[Technik] [SECURITY] [DSA 1463-1] New postgresql-7.4 packages fix several vulnerabilities

Noèl Köthe noel at debian.org
Wed Jan 16 13:59:18 CET 2008 

Am Montag, den 14.01.2008, 19:51 +0100 schrieb Moritz Muehlenhoff:

> Debian Security Advisory DSA-1463-1                  security at debian.org
> http://www.debian.org/security/                       Moritz Muehlenhoff
> January 14, 2008                      http://www.debian.org/security/faq
> 
> Package        : postgresql-7.4
> Vulnerability  : several
> Problem type   : local
> Debian-specific: no
> CVE Id(s)      : CVE-2007-3278 CVE-2007-4769 CVE-2007-4772 CVE-2007-6067 CVE-2007-6600 CVE-2007-6601

postgresql-7.4 auf h01, h02, h03, h04, h51 und cupa aktualisiert.

> For the stable distribution (etch), these problems have been fixed in
> version 7.4.19-0etch1.

postgresql-7.4 (1:7.4.19-0etch1) stable-security; urgency=low

  * New upstream bugfix release 7.4.18:
    - Require non-superusers who use "/contrib/dblink" to use only
      password authentication, as a security measure.
      [CVE-2007-3278, CVE-2007-3280]
    - Make "CREATE DOMAIN ... DEFAULT NULL" work properly.
    - Fix excessive logging of SSL error messages.
    - Fix crash when log_min_error_statement logging runs out of memory.
    - Prevent "CLUSTER" from failing due to attempting to process
      temporary tables of other sessions.
  * New upstream security/bugfix release 7.4.19:
    - Prevent functions in indexes from executing with the privileges of
      the user running "VACUUM", "ANALYZE", etc. "SET ROLE" is now forbidden
      within a SECURITY DEFINER context. [CVE-2007-6600]
    - Suitably crafted regular-expression patterns could cause crashes,
      infinite or near-infinite looping, and/or massive memory
      consumption, all of which pose denial-of-service hazards for
      applications that accept regex search patterns from untrustworthy
      sources. [CVE-2007-4769, CVE-2007-4772, CVE-2007-6067]
    - Require non-superusers who use "/contrib/dblink" to use only
      password authentication, as a security measure.
      The fix that appeared for this in 8.2.5 was incomplete, as it
      plugged the hole for only some "dblink" functions. [CVE-2007-6601,
      CVE-2007-3278]
    - Fix planner failure in some cases of WHERE false AND var IN (SELECT
      ...).
    - Fix potential crash in translate() when using a multibyte database
      encoding.
    - Fix PL/Python to not crash on long exception messages.
    - ecpg parser fixes.
    - Make "contrib/tablefunc"'s crosstab() handle NULL rowid as a
      category in its own right, rather than crashing.
    - Fix tsvector and tsquery output routines to escape backslashes
      correctly.
    - Fix crash of to_tsvector() on huge input strings.
  * debian/patches/21_krb5_check_hostname.patch: Adapt to new upstream
    release.

 -- Martin Pitt <mpitt at debian.org>  Fri, 04 Jan 2008 15:31:29 +0100

> For the old stable distribution (sarge), some of these problems have been
> fixed in version 7.4.7-6sarge6 of the postgresql package. Please note that
> the fix for CVE-2007-6600 and for the handling of regular expressions
> hasn't been backported due to the intrusiveness of the fix. We recommend
> to upgrade to the stable distribution if these vulnerabilities affect your
> setup.


-- 
Noèl Köthe <noel debian.org>
Debian GNU/Linux, www.debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Dies ist ein digital signierter Nachrichtenteil
Url : /archiv/technik/attachments/20080116/f9edd84f/attachment.pgp

More information about the Technik mailing list