Säkerhetsbulletin från Debian

DSA-1460-1 postgresql-8.1 -- flera sårbarheter

Rapporterat den:
2008-01-13
Berörda paket:
postgresql-8.1
Sårbara:
Ja
Referenser i säkerhetsdatabaser:
I Mitres CVE-förteckning: CVE-2007-3278, CVE-2007-4769, CVE-2007-4772, CVE-2007-6067, CVE-2007-6600, CVE-2007-6601.
Ytterligare information:

Flera sårbarheter har upptäckts i PostgreSQL, en objektrelations-SQL-databas. Projektet Common Vulnerabilities and Exposures identifierar följande problem:

  • CVE-2007-3278

    Man har upptäckt att DBLink-modulen inte utför tillräcklig kontroll av befogenheter. Detta problem finns även spårat som CVE-2007-6601 då den inledande rättelsen från uppströms inte var tillräcklig.

  • CVE-2007-4769

    Tavis Ormandy och Will Drewry upptäckte att fel i hanteringen av bakåtreferenser i motorn för reguljära uttryck kunde leda till en läsning utanför begränsningarna, vilket ledde till en krasch. Detta är bara ett säkerhetsproblem om programmet som använder PostgreSQL hanterar reguljära uttryck från obetrodda källor.

  • CVE-2007-4772

    Tavis Ormandy och Will Drewry upptäckte att optimeraren för reguljära uttryck kunde luras in i en oändlig slinga, vilket kunde användas i en överbelastningsattack. Detta är bara ett säkerhetsproblem om programmet som använder PostgreSQL hanterar reguljära uttryck från obetrodda källor.

  • CVE-2007-6067

    Tavis Ormandy och Will Drewry upptäckte att optimeraren för reguljära uttryck kunde luras att använda stora mängder resurser. Detta är bara ett säkerhetsproblem om programmet som använder PostgreSQL hanterar reguljära uttryck från obetrodda källor.

  • CVE-2007-6600

    Funktioner i indexuttryck kunde leda till utökning av privilegier. För en mer fördjupande beskrivning, se uppströmsbulletinen på http://www.postgresql.org/about/news.905.

Den gamla stabila utgåvan (Sarge) innehåller inte postgresql-8.1.

För den stabila utgåvan (Etch) har dessa problem rättats i version postgresql-8.1 8.1.11-0etch1.

För den instabila utgåvan (Sid) har dessa problem rättats i version 8.2.6-1 av postgresql-8.2.

Vi rekommenderar att ni uppgraderar ert postgresql-8.1-paket.

Rättat i:

Debian GNU/Linux 4.0 (stable)

Källkod:
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1.diff.gz
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11.orig.tar.gz
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1.dsc
Arkitekturoberoende komponent:
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-doc-8.1_8.1.11-0etch1_all.deb
Alpha:
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_alpha.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_alpha.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_alpha.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_alpha.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_alpha.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_alpha.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_alpha.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_alpha.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_alpha.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_alpha.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_alpha.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_alpha.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_amd64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_amd64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_amd64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_amd64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_amd64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_amd64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_amd64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_amd64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_amd64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_amd64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_amd64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_amd64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_arm.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_arm.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_arm.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_arm.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_arm.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_arm.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_arm.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_arm.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_arm.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_arm.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_arm.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_arm.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_hppa.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_hppa.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_hppa.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_hppa.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_hppa.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_hppa.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_hppa.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_hppa.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_hppa.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_hppa.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_hppa.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_hppa.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_i386.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_i386.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_i386.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_i386.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_i386.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_i386.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_i386.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_i386.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_i386.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_i386.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_i386.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_i386.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_ia64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_ia64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_ia64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_ia64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_ia64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_ia64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_ia64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_ia64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_ia64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_ia64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_ia64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_ia64.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_mips.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_mips.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_mips.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_mips.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_mips.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_mips.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_mips.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_mips.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_mips.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_mips.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_mips.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_mips.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_mips.deb
PowerPC:
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_powerpc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_powerpc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_powerpc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_powerpc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_powerpc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_powerpc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_powerpc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_powerpc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_powerpc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_powerpc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_powerpc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_powerpc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_s390.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_s390.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_s390.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_s390.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_s390.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_s390.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_s390.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_s390.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_s390.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_s390.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_s390.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_s390.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_sparc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_sparc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_sparc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_sparc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_sparc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_sparc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_sparc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_sparc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_sparc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_sparc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_sparc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_sparc.deb
http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_sparc.deb

MD5-kontrollsummor för dessa filer finns i originalbulletinen.