[SECURITY] [DSA 2418-1] postgresql-8.4 security update

2012-02-2717:43:53

lists.debian.org

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.009 Low

EPSS

Percentile

82.9%

JSON

Debian Security Advisory DSA-2418-1 [email protected]
http://www.debian.org/security/ Moritz Muehlenhoff
February 27, 2012 http://www.debian.org/security/faq

Package : postgresql-8.4
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-0866 CVE-2012-0867 CVE-2012-0868

Several local vulnerabilities have been discovered in PostgreSQL, an
object-relational SQL database. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2012-0866

It was discovered that the permissions of a function called by a
trigger are not checked. This could result in privilege escalation.

CVE-2012-0867

It was discovered that only the first 32 characters of a host name
are checked when validating host names through SSL certificates.
This could result in spoofing the connection in limited
circumstances.

CVE-2012-0868

It was discovered that pg_dump did not sanitise object names.
This could result in arbitrary SQL command execution if a
malformed dump file is opened.

For the stable distribution (squeeze), this problem has been fixed in
version 8.4.11-0squeeze1.

For the unstable distribution (sid), this problem has been fixed in
version 8.4.11-1.

We recommend that you upgrade your postgresql-8.4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian6kfreebsd-i386postgresql-plpython-8.4< 8.4.11-0squeeze1postgresql-plpython-8.4_8.4.11-0squeeze1_kfreebsd-i386.deb
Debian6powerpcpostgresql-8.4< 8.4.11-0squeeze1postgresql-8.4_8.4.11-0squeeze1_powerpc.deb
Debian6mipsellibpq5< 8.4.11-0squeeze1libpq5_8.4.11-0squeeze1_mipsel.deb
Debian6armellibpgtypes3< 8.4.11-0squeeze1libpgtypes3_8.4.11-0squeeze1_armel.deb
Debian6amd64postgresql-contrib-8.4< 8.4.11-0squeeze1postgresql-contrib-8.4_8.4.11-0squeeze1_amd64.deb
Debian6kfreebsd-i386postgresql-8.4< 8.4.11-0squeeze1postgresql-8.4_8.4.11-0squeeze1_kfreebsd-i386.deb
Debian6ia64postgresql-pltcl-8.4< 8.4.11-0squeeze1postgresql-pltcl-8.4_8.4.11-0squeeze1_ia64.deb
Debian6mipsellibpgtypes3< 8.4.11-0squeeze1libpgtypes3_8.4.11-0squeeze1_mipsel.deb
Debian6powerpcpostgresql-server-dev-8.4< 8.4.11-0squeeze1postgresql-server-dev-8.4_8.4.11-0squeeze1_powerpc.deb
Debian6armelpostgresql-8.4< 8.4.11-0squeeze1postgresql-8.4_8.4.11-0squeeze1_armel.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	kfreebsd-i386	postgresql-plpython-8.4	< 8.4.11-0squeeze1	postgresql-plpython-8.4_8.4.11-0squeeze1_kfreebsd-i386.deb
Debian	6	powerpc	postgresql-8.4	< 8.4.11-0squeeze1	postgresql-8.4_8.4.11-0squeeze1_powerpc.deb
Debian	6	mipsel	libpq5	< 8.4.11-0squeeze1	libpq5_8.4.11-0squeeze1_mipsel.deb
Debian	6	armel	libpgtypes3	< 8.4.11-0squeeze1	libpgtypes3_8.4.11-0squeeze1_armel.deb
Debian	6	amd64	postgresql-contrib-8.4	< 8.4.11-0squeeze1	postgresql-contrib-8.4_8.4.11-0squeeze1_amd64.deb
Debian	6	kfreebsd-i386	postgresql-8.4	< 8.4.11-0squeeze1	postgresql-8.4_8.4.11-0squeeze1_kfreebsd-i386.deb
Debian	6	ia64	postgresql-pltcl-8.4	< 8.4.11-0squeeze1	postgresql-pltcl-8.4_8.4.11-0squeeze1_ia64.deb
Debian	6	mipsel	libpgtypes3	< 8.4.11-0squeeze1	libpgtypes3_8.4.11-0squeeze1_mipsel.deb
Debian	6	powerpc	postgresql-server-dev-8.4	< 8.4.11-0squeeze1	postgresql-server-dev-8.4_8.4.11-0squeeze1_powerpc.deb
Debian	6	armel	postgresql-8.4	< 8.4.11-0squeeze1	postgresql-8.4_8.4.11-0squeeze1_armel.deb