postgresql-8.1 - several

Several local vulnerabilities have been discovered in PostgreSQL, an
object-relational SQL database. The Common Vulnerabilities and Exposures
project identifies the following problems:

• CVE-2007-3278

It was discovered that the DBLink module performed insufficient
credential validation. This issue is also tracked as CVE-2007-6601,
since the initial upstream fix was incomplete.

• CVE-2007-4769

Tavis Ormandy and Will Drewry discovered that a bug in the handling
of back-references inside the regular expressions engine could lead
to an out of bounds read, resulting in a crash. This constitutes only
a security problem if an application using PostgreSQL processes
regular expressions from untrusted sources.

• CVE-2007-4772

Tavis Ormandy and Will Drewry discovered that the optimizer for regular
expression could be tricked into an infinite loop, resulting in denial
of service. This constitutes only a security problem if an application
using PostgreSQL processes regular expressions from untrusted sources.

• CVE-2007-6067

Tavis Ormandy and Will Drewry discovered that the optimizer for regular
expression could be tricked massive resource consumption. This
constitutes only a security problem if an application using PostgreSQL
processes regular expressions from untrusted sources.

• CVE-2007-6600

Functions in index expressions could lead to privilege escalation. For
a more in depth explanation please see the upstream announce available
at <http://www.postgresql.org/about/news.905&gt;.

The old stable distribution (sarge), doesn’t contain postgresql-8.1.

For the stable distribution (etch), these problems have been fixed in version
postgresql-8.1 8.1.11-0etch1.

For the unstable distribution (sid), these problems have been fixed in
version 8.2.6-1 of postgresql-8.2.

We recommend that you upgrade your postgresql-8.1 (8.1.11-0etch1) package.