SUSE Security Announcement: PostgreSQL SQL injection attacks (SUSE-SA:2006:030)
Posted on: 06/09/2006 05:12 PM

A security announcement from SUSE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

SUSE Security Announcement

Package: postgresql
Announcement ID: SUSE-SA:2006:030
Date: Fri, 09 Jun 2006 16:00:00 +0000
Affected Products: SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SUSE SLES 9
Vulnerability Type: remote code execution
Severity (1-10): 7
SUSE Default Package: no
Cross-References: CVE-2006-2313, CVE-2006-2314

Content of This Advisory:
1) Security Vulnerability Resolved:
PostgreSQL SQL injection problems due to encoding problems
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Problem Description and Brief Discussion

Two character set encoding related security problems were fixed in the
PostgreSQL database server:

CVE-2006-2313:
Akio Ishida and Yasuo Ohgaki discovered a weakness in the handling
of invalidly-encoded multibyte text data. If a client application
processed untrusted input without respecting its encoding and
applied standard string escaping techniques (such as replacing a
single quote >>'<< with >>\\'<< or >>''<<), the PostgreSQL server
could interpret the resulting string in a way that allowed an
attacker to inject arbitrary SQL commands into the resulting SQL
query. The PostgreSQL server has been modified to reject such
invalidly encoded strings now, which completely fixes the problem
for some 'safe' multibyte encodings like UTF-8.

CVE-2006-2314:
However, there are some less popular and client-only multibyte
encodings (such as SJIS, BIG5, GBK, GB18030, and UHC) which
contain valid multibyte characters that end with the byte 0x5c,
which is the representation of the backslash character >>\\<< in
ASCII. Many client libraries and applications use the non-standard,
but popular way of escaping the >>'<< character by replacing all
occurrences of it with >>\\'<<. If a client application uses one of
the affected encodings and does not interpret multibyte characters,
and an attacker supplies a specially crafted byte sequence as an
input string parameter, this escaping method would then produce a
validly-encoded character and an excess >>'<< character which would
end the string. All subsequent characters would then be interpreted
as SQL code, so the attacker could execute arbitrary SQL commands.

To fix this vulnerability end-to-end, client-side applications
must be fixed to properly interpret multibyte encodings and use
>>''<< instead of >>\\'<<. However, as a precautionary measure,
the sequence >>\\'<< is now regarded as invalid when one of the
affected client encodings is in use. If you depend on the previous
behavior, you can restore it by setting 'backslash_quote = on'
in postgresql.conf. However, please be aware that this could
render you vulnerable again.

This issue does not affect you if you only use single-byte (like
SQL_ASCII or the ISO-8859-X family) or unaffected multibyte
(like UTF-8) encodings.

Please see http://www.postgresql.org/docs/techdocs.50 for further
details.

Unfortunately we are not yet able to provide back ported patches for
the PostgreSQL included in SUSE Linux Enterprise Server 8 at this
time. We are working on a solution for this problem.

2) Solution or Work-Around

There is no known workaround, please install the update packages.

3) Special Instructions and Notes

If you are running a PostgreSQL server please make sure that it
is stopped or at least doesn't have any client connections during
the update.

If you are running or using a PostgreSQL server please carefully follow
the instructions in /usr/share/doc/packages/postgresql/SECURITY-NOTICE
to complete this security update

4) Package Location and Checksums

The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command

rpm -Fhv <file.rpm>

to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.


x86 Platform:

SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-8.1.4-1.2.i586.rpm
8fb5e2f12fb4db3b468a735be55902bc
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-contrib-8.1.4-1.2.i586.rpm
fd229189b9b93d90cf223fbe29ecf937
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-devel-8.1.4-1.2.i586.rpm
278a5823adcc686131b55cad9984f34c
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-docs-8.1.4-1.2.i586.rpm
a91427f863badb6edc03ae27b3e5f15e
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-libs-8.1.4-1.2.i586.rpm
ea7ce106f0bc482469e96e27b8e544bc
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-pl-8.1.4-1.2.i586.rpm
56a69980760509bb49de4868315d5baa
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/postgresql-server-8.1.4-1.2.i586.rpm
ed388e0c0a524559d13050eb1dfdc9c1

SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-8.0.8-0.2.i586.rpm
923404a774e7cabec9df64c62da88a27
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-contrib-8.0.8-0.2.i586.rpm
85b25723f9d67a70b04e0ce3811cc85c
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-devel-8.0.8-0.2.i586.rpm
50e5a977ed8b9120768bc5e603961f98
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-docs-8.0.8-0.2.i586.rpm
e45faf70ef7def2aade7b94ba89bd864
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-libs-8.0.8-0.2.i586.rpm
36b5719ca00eaf3cddb4c2d506d1d2fa
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-pl-8.0.8-0.2.i586.rpm
318081f3601d5f7baf872c94b104b2fc
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/postgresql-server-8.0.8-0.2.i586.rpm
05d154dcc296a9c7e956e9138a312108

SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-8.0.8-0.2.i586.rpm
a260aec2aef3ea77694a76a0201044ae
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-contrib-8.0.8-0.2.i586.rpm
37b5114bbbb78f6e80ffb1b89401e8da
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-devel-8.0.8-0.2.i586.rpm
a61d1e17cd2ccc61f6b4975520ab7e9f
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-docs-8.0.8-0.2.i586.rpm
841b0470d29b9170b18bbfbaafe41435
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-libs-8.0.8-0.2.i586.rpm
78ef824e90a62d24d6bb2deaa9b74ab9
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-pl-8.0.8-0.2.i586.rpm
733a5aa1b89477c2011910d0fa72e166
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/postgresql-server-8.0.8-0.2.i586.rpm
f688fedcc332b893e0ac9e5154d977c1

SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-7.4.13-0.2.i586.rpm
ea88d118184c182bfacb7544d48f34c6
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-contrib-7.4.13-0.2.i586.rpm
ce7b90c42fb477b97c0dbc64c147b5e0
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-devel-7.4.13-0.2.i586.rpm
1bcfeb756fe5c5d5e347a5ff4ccf84fe
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-docs-7.4.13-0.2.i586.rpm
890c3a7ced118229ec9bc640cb057800
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-libs-7.4.13-0.2.i586.rpm
b7ec99237d6fe4e8682c78f7a8bcdb63
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-pl-7.4.13-0.2.i586.rpm
96a4e10fee0a465819a07ee2e89b03e2
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postgresql-server-7.4.13-0.2.i586.rpm
5ca65525e7d340e4e98a3a59dac1cbe3

SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-7.4.13-0.4.i586.rpm
34eed42fd77148c86ec86c086a18af0d
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-contrib-7.4.13-0.4.i586.rpm
e05064dbdfba0a0a0ca43b745f2a6402
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-devel-7.4.13-0.4.i586.rpm
8ecb634c77035ccac12cee347c632f99
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-docs-7.4.13-0.4.i586.rpm
f3ac880c647474f1bee6c72fec75b550
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-libs-7.4.13-0.4.i586.rpm
92e1ed36148af0b98691296b5f20074d
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-pl-7.4.13-0.4.i586.rpm
76c494f41f4cc6d31d181c0d672b85db
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/postgresql-server-7.4.13-0.4.i586.rpm
77dddc495feae1c6b0f926b0169585af
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/i586/postgresql-libs-32bit-9.1-200605310116.i586.rpm
e1def686b4da15034ecdba05ae52d317

Power PC Platform:

SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-8.1.4-1.2.ppc.rpm
20bf4b672950391a885c39647be3fd29
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-contrib-8.1.4-1.2.ppc.rpm
a438d0c348de0e2352a24ba34f1b3efd
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-devel-8.1.4-1.2.ppc.rpm
a24d09f29f4dc635420a4cf44d01de7a
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-docs-8.1.4-1.2.ppc.rpm
733ebb4b98b47c4ae645b2a6d3f5f127
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-libs-64bit-8.1.4-1.2.ppc.rpm
2e2a884eb58f654bad8b4986f8347d63
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-libs-8.1.4-1.2.ppc.rpm
afb35a53b9dad8e2b7f193eb59265c94
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-pl-8.1.4-1.2.ppc.rpm
e26756896b6023f3b7a56edf504508e0
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/postgresql-server-8.1.4-1.2.ppc.rpm
3e7b5e34ab551a15adf87a4533f71919

SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-8.0.8-0.2.ppc.rpm
1f0d19658278ce363a02f34c8408badc
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-contrib-8.0.8-0.2.ppc.rpm
ab128f5681367e3260f28007f1eb223b
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-devel-8.0.8-0.2.ppc.rpm
4934796258b5095bde35d82dcce8400e
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-docs-8.0.8-0.2.ppc.rpm
c6ed5f891260a707ff34d2c0d6bc8dd5
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-libs-64bit-8.0.8-0.2.ppc.rpm
11eae2961bc6806c81144f980cf47c26
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-libs-8.0.8-0.2.ppc.rpm
84d1d74b1be2fa9bc3814347e48d666a
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-pl-8.0.8-0.2.ppc.rpm
7c2091e7324d055d584d18de5d016b02
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/postgresql-server-8.0.8-0.2.ppc.rpm
565f8479ac8b992cc6dee514d009c6a0

ppc64:

SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc64/postgresql-8.1.4-1.2.ppc64.rpm
eaaea2f30a115beed208a33fb7985319

SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc64/postgresql-8.0.8-0.2.ppc64.rpm
a16b451535c8a819814fc0081a6a3855

x86-64 Platform:

SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-8.1.4-1.2.x86_64.rpm
7037db2dbb3d7d251f74a383a8779ebd
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-contrib-8.1.4-1.2.x86_64.rpm
efc0a6e5c729fa83995b24ac9cb248de
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-devel-8.1.4-1.2.x86_64.rpm
dba4d4671e306ea3f610576b8e455152
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-docs-8.1.4-1.2.x86_64.rpm
ad4d0ceb06de8f4a66506ce8822752f9
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-libs-32bit-8.1.4-1.2.x86_64.rpm
4ee45efb63361bba98e6d65d07187afa
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-libs-8.1.4-1.2.x86_64.rpm
c5a016add913fdaad2b5157d705e3fe4
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-pl-8.1.4-1.2.x86_64.rpm
109a82fdb9ba89bd72323906d03ef0a8
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/postgresql-server-8.1.4-1.2.x86_64.rpm
e2100dbf6917d14f375d7860275d35e5

SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-8.0.8-0.2.x86_64.rpm
aeae0da5a394b4c24d8cda8560f18dbb
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-contrib-8.0.8-0.2.x86_64.rpm
10e6615d3c4648b9cc9d0c69e10a5e23
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-devel-8.0.8-0.2.x86_64.rpm
42fa8a74543ba2dc5983829e87f9cf03
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-docs-8.0.8-0.2.x86_64.rpm
f39ed20c68895151c7540224bfa733e5
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-libs-32bit-8.0.8-0.2.x86_64.rpm
694a1886b2d287fe91b7182d5d9a6cd2
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-libs-8.0.8-0.2.x86_64.rpm
07a3202ef0840ebd64c797570ad37959
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-pl-8.0.8-0.2.x86_64.rpm
d16750bdb4d6c7c8c9a4d770db05224f
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/postgresql-server-8.0.8-0.2.x86_64.rpm
f16b518aa08e10c7afea31b294cfc778

SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-8.0.8-0.2.x86_64.rpm
3e1d2b7a5f48312f45629ef1e2aca09e
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-contrib-8.0.8-0.2.x86_64.rpm
c93b8d25d8c1c8d3ff71330148b0bfe1
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-devel-8.0.8-0.2.x86_64.rpm
7282ec73b022c0a64df4131449ffa03e
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-docs-8.0.8-0.2.x86_64.rpm
6555bbcb2dece1509ce34689e6866089
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-libs-32bit-9.3-7.3.x86_64.rpm
b3bb611cbe68ca215f5dddad9c5427a6
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-libs-8.0.8-0.2.x86_64.rpm
01e3fa4fe1de5c07c923f86b8b6edfe1
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-pl-8.0.8-0.2.x86_64.rpm
b19f8062671374939259f1a283736622
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/postgresql-server-8.0.8-0.2.x86_64.rpm
691e3d79c8fd58acd3e754b3ac3085b1

SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-7.4.13-0.2.x86_64.rpm
e4b11cc66197cf5f186f07ee9928e66e
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-contrib-7.4.13-0.2.x86_64.rpm
c6b41d5cbf22749909f787a4618037da
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-devel-7.4.13-0.2.x86_64.rpm
1f0119c73b50f3a5da6d31e2eea35369
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-docs-7.4.13-0.2.x86_64.rpm
9a8f7959d081395e312ca02a8a7a5fc3
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-libs-32bit-9.2-200605301412.x86_64.rpm
2ddf607af4ce09f4269cbca02ec03a7d
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-libs-7.4.13-0.2.x86_64.rpm
272ef016cd23ae673b803b5767a1554c
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-pl-7.4.13-0.2.x86_64.rpm
51523699fb995488a1dbded7eb5fe2cc
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/postgresql-server-7.4.13-0.2.x86_64.rpm
897a20ab9ea122d43f89567e485ff500

SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-7.4.13-0.4.x86_64.rpm
a38b622178a32cdd06233c842327295d
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-contrib-7.4.13-0.4.x86_64.rpm
085aab7d5729e3f27dbab7fb9e420254
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-devel-7.4.13-0.4.x86_64.rpm
4691be0aa24c42eeaa50c092353bd6f4
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-docs-7.4.13-0.4.x86_64.rpm
5bc0a01514247c29c765b3c8938c795d
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-libs-7.4.13-0.4.x86_64.rpm
c12dc2877ec65c6a3f988b51157b5ab7
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-pl-7.4.13-0.4.x86_64.rpm
83fa45b8a322910a38f071e9bd0d9031
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/postgresql-server-7.4.13-0.4.x86_64.rpm
79ad3926185107da714ab3754aa889e7

Sources:

SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/postgresql-8.1.4-1.2.src.rpm
44f36fd35b82cea18e01a4fe667ad40d
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/postgresql-pl-8.1.4-1.2.nosrc.rpm
f189f8e0fca64e0e3991c7d4f928327f

SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/postgresql-8.0.8-0.2.src.rpm
361ca18474faf36146a84236618afaf2
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/postgresql-pl-8.0.8-0.2.nosrc.rpm
5a7a5a8af3c4bc930300c908413d8fe0

SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/postgresql-8.0.8-0.2.src.rpm
384b25b835cfd3990395967571ae2b05
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/postgresql-pl-8.0.8-0.2.nosrc.rpm
a1155e3cadf7907178c57fc20a3b2aa1

SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/postgresql-7.4.13-0.2.src.rpm
186111c9f577a1583725aef28da96636
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/postgresql-pl-7.4.13-0.2.nosrc.rpm
fb124cb2d1424d21035040847423e7b6

SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/postgresql-7.4.13-0.4.src.rpm
7a76decace79f6dcb7d183f461626b2e
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/postgresql-pl-7.4.13-0.4.nosrc.rpm
4739e9d6fee0bee6934be76870d4ce51
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/postgresql-7.4.13-0.4.src.rpm
7fadd3d1bed3c30759d94af7cd924800
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/postgresql-pl-7.4.13-0.4.nosrc.rpm
a357ff94aec54e5ebb08c7fd758fbdeb

Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:

SUSE SLES 9
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/da59db7f50aac32f6bd1b258f6e09652.html

______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

See SUSE Security Summary Report.
______________________________________________________________________________

6) Authenticity Verification and Additional Information

- Announcement authenticity verification:

SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.

To verify the signature of the announcement, save it as text into a file
and run the command

gpg --verify <file>

replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:

gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"

where <DATE> is replaced by the date the document was signed.

If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command

gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

- Package authenticity verification:

SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.

There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:

1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement

1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command

rpm -v --checksig <file.rpm>

to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.

This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.

2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command

md5sum <filename.rpm>

after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security@suse.de), the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.

- SUSE runs two security mailing lists to which any interested party may
subscribe:

suse-security@suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-subscribe@suse.com>.

suse-security-announce@suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<suse-security-announce-subscribe@suse.com>.

For general information or the frequently asked questions (FAQ),
send mail to <suse-security-info@suse.com> or
<suse-security-faq@suse.com>.

=====================================================================
SUSE's security contact is <security@suse.com> or <security@suse.de>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________

The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.

SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)

mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iQEVAwUBRIl/Zney5gA9JdPZAQJLuwf/Rn+cDRFVAD23X0K8Ll6zjyU8qQdOytud
sxK+awU9ncb4dVE8iEW6U6Vt8P+/HvQHroQom73StxzSK7oEFCG4Ss6kU+Ov8oCO
wm8hxEEcXf7NE29xDsY0q+pGbrM1tBXzUITaYDEN9OC5G6ltwMj6BTANkooLVl4S
I1vwG58EHDLBf8FGsNuEFOREffjtiS06dpQZX2h1OFWbSmE8QjOsUlPSPX3eaNrH
c7yEOcrp+LUOWHBGhtknCWy/OMuSbvwPGaUqggINg4/+H7SzE7gJ+3Ea4j8U1IbE
VFl6E56qEnHqQbu0uyvSHCCBG/3Glq3LjmpmQBrEOVSednG9e8haKA==
=EBgW
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/suse_security_announcement_postgresql_sql_injection_attacks_suse_sa2006030.html)