[ MDKSA-2007:188 ] - Updated postgresql packages prevent access abuse using dblink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2007:188
http://www.mandriva.com/security/
_______________________________________________________________________
Package : postgresql
Date : September 25, 2007
Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0
_______________________________________________________________________
Problem Description:
PostgreSQL 8.1 and probably later and earlier versions, when local
trust authentication is enabled and the Database Link library (dblink)
is installed, allows remote attackers to access arbitrary accounts
and execute arbitrary SQL queries via a dblink host parameter that
proxies the connection from 127.0.0.1. (CVE-2007-3278)
PostgreSQL 8.1 and probably later and earlier versions, when the
PL/pgSQL (plpgsql) language has been created, grants certain plpgsql
privileges to the PUBLIC domain, which allows remote attackers
to create and execute functions, as demonstrated by functions that
perform local brute-force password guessing attacks, which may evade
intrusion detection. (CVE-2007-3279)
The Database Link library (dblink) in PostgreSQL 8.1 implements
functions via CREATE statements that map to arbitrary libraries based
on the C programming language, which allows remote authenticated
superusers to map and execute a function from any library, as
demonstrated by using the system function in libc.so.6 to gain shell
access. (CVE-2007-3280)
Updated packages fix these issues, by requiring non-superusers who
use /contrib/dblink to use only password authentication.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3279
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3280
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2007.0:
8e0e2cff4bbda7444671086bd7e0430b
2007.0/i586/libecpg5-8.1.10-0.1mdv2007.0.i586.rpm
3be5df4380e5680c3a2adc9ba74543fb
2007.0/i586/libecpg5-devel-8.1.10-0.1mdv2007.0.i586.rpm
59594d2f05d4f23a467b2bd684bc0fa3
2007.0/i586/libpq4-8.1.10-0.1mdv2007.0.i586.rpm
aba27ad1b97f86debfd63b1ae76558a9
2007.0/i586/libpq4-devel-8.1.10-0.1mdv2007.0.i586.rpm
dc4bc45a46d1b69cf13991d70d7d0c71
2007.0/i586/postgresql-8.1.10-0.1mdv2007.0.i586.rpm
7a487ba0458f09c21b941f1a76f74357
2007.0/i586/postgresql-contrib-8.1.10-0.1mdv2007.0.i586.rpm
08a4a0ba67e4c83c43931e61983348ca
2007.0/i586/postgresql-devel-8.1.10-0.1mdv2007.0.i586.rpm
1c02f6136ace73a51ea365c77f28ea6a
2007.0/i586/postgresql-docs-8.1.10-0.1mdv2007.0.i586.rpm
a13c547f110fa39ed62a843526f70e8e
2007.0/i586/postgresql-pl-8.1.10-0.1mdv2007.0.i586.rpm
305884f17ccaee34ee2ac3d2dc1c8170
2007.0/i586/postgresql-plperl-8.1.10-0.1mdv2007.0.i586.rpm
cc34a8f0e4bef8d6a0adddc54c3d8f2c
2007.0/i586/postgresql-plpgsql-8.1.10-0.1mdv2007.0.i586.rpm
43d8bf8f3613e038441551cb1662eb8d
2007.0/i586/postgresql-plpython-8.1.10-0.1mdv2007.0.i586.rpm
770b9fc3031c9b97aa0ca8d2ac669e6c
2007.0/i586/postgresql-pltcl-8.1.10-0.1mdv2007.0.i586.rpm
f5a0af71805f7c430696cbbb03ad922f
2007.0/i586/postgresql-server-8.1.10-0.1mdv2007.0.i586.rpm
1e043a882b3d9d445414dabebb96fcf4
2007.0/i586/postgresql-test-8.1.10-0.1mdv2007.0.i586.rpm
be22e5ac6dd504511798d4caa3c3f1df
2007.0/SRPMS/postgresql-8.1.10-0.1mdv2007.0.src.rpm
Mandriva Linux 2007.0/X86_64:
3dab8c951c0944e1bc3a00d4ca64d32e
2007.0/x86_64/lib64ecpg5-8.1.10-0.1mdv2007.0.x86_64.rpm
1d6c86c2593873bf9c4adc4745d3abc2
2007.0/x86_64/lib64ecpg5-devel-8.1.10-0.1mdv2007.0.x86_64.rpm
3141c891ff439c458803cd258fc4479b
2007.0/x86_64/lib64pq4-8.1.10-0.1mdv2007.0.x86_64.rpm
9a30293d6761c4b2b1f2a2e8b284f0ff
2007.0/x86_64/lib64pq4-devel-8.1.10-0.1mdv2007.0.x86_64.rpm
25006369de4abf770fc7a516a762a897
2007.0/x86_64/postgresql-8.1.10-0.1mdv2007.0.x86_64.rpm
5ce4bad8022fc65eb7d1db9d53f32551
2007.0/x86_64/postgresql-contrib-8.1.10-0.1mdv2007.0.x86_64.rpm
03a29dc13f4f556d8df0dcaa07c4766d
2007.0/x86_64/postgresql-devel-8.1.10-0.1mdv2007.0.x86_64.rpm
89ba6a9c0c747108df0209167150c02f
2007.0/x86_64/postgresql-docs-8.1.10-0.1mdv2007.0.x86_64.rpm
a723d7449913d52fca2030d0e63ca182
2007.0/x86_64/postgresql-pl-8.1.10-0.1mdv2007.0.x86_64.rpm
827c1b0092c8b86b6631d16eb30b904e
2007.0/x86_64/postgresql-plperl-8.1.10-0.1mdv2007.0.x86_64.rpm
b2c9eda89df39db40ec55d7a383b15b5
2007.0/x86_64/postgresql-plpgsql-8.1.10-0.1mdv2007.0.x86_64.rpm
25ea855473edb7ef6c9dc372957c2277
2007.0/x86_64/postgresql-plpython-8.1.10-0.1mdv2007.0.x86_64.rpm
23ae5b09b00e0b8518f1ada8163d57a0
2007.0/x86_64/postgresql-pltcl-8.1.10-0.1mdv2007.0.x86_64.rpm
464d1f64bdb2b0f16c6be7b56c71b346
2007.0/x86_64/postgresql-server-8.1.10-0.1mdv2007.0.x86_64.rpm
900cfbe6d3adac1711779b21b3dd4100
2007.0/x86_64/postgresql-test-8.1.10-0.1mdv2007.0.x86_64.rpm
be22e5ac6dd504511798d4caa3c3f1df
2007.0/SRPMS/postgresql-8.1.10-0.1mdv2007.0.src.rpm
Mandriva Linux 2007.1:
28b4b8a53e1dc0117441630c75e8c4ae
2007.1/i586/libecpg5-8.2.5-0.1mdv2007.1.i586.rpm
697b841fa6fcf2fe92e5509ed9b262a3
2007.1/i586/libecpg5-devel-8.2.5-0.1mdv2007.1.i586.rpm
5c6d7bd957121c443fe31562f9fe6261
2007.1/i586/libpq5-8.2.5-0.1mdv2007.1.i586.rpm
be14414b10e8ca06c576090cc802de26
2007.1/i586/libpq5-devel-8.2.5-0.1mdv2007.1.i586.rpm
00baebc695b0d791aacbb0fe1c08e0ad
2007.1/i586/postgresql-8.2.5-0.1mdv2007.1.i586.rpm
97c538ee913a520f429b4581013edc3e
2007.1/i586/postgresql-contrib-8.2.5-0.1mdv2007.1.i586.rpm
b9daafeed274fd9ddb1bd4fdadf03f3f
2007.1/i586/postgresql-devel-8.2.5-0.1mdv2007.1.i586.rpm
75da06b542bbea1f4278a4ba8c5f46bb
2007.1/i586/postgresql-docs-8.2.5-0.1mdv2007.1.i586.rpm
89dfcbe1690c2f4e5917b81c17205d10
2007.1/i586/postgresql-pl-8.2.5-0.1mdv2007.1.i586.rpm
72ef35d3c36a7f7850dab8f095980e44
2007.1/i586/postgresql-plperl-8.2.5-0.1mdv2007.1.i586.rpm
6b3e178ac649527dfcb3adfbbbfbe44e
2007.1/i586/postgresql-plpgsql-8.2.5-0.1mdv2007.1.i586.rpm
c6066550b12d0cd826d16ad57151d323
2007.1/i586/postgresql-plpython-8.2.5-0.1mdv2007.1.i586.rpm
cb6f37ca6ff51f09dba6f1668af9d594
2007.1/i586/postgresql-pltcl-8.2.5-0.1mdv2007.1.i586.rpm
63e6b9fe073410b34165ddf147ed6011
2007.1/i586/postgresql-server-8.2.5-0.1mdv2007.1.i586.rpm
982a89aee68c2fe2a4528f7a53443a23
2007.1/i586/postgresql-test-8.2.5-0.1mdv2007.1.i586.rpm
b8b3ac22c8f39026cfcade15cc2aea94
2007.1/SRPMS/postgresql-8.2.5-0.1mdv2007.1.src.rpm
Mandriva Linux 2007.1/X86_64:
1d5111ef660b6fb5247839ba75fc37a3
2007.1/x86_64/lib64ecpg5-8.2.5-0.1mdv2007.1.x86_64.rpm
d365d0cf979e1c2632e144ba2ff051a5
2007.1/x86_64/lib64ecpg5-devel-8.2.5-0.1mdv2007.1.x86_64.rpm
bcb2d08186934a70a8088ad7b26348ff
2007.1/x86_64/lib64pq5-8.2.5-0.1mdv2007.1.x86_64.rpm
687c54dd685832e3458f4474ba329659
2007.1/x86_64/lib64pq5-devel-8.2.5-0.1mdv2007.1.x86_64.rpm
d7ea11ad9524fdab20225117b20f2717
2007.1/x86_64/postgresql-8.2.5-0.1mdv2007.1.x86_64.rpm
1a2e68d503b6903bd2f4934ea768f055
2007.1/x86_64/postgresql-contrib-8.2.5-0.1mdv2007.1.x86_64.rpm
d877344b20f92228f8021985fa69ab21
2007.1/x86_64/postgresql-devel-8.2.5-0.1mdv2007.1.x86_64.rpm
757f20c5feecec4087bf006b8cdba0b3
2007.1/x86_64/postgresql-docs-8.2.5-0.1mdv2007.1.x86_64.rpm
59b65c9035d55e44c28ee37d6b449646
2007.1/x86_64/postgresql-pl-8.2.5-0.1mdv2007.1.x86_64.rpm
30b2a348faafbf1a1772427207cbd162
2007.1/x86_64/postgresql-plperl-8.2.5-0.1mdv2007.1.x86_64.rpm
18a270c6a3cf0c8e6135c7d1c19a2328
2007.1/x86_64/postgresql-plpgsql-8.2.5-0.1mdv2007.1.x86_64.rpm
a75d1de15ff8bb8b888d8d843a3f3f55
2007.1/x86_64/postgresql-plpython-8.2.5-0.1mdv2007.1.x86_64.rpm
9b6aaeda052fbc274de087987e8681c8
2007.1/x86_64/postgresql-pltcl-8.2.5-0.1mdv2007.1.x86_64.rpm
8ad62e7c5319a0e2c5b5079512dca7b9
2007.1/x86_64/postgresql-server-8.2.5-0.1mdv2007.1.x86_64.rpm
b5409350a8877578ab54ae4a0e7f61cd
2007.1/x86_64/postgresql-test-8.2.5-0.1mdv2007.1.x86_64.rpm
b8b3ac22c8f39026cfcade15cc2aea94
2007.1/SRPMS/postgresql-8.2.5-0.1mdv2007.1.src.rpm
Corporate 3.0:
588715bb0163718873938ff86f1d4202
corporate/3.0/i586/libecpg3-7.4.18-0.1.C30mdk.i586.rpm
928ab48c3f7617f757644bcacc034710
corporate/3.0/i586/libecpg3-devel-7.4.18-0.1.C30mdk.i586.rpm
72f7fd9f4d05c667070052446017f6bc
corporate/3.0/i586/libpgtcl2-7.4.18-0.1.C30mdk.i586.rpm
290f3c248453b5b6fd1117be7e1ab747
corporate/3.0/i586/libpgtcl2-devel-7.4.18-0.1.C30mdk.i586.rpm
aaa399732adf2e6fa080135de4fc1862
corporate/3.0/i586/libpq3-7.4.18-0.1.C30mdk.i586.rpm
fe8fbed859473f11ba528a55f58e9d46
corporate/3.0/i586/libpq3-devel-7.4.18-0.1.C30mdk.i586.rpm
5061808637e3c371f9736055af4aa037
corporate/3.0/i586/postgresql-7.4.18-0.1.C30mdk.i586.rpm
fcd466fade3f59c11c5b557280f10797
corporate/3.0/i586/postgresql-contrib-7.4.18-0.1.C30mdk.i586.rpm
ed805cb294ec49aa896fb0c74cd4c963
corporate/3.0/i586/postgresql-devel-7.4.18-0.1.C30mdk.i586.rpm
960a6ec9df468b8a4246439d81e1f83f
corporate/3.0/i586/postgresql-docs-7.4.18-0.1.C30mdk.i586.rpm
abf0aadc29a47561556e0b3989cef2ce
corporate/3.0/i586/postgresql-jdbc-7.4.18-0.1.C30mdk.i586.rpm
cb8a2fd57dd82f5ccb38cf01e75297d9
corporate/3.0/i586/postgresql-pl-7.4.18-0.1.C30mdk.i586.rpm
aa32657f105fe2a691ff96bcc4ba741e
corporate/3.0/i586/postgresql-server-7.4.18-0.1.C30mdk.i586.rpm
2fdb9a752cf31d82ebb00df0588130c6
corporate/3.0/i586/postgresql-tcl-7.4.18-0.1.C30mdk.i586.rpm
fe46f24547fa10573306933033926061
corporate/3.0/i586/postgresql-test-7.4.18-0.1.C30mdk.i586.rpm
180401c4053b1517946e5f30d58b9d4b
corporate/3.0/SRPMS/postgresql-7.4.18-0.1.C30mdk.src.rpm
Corporate 3.0/X86_64:
81c7148e224774ff1d0af00d70cbf3dd
corporate/3.0/x86_64/lib64ecpg3-7.4.18-0.1.C30mdk.x86_64.rpm
bb141143be18ef10210753b1d938056d
corporate/3.0/x86_64/lib64ecpg3-devel-7.4.18-0.1.C30mdk.x86_64.rpm
c7699ded100b384d7700c9036a89bae8
corporate/3.0/x86_64/lib64pgtcl2-7.4.18-0.1.C30mdk.x86_64.rpm
2295fb70c32eda4c04d06526a09abfd4
corporate/3.0/x86_64/lib64pgtcl2-devel-7.4.18-0.1.C30mdk.x86_64.rpm
db97ceb3194087a390ddb03c69b30c8a
corporate/3.0/x86_64/lib64pq3-7.4.18-0.1.C30mdk.x86_64.rpm
41b623e7e1a24deb6d31a03082577556
corporate/3.0/x86_64/lib64pq3-devel-7.4.18-0.1.C30mdk.x86_64.rpm
39f0e5df87ebb9539ec42cee909a8645
corporate/3.0/x86_64/postgresql-7.4.18-0.1.C30mdk.x86_64.rpm
48469cd980bbc2d29ec6eb3a45bc77bb
corporate/3.0/x86_64/postgresql-contrib-7.4.18-0.1.C30mdk.x86_64.rpm
4b2bd788cba6e39b223e0452ccefb102
corporate/3.0/x86_64/postgresql-devel-7.4.18-0.1.C30mdk.x86_64.rpm
a64df12801fc2a4bda8d7c8e5834a436
corporate/3.0/x86_64/postgresql-docs-7.4.18-0.1.C30mdk.x86_64.rpm
5922318852bd8de043ba30cd55e7fe29
corporate/3.0/x86_64/postgresql-jdbc-7.4.18-0.1.C30mdk.x86_64.rpm
832eebcd9ab3c06b9473f2d3289dc05c
corporate/3.0/x86_64/postgresql-pl-7.4.18-0.1.C30mdk.x86_64.rpm
02510d7e598d40f25dd6c610d1546027
corporate/3.0/x86_64/postgresql-server-7.4.18-0.1.C30mdk.x86_64.rpm
c9ce6d529054cd8b21a92b03dbc0896b
corporate/3.0/x86_64/postgresql-tcl-7.4.18-0.1.C30mdk.x86_64.rpm
04a0e3f49d4f91935132a20bccdffeb3
corporate/3.0/x86_64/postgresql-test-7.4.18-0.1.C30mdk.x86_64.rpm
180401c4053b1517946e5f30d58b9d4b
corporate/3.0/SRPMS/postgresql-7.4.18-0.1.C30mdk.src.rpm
Corporate 4.0:
0f2321b2bc99ed8aee6aecdb49ab33df
corporate/4.0/i586/libecpg5-8.1.10-0.1.20060mlcs4.i586.rpm
e23d1d0fa713e09f66feaf0e1ad751c0
corporate/4.0/i586/libecpg5-devel-8.1.10-0.1.20060mlcs4.i586.rpm
b8765e2b0650d2e71aec83652d2a4e7c
corporate/4.0/i586/libpq4-8.1.10-0.1.20060mlcs4.i586.rpm
8cd02f43142df2ffe865d694332ec01f
corporate/4.0/i586/libpq4-devel-8.1.10-0.1.20060mlcs4.i586.rpm
5c02374f4b80d8abfb5f03d4bc108c08
corporate/4.0/i586/postgresql-8.1.10-0.1.20060mlcs4.i586.rpm
6c51a1332a49afb9a5645255f059aca6
corporate/4.0/i586/postgresql-contrib-8.1.10-0.1.20060mlcs4.i586.rpm
72e90c47c7fda06bc9dedce429848acc
corporate/4.0/i586/postgresql-devel-8.1.10-0.1.20060mlcs4.i586.rpm
1b31a1a48b6b1fba2244517a2a789992
corporate/4.0/i586/postgresql-docs-8.1.10-0.1.20060mlcs4.i586.rpm
08425c9962e55546592c03a28fa3177b
corporate/4.0/i586/postgresql-pl-8.1.10-0.1.20060mlcs4.i586.rpm
b2888a0453e8a6d9914fb09bb2ae4c30
corporate/4.0/i586/postgresql-plperl-8.1.10-0.1.20060mlcs4.i586.rpm
7f1fa8b30628ed65bdc7e01fa287dcfd
corporate/4.0/i586/postgresql-plpgsql-8.1.10-0.1.20060mlcs4.i586.rpm
f077a91da95c35725f167dd0f9033376
corporate/4.0/i586/postgresql-plpython-8.1.10-0.1.20060mlcs4.i586.rpm
d4f4a70065a40b0e036d9adc63dfdb30
corporate/4.0/i586/postgresql-pltcl-8.1.10-0.1.20060mlcs4.i586.rpm
54cf91740d33e33e6d1a0a05212884d1
corporate/4.0/i586/postgresql-server-8.1.10-0.1.20060mlcs4.i586.rpm
1ec216cc5f3dcc15796e0b70523840c5
corporate/4.0/i586/postgresql-test-8.1.10-0.1.20060mlcs4.i586.rpm
6aa551b36336a70ce3cc58dc073a3485
corporate/4.0/SRPMS/postgresql-8.1.10-0.1.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
50e3eefd32275cf5b651417cbc4216a1
corporate/4.0/x86_64/lib64ecpg5-8.1.10-0.1.20060mlcs4.x86_64.rpm
9d795789cc60f424e39d10a9a627fab6
corporate/4.0/x86_64/lib64ecpg5-devel-8.1.10-0.1.20060mlcs4.x86_64.rpm
7bc3a22a9a1c8b179223f8f300652539
corporate/4.0/x86_64/lib64pq4-8.1.10-0.1.20060mlcs4.x86_64.rpm
b4f5279bc1c028e9633ff3ae69df2e98
corporate/4.0/x86_64/lib64pq4-devel-8.1.10-0.1.20060mlcs4.x86_64.rpm
135f2583ebba8c937ef65e94cfff4b46
corporate/4.0/x86_64/postgresql-8.1.10-0.1.20060mlcs4.x86_64.rpm
b29df3a033c4f80d93166c4e075a73dc
corporate/4.0/x86_64/postgresql-contrib-8.1.10-0.1.20060mlcs4.x86_64.rpm
c46e540ca5e063b53feb63e06f438f66
corporate/4.0/x86_64/postgresql-devel-8.1.10-0.1.20060mlcs4.x86_64.rpm
49a645929b23b095d68b1343d33ed584
corporate/4.0/x86_64/postgresql-docs-8.1.10-0.1.20060mlcs4.x86_64.rpm
0bc2d6034bbdf336283afd735c141987
corporate/4.0/x86_64/postgresql-pl-8.1.10-0.1.20060mlcs4.x86_64.rpm
7ed1208bb18735772c6cecd5c005c635
corporate/4.0/x86_64/postgresql-plperl-8.1.10-0.1.20060mlcs4.x86_64.rpm
b1fe1e0863f0f7a7231146b7707b18d5
corporate/4.0/x86_64/postgresql-plpgsql-8.1.10-0.1.20060mlcs4.x86_64.rpm
76223a8ac834672a08f8005890ac3b89
corporate/4.0/x86_64/postgresql-plpython-8.1.10-0.1.20060mlcs4.x86_64.rpm
1d755e3c55734e3a372d34f8ed1be73d
corporate/4.0/x86_64/postgresql-pltcl-8.1.10-0.1.20060mlcs4.x86_64.rpm
9f65beb9255b19140e6e3e27c9ee6f55
corporate/4.0/x86_64/postgresql-server-8.1.10-0.1.20060mlcs4.x86_64.rpm
f06a3c86c59c737d944bde1eaedae166
corporate/4.0/x86_64/postgresql-test-8.1.10-0.1.20060mlcs4.x86_64.rpm
6aa551b36336a70ce3cc58dc073a3485
corporate/4.0/SRPMS/postgresql-8.1.10-0.1.20060mlcs4.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFG+R9nmqjQ0CJFipgRAjkrAJ4rLVY2zOlBYaHYlYGaOb3P/tr99QCgw7+v
3mptByzoXB2Nsufxf1Onuf8=
=p4xq
-----END PGP SIGNATURE-----