Security Information / 2011 / Security Information -- DSA-2157-1 postgresql-8.3, postgresql-8.4, postgresql-9.0

Debian Security Advisory

DSA-2157-1 postgresql-8.3, postgresql-8.4, postgresql-9.0 -- buffer overflow

Date Reported:

03 Feb 2011

Affected Packages:

postgresql-8.3
postgresql-8.4
postgresql-9.0

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2010-4015.

More information:

It was discovered that PostgreSQL's intarray contrib module does not properly handle integers with a large number of digits, leading to a server crash and potentially arbitrary code execution.

For the stable distribution (lenny), this problem has been fixed in version 8.3.14-0lenny1 of the postgresql-8.3 package.

For the testing distribution (squeeze), this problem has been fixed in version 8.4.7-0squeeze1 of the postgresql-8.4 package.

For the unstable distribution (sid), this problem has been fixed in version 8.4.7-1 of the postgresql-8.4 package and version 9.0.3-1 of the postgresql-9.0 package.

The updates also include reliability improvements; for details see the respective changelogs.

We recommend that you upgrade your PostgreSQL packages.