Debian Security Advisory
DSA-1460-1 postgresql-8.1 -- several vulnerabilities
- Date Reported:
- 13 Jan 2008
- Affected Packages:
- postgresql-8.1
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2007-3278, CVE-2007-4769, CVE-2007-4772, CVE-2007-6067, CVE-2007-6600, CVE-2007-6601.
- More information:
-
Several local vulnerabilities have been discovered in PostgreSQL, an object-relational SQL database. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2007-3278
It was discovered that the DBLink module performed insufficient credential validation. This issue is also tracked as CVE-2007-6601, since the initial upstream fix was incomplete.
- CVE-2007-4769
Tavis Ormandy and Will Drewry discovered that a bug in the handling of back-references inside the regular expressions engine could lead to an out of bounds read, resulting in a crash. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources.
- CVE-2007-4772
Tavis Ormandy and Will Drewry discovered that the optimizer for regular expression could be tricked into an infinite loop, resulting in denial of service. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources.
- CVE-2007-6067
Tavis Ormandy and Will Drewry discovered that the optimizer for regular expression could be tricked massive resource consumption. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources.
- CVE-2007-6600
Functions in index expressions could lead to privilege escalation. For a more in depth explanation please see the upstream announce available at http://www.postgresql.org/about/news.905.
The old stable distribution (sarge), doesn't contain postgresql-8.1.
For the stable distribution (etch), these problems have been fixed in version postgresql-8.1 8.1.11-0etch1.
For the unstable distribution (sid), these problems have been fixed in version 8.2.6-1 of postgresql-8.2.
We recommend that you upgrade your postgresql-8.1 (8.1.11-0etch1) package.
- CVE-2007-3278
- Fixed in:
-
Debian GNU/Linux 4.0 (stable)
- Source:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1.diff.gz
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11.orig.tar.gz
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1.dsc
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-doc-8.1_8.1.11-0etch1_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_arm.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_ia64.deb
- Big-endian MIPS:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_mips.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg5_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-client-8.1_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-8.1_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq-dev_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpq4_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-dev_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libpgtypes2_8.1.11-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postgresql-8.1/libecpg-compat2_8.1.11-0etch1_sparc.deb
MD5 checksums of the listed files are available in the original advisory.