[SECURITY] [DSA 2491-1] postgresql-8.4 security update

2012-06-0911:57:54

lists.debian.org

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

0.012 Low

EPSS

Percentile

85.0%

JSON

Debian Security Advisory DSA-2491-1 [email protected]
http://www.debian.org/security/ Florian Weimer
June 09, 2012 http://www.debian.org/security/faq

Package : postgresql-8.4
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-2143 CVE-2012-2655

Two vulnerabilities were discovered in PostgreSQL, an SQL database
server:

CVE-2012-2143
The crypt(text, text) function in the pgcrypto contrib module
did not handle certain passwords correctly, ignoring
characters after the first character which does not fall into
the ASCII range.

CVE-2012-2655
SECURITY DEFINER and SET attributes for a call handler of a
procedural language could crash the database server.

In addition, this update contains reliability and stability fixes from
the 8.4.12 upstream release.

For the stable distribution (squeeze), this problem has been fixed in
version 8.4.12-0squeeze1.

For the unstable distribution (sid), this problem has been fixed in
version 8.4.12-1.

We recommend that you upgrade your postgresql-8.4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian6kfreebsd-i386postgresql-8.4< 8.4.12-0squeeze1postgresql-8.4_8.4.12-0squeeze1_kfreebsd-i386.deb
Debian6i386libecpg-dev< 8.4.12-0squeeze1libecpg-dev_8.4.12-0squeeze1_i386.deb
Debian6kfreebsd-amd64libecpg-compat3< 8.4.12-0squeeze1libecpg-compat3_8.4.12-0squeeze1_kfreebsd-amd64.deb
Debian6kfreebsd-i386libpq5< 8.4.12-0squeeze1libpq5_8.4.12-0squeeze1_kfreebsd-i386.deb
Debian6armelpostgresql-client-8.4< 8.4.12-0squeeze1postgresql-client-8.4_8.4.12-0squeeze1_armel.deb
Debian6kfreebsd-i386libecpg-compat3< 8.4.12-0squeeze1libecpg-compat3_8.4.12-0squeeze1_kfreebsd-i386.deb
Debian6kfreebsd-amd64postgresql-client-8.4< 8.4.12-0squeeze1postgresql-client-8.4_8.4.12-0squeeze1_kfreebsd-amd64.deb
Debian6s390postgresql-client-8.4< 8.4.12-0squeeze1postgresql-client-8.4_8.4.12-0squeeze1_s390.deb
Debian6mipspostgresql-plpython-8.4< 8.4.12-0squeeze1postgresql-plpython-8.4_8.4.12-0squeeze1_mips.deb
Debian6kfreebsd-amd64libpq-dev< 8.4.12-0squeeze1libpq-dev_8.4.12-0squeeze1_kfreebsd-amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	kfreebsd-i386	postgresql-8.4	< 8.4.12-0squeeze1	postgresql-8.4_8.4.12-0squeeze1_kfreebsd-i386.deb
Debian	6	i386	libecpg-dev	< 8.4.12-0squeeze1	libecpg-dev_8.4.12-0squeeze1_i386.deb
Debian	6	kfreebsd-amd64	libecpg-compat3	< 8.4.12-0squeeze1	libecpg-compat3_8.4.12-0squeeze1_kfreebsd-amd64.deb
Debian	6	kfreebsd-i386	libpq5	< 8.4.12-0squeeze1	libpq5_8.4.12-0squeeze1_kfreebsd-i386.deb
Debian	6	armel	postgresql-client-8.4	< 8.4.12-0squeeze1	postgresql-client-8.4_8.4.12-0squeeze1_armel.deb
Debian	6	kfreebsd-i386	libecpg-compat3	< 8.4.12-0squeeze1	libecpg-compat3_8.4.12-0squeeze1_kfreebsd-i386.deb
Debian	6	kfreebsd-amd64	postgresql-client-8.4	< 8.4.12-0squeeze1	postgresql-client-8.4_8.4.12-0squeeze1_kfreebsd-amd64.deb
Debian	6	s390	postgresql-client-8.4	< 8.4.12-0squeeze1	postgresql-client-8.4_8.4.12-0squeeze1_s390.deb
Debian	6	mips	postgresql-plpython-8.4	< 8.4.12-0squeeze1	postgresql-plpython-8.4_8.4.12-0squeeze1_mips.deb
Debian	6	kfreebsd-amd64	libpq-dev	< 8.4.12-0squeeze1	libpq-dev_8.4.12-0squeeze1_kfreebsd-amd64.deb