
[ MDKSA-2007:188 ] - Updated postgresql packages prevent access abuse using dblink



 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2007:188
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : postgresql
 Date    : September 25, 2007
 Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________
 
 Problem Description:
 
 PostgreSQL 8.1 and probably later and earlier versions, when local
 trust authentication is enabled and the Database Link library (dblink)
 is installed, allows remote attackers to access arbitrary accounts
 and execute arbitrary SQL queries via a dblink host parameter that
 proxies the connection from 127.0.0.1. (CVE-2007-3278)
 
 PostgreSQL 8.1 and probably later and earlier versions, when the
 PL/pgSQL (plpgsql) language has been created, grants certain plpgsql
 privileges to the PUBLIC domain, which allows remote attackers
 to create and execute functions, as demonstrated by functions that
 perform local brute-force password guessing attacks, which may evade
 intrusion detection. (CVE-2007-3279)
 
 The Database Link library (dblink) in PostgreSQL 8.1 implements
 functions via CREATE statements that map to arbitrary libraries based
 on the C programming language, which allows remote authenticated
 superusers to map and execute a function from any library, as
 demonstrated by using the system function in libc.so.6 to gain shell
 access. (CVE-2007-3280)
 
 Updated packages fix these issues by requiring non-superusers who
 use /contrib/dblink to use only password authentication.
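
CVE-2007-3278 above depends on `trust` authentication being accepted for connections that originate on the database server itself. As an added example (not part of the Mandriva advisory or of PostgreSQL), the following Python audits a pg_hba.conf for `trust` rules that match Unix-socket or loopback connections; the sample file and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf for illustration (not from the advisory).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS                     METHOD
local   all       postgres                              ident sameuser
local   all       all                                   trust
host    all       all       127.0.0.1/32                trust
host    all       all       127.0.0.1 255.255.255.255   md5
host    all       all       ::1/128                     trust
host    app       appuser   10.0.0.0/8                  trust
"""

LOOPBACK = {4: ipaddress.ip_network("127.0.0.0/8"),
            6: ipaddress.ip_network("::1/128")}

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def covers_loopback(addr, mask=None):
    """True if a host rule's address range includes a loopback address."""
    if addr == "all":
        return True
    try:
        net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
    except ValueError:
        return False  # hostname or other keyword: not evaluated here
    return net.overlaps(LOOPBACK[net.version])

def find_local_trust(hba_text):
    """Return (line_no, type, database, user) for trust rules matching local connections."""
    findings = []
    for no, raw in enumerate(hba_text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()  # simplification: ignores quoted '#'
        if len(f) >= 4 and f[0] == "local":
            method, local = f[3], True    # Unix-socket rule has no address field
        elif len(f) >= 5 and f[0] in ("host", "hostssl", "hostnossl"):
            # Address is either CIDR or "IP netmask" as two separate fields.
            has_mask = "/" not in f[3] and len(f) >= 6 and _is_ip(f[4])
            method = f[5] if has_mask else f[4]
            local = covers_loopback(f[3], f[4] if has_mask else None)
        else:
            continue
        if method == "trust" and local:
            findings.append((no, f[0], f[1], f[2]))
    return findings
```

A wide rule such as `0.0.0.0/0` with `trust` is reported as well, because it also matches a connection arriving from 127.0.0.1.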
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3278
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3279
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3280
 _______________________________________________________________________
 
 Updated Packages:
 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>