Debian Security Advisory
DSA-1460-1 postgresql-8.1 -- several vulnerabilities
- Date reported:
- 13 Jan 2008
- Affected packages:
- postgresql-8.1
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2007-3278, CVE-2007-4769, CVE-2007-4772, CVE-2007-6067, CVE-2007-6600, CVE-2007-6601.
- More information:
-
Several locally exploitable vulnerabilities have been discovered in PostgreSQL, an object-relational SQL database. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2007-3278
It was discovered that the DBLink module performed insufficient permission checks. This issue is also tracked as CVE-2007-6601, since the initial upstream fix was incomplete.
- CVE-2007-4769
Tavis Ormandy and Will Drewry discovered that a bug in the handling of back-references in the regular expression engine could lead to an out-of-bounds read, resulting in a crash. This is a security problem only if an application using PostgreSQL processes regular expressions from untrusted sources.
- CVE-2007-4772
Tavis Ormandy and Will Drewry discovered that regular expressions could be tricked into an infinite loop, resulting in denial of service. This is a security problem only if an application using PostgreSQL processes regular expressions from untrusted sources.
- CVE-2007-6067
Tavis Ormandy and Will Drewry discovered that the optimization of regular expressions could be tricked into extensive resource consumption. This is a security problem only if an application using PostgreSQL processes regular expressions from untrusted sources.
- CVE-2007-6600
Functions in index expressions could lead to privilege escalation. For a more in-depth explanation, see the upstream announcement, which is available at http://www.postgresql.org/about/news.905.
The old stable distribution (sarge) does not contain postgresql-8.1.
For the stable distribution (etch), these problems have been fixed in version 8.1.11-0etch1 of postgresql-8.1.
For the unstable distribution (sid), these problems have been fixed in version 8.2.6-1 of postgresql-8.2.
We recommend that you upgrade your postgresql-8.1 (8.1.11-0etch1) package.
- Fixed in:
-
Debian GNU/Linux 4.0 (stable)
- Source:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1.diff.gz
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11.orig.tar.gz
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1.dsc
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-doc-8.1_8.1.11-0etch1_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_arm.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_ia64.deb
- Big-endian MIPS:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_mips.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_sparc.deb
MD5 checksums of the listed files are available in the original advisory.
