.0.x86_64.rpm
02a87ed9b62c4dd6206de8021755dea0 2007.0/x86_64/postgresql-contrib-8.1.7-1.1mdv2007.0.x86_64.rpm
82ade12fa019f039c989740b6484baee 2007.0/x86_64/postgresql-devel-8.1.7-1.1mdv2007.0.x86_64.rpm
d6a5eb5f86263626f4f7d94d145bb108 2007.0/x86_64/postgresql-docs-8.1.7-1.1mdv2007.0.x86_64.rpm
b7bad9fbe23450fb07c94ffa4135fed7 2007.0/x86_64/postgresql-pl-8.1.7-1.1mdv2007.0.x86_64.rpm
79a363334dba592ca80cac1017a45b1c 2007.0/x86_64/postgresql-plperl-8.1.7-1.1mdv2007.0.x86_64.rpm
38ea142b1a812fa734947a629e740151 2007.0/x86_64/postgresql-plpgsql-8.1.7-1.1mdv2007.0.x86_64.rpm
a623495f6bfc957139669a29ee13fb58 2007.0/x86_64/postgresql-plpython-8.1.7-1.1mdv2007.0.x86_64.rpm
e777974b7b49296dae095363b5448cc5 2007.0/x86_64/postgresql-pltcl-8.1.7-1.1mdv2007.0.x86_64.rpm
90e65a9ac76430df828265d6ea1d4c23 2007.0/x86_64/postgresql-server-8.1.7-1.1mdv2007.0.x86_64.rpm
eb7e03b7a74491f60bc4e4dd0ba9aff2 2007.0/x86_64/postgresql-test-8.1.7-1.1mdv2007.0.x86_64.rpm
b8229227cba3278c0e40a99f6ef39883 2007.0/SRPMS/postgresql-8.1.7-1.1mdv2007.0.src.rpm

Corporate 3.0:
25505c19ece576fefeba90b64caacfad corporate/3.0/i586/libecpg3-7.4.1-2.8.C30mdk.i586.rpm
ef8a317c21785512de3144da1c9edff0 corporate/3.0/i586/libecpg3-devel-7.4.1-2.8.C30mdk.i586.rpm
45906f492059f08e3b5e0aa2595b5888 corporate/3.0/i586/libpgtcl2-7.4.1-2.8.C30mdk.i586.rpm
c44595a37d655f17c8f97e5a2e5cc5fa corporate/3.0/i586/libpgtcl2-devel-7.4.1-2.8.C30mdk.i586.rpm
3b962bc41a1bbddfee5eef2fc554c7fb corporate/3.0/i586/libpq3-7.4.1-2.8.C30mdk.i586.rpm
d8daf6f07762ff1a041761fe13591828 corporate/3.0/i586/libpq3-devel-7.4.1-2.8.C30mdk.i586.rpm
30c7d21119850ba8d84eb169c369723c corporate/3.0/i586/postgresql-7.4.1-2.8.C30mdk.i586.rpm
a1a5653a3199fa56ce05d58a43636627 corporate/3.0/i586/postgresql-contrib-7.4.1-2.8.C30mdk.i586.rpm
aa51e081c03b40018ab21d0821c71fea corporate/3.0/i586/postgresql-devel-7.4.1-2.8.C30mdk.i586.rpm
b13e32723f494af7bf0d28e6fab484a2 corporate/3.0/i586/postgresql-docs-7.4.1-2.8.C30mdk.i586.rpm
b64b66c52913c251fd920b7c932ede54 corporate/3.0/i586/postgresql-jdbc-7.4.1-2.8.C30mdk.i586.rpm
1fa995965d510d83b49ef5adb7d0fb30 corporate/3.0/i586/postgresql-pl-7.4.1-2.8.C30mdk.i586.rpm
b76e6848ef3e48239e9fadce93d4cf1e corporate/3.0/i586/postgresql-server-7.4.1-2.8.C30mdk.i586.rpm
830a2abbba11c2a3888bb207ce1f2657 corporate/3.0/i586/postgresql-tcl-7.4.1-2.8.C30mdk.i586.rpm
6de4c509e8f30449de71ee847a72cc0b corporate/3.0/i586/postgresql-test-7.4.1-2.8.C30mdk.i586.rpm
cb9f633aa33f20592c22d808d243e7f4 corporate/3.0/SRPMS/postgresql-7.4.1-2.8.C30mdk.src.rpm

Corporate 3.0/X86_64:
b96b64db68a43bd86803a7f625d98c2e corporate/3.0/x86_64/lib64ecpg3-7.4.1-2.8.C30mdk.x86_64.rpm
37b035c411b06a3d4fbfd2479ded71cf corporate/3.0/x86_64/lib64ecpg3-devel-7.4.1-2.8.C30mdk.x86_64.rpm
37f965d055dfc9b9243a667f876b3799 corporate/3.0/x86_64/lib64pgtcl2-7.4.1-2.8.C30mdk.x86_64.rpm
b127a439b633f1af2bb6a20475185f54 corporate/3.0/x86_64/lib64pgtcl2-devel-7.4.1-2.8.C30mdk.x86_64.rpm
3b2f7f2ada985794e9489f9049b00eb8 corporate/3.0/x86_64/lib64pq3-7.4.1-2.8.C30mdk.x86_64.rpm
0cf784d8f003c5956f19446032d97e29 corporate/3.0/x86_64/lib64pq3-devel-7.4.1-2.8.C30mdk.x86_64.rpm
bcd4e668928ab31ab0333dbd1212149f corporate/3.0/x86_64/postgresql-7.4.1-2.8.C30mdk.x86_64.rpm
fee8199f9dff5f0d6a4a38e39f5b0777 corporate/3.0/x86_64/postgresql-contrib-7.4.1-2.8.C30mdk.x86_64.rpm
158768a27c1c8294e778599533d7a3c6 corporate/3.0/x86_64/postgresql-devel-7.4.1-2.8.C30mdk.x86_64.rpm
667ca4ec5ac29289c920af54a5f0cdeb corporate/3.0/x86_64/postgresql-docs-7.4.1-2.8.C30mdk.x86_64.rpm
617d2d2cba98ad6079057f9262db16db corporate/3.0/x86_64/postgresql-jdbc-7.4.1-2.8.C30mdk.x86_64.rpm
e849e37ba7648ba47b00bfeef98e2bdf corporate/3.0/x86_64/postgresql-pl-7.4.1-2.8.C30mdk.x86_64.rpm
5d834d6bb8a0736fafdde2ba4ced93a0 corporate/3.0/x86_64/postgresql-server-7.4.1-2.8.C30mdk.x86_64.rpm
9744b6d4b67486a1319605f8738de97d corporate/3.0/x86_64/postgresql-tcl-7.4.1-2.8.C30mdk.x86_64.rpm
836a7ab39147cbbde85473848756c2ea corporate/3.0/x86_64/postgresql-test-7.4.1-2.8.C30mdk.x86_64.rpm
cb9f633aa33f20592c22d808d243e7f4 corporate/3.0/SRPMS/postgresql-7.4.1-2.8.C30mdk.src.rpm

Corporate 4.0:
457ceff22a6c29fe8f7bb0b4a4cc3df5 corporate/4.0/i586/libecpg5-8.1.7-0.1.20060mlcs4.i586.rpm
2dee4d9b77250de0f5d79c9037ce4848 corporate/4.0/i586/libecpg5-devel-8.1.7-0.1.20060mlcs4.i586.rpm
4f1911b331aff03b1eedcc2967057f9f corporate/4.0/i586/libpq4-8.1.7-0.1.20060mlcs4.i586.rpm
2d5d829588b7a2ff81f6f364fb194618 corporate/4.0/i586/libpq4-devel-8.1.7-0.1.20060mlcs4.i586.rpm
3077227d7bee4836cabfc94113a39128 corporate/4.0/i586/postgresql-8.1.7-0.1.20060mlcs4.i586.rpm
a4612b1ef4e8142e9f41c4760b8df2ec corporate/4.0/i586/postgresql-contrib-8.1.7-0.1.20060mlcs4.i586.rpm
6389bd557862c884c037300230f1d31c corporate/4.0/i586/postgresql-devel-8.1.7-0.1.20060mlcs4.i586.rpm
494f2995b8596943902d78796d25c2f4 corporate/4.0/i586/postgresql-docs-8.1.7-0.1.20060mlcs4.i586.rpm
9d85c833eb5881d97934f8a40cee08a5 corporate/4.0/i586/postgresql-pl-8.1.7-0.1.20060mlcs4.i586.rpm
3faa914bb1127a5eff6fc61630e790ba corporate/4.0/i586/postgresql-plperl-8.1.7-0.1.20060mlcs4.i586.rpm
accb18c13908b0dc72ade4f40ebf2d45 corporate/4.0/i586/postgresql-plpgsql-8.1.7-0.1.20060mlcs4.i586.rpm
e11f6aeb959c6567433706a07cc353f0 corporate/4.0/i586/postgresql-plpython-8.1.7-0.1.20060mlcs4.i586.rpm
3e899419b6b6fb47a9e1820db71c15b0 corporate/4.0/i586/postgresql-pltcl-8.1.7-0.1.20060mlcs4.i586.rpm
875f0e29feb28ba52b70d73979c3d429 corporate/4.0/i586/postgresql-server-8.1.7-0.1.20060mlcs4.i586.rpm
0fe3ea03a120de6624f186bf5cac455c corporate/4.0/i586/postgresql-test-8.1.7-0.1.20060mlcs4.i586.rpm
fbb03a99b9795af2ebb6dde46545326d corporate/4.0/SRPMS/postgresql-8.1.7-0.1.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
626c0bfcc24162f9f29081ba1c605d13 corporate/4.0/x86_64/lib64ecpg5-8.1.7-0.1.20060mlcs4.x86_64.rpm
32e767d1264b2d6fbfaf659f0f98d02e corporate/4.0/x86_64/lib64ecpg5-devel-8.1.7-0.1.20060mlcs4.x86_64.rpm
3ae4b9b8ad30f358d486cbaa3c6d489d corporate/4.0/x86_64/lib64pq4-8.1.7-0.1.20060mlcs4.x86_64.rpm
87b7ebb3f9ce5c9bd62f5738c3b0b1b6 corporate/4.0/x86_64/lib64pq4-devel-8.1.7-0.1.20060mlcs4.x86_64.rpm
f2337cb010b7e1d2f75867fb6e909a9f corporate/4.0/x86_64/postgresql-8.1.7-0.1.20060mlcs4.x86_64.rpm
428d3b26f7700141a7772e42395c8e36 corporate/4.0/x86_64/postgresql-contrib-8.1.7-0.1.20060mlcs4.x86_64.rpm
a064cf7e03d4b1d42b3b3738d5cc08bb corporate/4.0/x86_64/postgresql-devel-8.1.7-0.1.20060mlcs4.x86_64.rpm
d33e4335306ac9bc001f52365c22906c corporate/4.0/x86_64/postgresql-docs-8.1.7-0.1.20060mlcs4.x86_64.rpm
644e77f4587a6123609888e127b00c40 corporate/4.0/x86_64/postgresql-pl-8.1.7-0.1.20060mlcs4.x86_64.rpm
bffedbcd41eebb83c2752184a5eebc21 corporate/4.0/x86_64/postgresql-plperl-8.1.7-0.1.20060mlcs4.x86_64.rpm
8ab83c15fa0513cbe7c13b8b101a37c6 corporate/4.0/x86_64/postgresql-plpgsql-8.1.7-0.1.20060mlcs4.x86_64.rpm
bf7f711a4b5d444bd625829e61bd385e corporate/4.0/x86_64/postgresql-plpython-8.1.7-0.1.20060mlcs4.x86_64.rpm
d3951b5e225842f185ed14e2c381ea9f corporate/4.0/x86_64/postgresql-pltcl-8.1.7-0.1.20060mlcs4.x86_64.rpm
3ba6e069c883bb138a4eb0d1ece4c31f corporate/4.0/x86_64/postgresql-server-8.1.7-0.1.20060mlcs4.x86_64.rpm
de212c2885533ddd6d011589e5701a2b corporate/4.0/x86_64/postgresql-test-8.1.7-0.1.20060mlcs4.x86_64.rpm
fbb03a99b9795af2ebb6dde46545326d corporate/4.0/SRPMS/postgresql-8.1.7-0.1.20060mlcs4.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFyQtymqjQ0CJFipgRArj0AJ93UmcMvGbxGYJC74oHjDstlglNcgCfUZEZ
eQGB1z/8sIjXz75tMhDhLSc=
=ZLG5
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2007037__updated_postgresql_packages_address_multiple_vulnerabilities.html)