Lucene search

K
debianDebianDEBIAN:B5085A549A7B65D94C753C4F5D1D7A86:CDF1F
HistoryMay 25, 2010 - 11:24 a.m.

[Backports-security-announce] Security Update for postgresql-8.4

2010-05-2511:24:49
lists.debian.org
24

CVSS2

8.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

EPSS

0.006

Percentile

78.2%

Gerfried Fuchs uploaded new packages for postgresql-8.4 which fixed the
following security problems:

CVE-2010-1169

PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21,
8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta
before 9.0 Beta 2 does not properly restrict PL/perl procedures, which
allows remote authenticated users, with database-creation privileges,
to execute arbitrary Perl code via a crafted script, related to the
Safe module (aka Safe.pm) for Perl.

CVE-2010-1170

The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before
8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4
before 8.4.4, and 9.0 Beta before 9.0 Beta 2 loads Tcl code from the
pltcl_modules table regardless of the table's ownership and
permissions, which allows remote authenticated users, with
database-creation privileges, to execute arbitrary Tcl code by
creating this table and inserting a crafted Tcl script.

CVE-2010-1975

PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21,
8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not
properly check privileges during certain RESET ALL operations, which
allows remote authenticated users to remove arbitrary parameter
settings via a (1) ALTER USER or (2) ALTER DATABASE statement.

For the lenny-backports distribution the problems have been fixed in
version 8.4.4-1~bpo50+1.

For the squeeze and sid distributions the problems have been fixed in
version 8.4.4-1.

Upgrade instructions

If you don't use pinning (see [1]) you have to update the packages
manually via "apt-get -t lenny-backports install <packagelist>" with the
packagelist of your installed packages affected by this update.
[1] <http://backports.org/dokuwiki/doku.php?id=instructions&gt;

We recommend to pin the backports repository to 200 so that new versions
of installed backports will be installed automatically:

Package: *
Pin: release a=lenny-backports
Pin-Priority: 200

Attachment:
signature.asc
Description: Digital signature

CVSS2

8.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

EPSS

0.006

Percentile

78.2%