Several vulnerabilities have been discovered in PostgreSQL, a database
server. The Common Vulnerabilities and Exposures project identifies
the following problems:
It was discovered that PostgreSQL did not properly verify the Common
Name attribute in X.509 certificates, enabling attackers to bypass the
(optional) TLS protection on client-server connections, by relying on
a certificate from a trusted CA which contains an embedded NUL byte in
the Common Name (CVE-2009-4034).
Authenticated database users could elevate their privileges by
creating specially-crafted index functions (CVE-2009-4136).
The following matrix shows fixed source package versions for the
respective distributions.
oldstable/etch | stable/lenny | testing/unstable | |
---|---|---|---|
postgresql-7.4 | 7.4.27-0etch1 | ||
postgresql-8.1 | 8.1.19-0etch1 | ||
postgresql-8.3 | 8.3.9-0lenny1 | 8.3.9-1 | |
postgresql-8.4 | 8.4.2-1 |
In addition to these security fixes, the updates contain reliability
improvements and fix other defects.
We recommend that you upgrade your PostgreSQL packages.