-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear colleagues,
We have just received the following Fedora Security Advisory. We are
forwarding this information to you unchanged.
CVE-2009-0922 - Vulnerability in PostgreSQL
In PostgreSQL, a failure to convert localized error messages into the
client's encoding can be triggered. A remote attacker with a valid
database user account can exploit this vulnerability to exhaust the
stack and crash the server (denial of service).
The following software packages and platforms are affected:
Package postgresql
Fedora 9
Fedora 10
The vendor provides updated packages.
Vendor advisory:
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00843.html
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00810.html
(c) of the German summary by DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with attribution to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.
Kind regards,
Detlev O. Matthies
-- 
Detlev O. Matthies, M.Sc. (Incident Response Team)
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
Automatic warning messages: https://www.cert.dfn.de/autowarn
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-2959
2009-03-23 15:16:59
--------------------------------------------------------------------------------
Name : postgresql
Product : Fedora 10
Version : 8.3.7
Release : 1.fc10
URL : http://www.postgresql.org/
Summary : PostgreSQL client programs and libraries
Description :
PostgreSQL is an advanced Object-Relational database management system
(DBMS) that supports almost all SQL constructs (including
transactions, subselects and user-defined types and functions). The
postgresql package includes the client programs and libraries that
you'll need to access a PostgreSQL DBMS server. These PostgreSQL
client programs are programs that directly manipulate the internal
structure of PostgreSQL databases on a PostgreSQL server. These client
programs can be located on the same machine with the PostgreSQL
server, or may be on a remote machine which accesses a PostgreSQL
server over a network connection. This package contains the docs
in HTML for the whole package, as well as command-line utilities for
managing PostgreSQL databases on a PostgreSQL server.
If you want to manipulate a PostgreSQL database on a remote PostgreSQL
server, you need this package. You also need to install this package
if you're installing the postgresql-server package.
--------------------------------------------------------------------------------
Update Information:
Update to PostgreSQL 8.3.7, for various fixes described at
http://www.postgresql.org/docs/8.3/static/release-8-3-7.html
--------------------------------------------------------------------------------
ChangeLog:
* Sat Mar 21 2009 Tom Lane
- Update to PostgreSQL 8.3.7, for various fixes described at
http://www.postgresql.org/docs/8.3/static/release-8-3-7.html
notably the fix for CVE-2009-0922
* Mon Mar 9 2009 Oliver Falk
- Use -O1 on alpha, as on sparc64
- Re-enable selftests on alpha again
* Sat Feb 7 2009 Tom Lane
- Update to PostgreSQL 8.3.6, for various fixes described at
http://www.postgresql.org/docs/8.3/static/release-8-3-6.html
* Wed Jan 21 2009 Dennis Gilmore
- use -O1 on sparc64
* Sun Nov 2 2008 Tom Lane
- Update to PostgreSQL 8.3.5.
- Improve display from init script's initdb action, per Michael Schwendt
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #488156 – CVE-2009-0922 postgresql: potential DoS due to conversion functions
https://bugzilla.redhat.com/show_bug.cgi?id=488156
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update postgresql' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
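As an added example (not part of the Fedora notification or the DFN-CERT summary), the following POSIX shell snippet decides from an `rpm -q postgresql` style name-version-release string whether the installed package is already at or above the fixed Fedora 10 build, 8.3.7-1.fc10, so the check can be scripted across a fleet before and after running the yum update. The package strings it runs on are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example: version check for the CVE-2009-0922 fix (postgresql 8.3.7).
# Not code from Fedora or DFN-CERT; function names and sample strings are
# this example's own.

FIXED_VERSION="8.3.7"

# vercmp A B: prints -1, 0 or 1 when dotted numeric version A is lower,
# equal or higher than B. Missing components count as 0 (8.3 == 8.3.0).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ahead="${a%%.*}"; bhead="${b%%.*}"
        [ -z "$ahead" ] && ahead=0
        [ -z "$bhead" ] && bhead=0
        if [ "$ahead" -lt "$bhead" ]; then printf '%s\n' -1; return; fi
        if [ "$ahead" -gt "$bhead" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# version_of NVRA: strips the package name and the release/dist suffix,
# e.g. "postgresql-8.3.6-1.fc10.x86_64" -> "8.3.6".
version_of() {
    rest="${1#postgresql-}"
    printf '%s\n' "${rest%%-*}"
}

# is_fixed NVRA: exit status 0 if the installed version is >= 8.3.7.
is_fixed() {
    v=$(version_of "$1")
    [ "$(vercmp "$v" "$FIXED_VERSION")" -ge 0 ]
}

# On a live host this would be:  is_fixed "$(rpm -q postgresql)"
# and, before installing a downloaded RPM by hand, "rpm -K <file>.rpm" to
# verify the Fedora Project GPG signature. Here we run constructed samples.
for pkg in postgresql-8.3.6-1.fc10.x86_64 postgresql-8.3.7-1.fc10.x86_64; do
    if is_fixed "$pkg"; then
        echo "$pkg: fixed for CVE-2009-0922"
    else
        echo "$pkg: VULNERABLE, run: su -c 'yum update postgresql'"
    fi
done
```

The comparison is done on the upstream version only; the Fedora release tag (1.fc10) is deliberately ignored because any 8.3.7 build carries the fix. Keep in mind that the vulnerable code is in the server, so the postgresql-server package from the same update must be installed and the service restarted for the fix to take effect.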
--------------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFJyNv9k0kIxZMiiQ8RAi8/AJ41mNF0PKtmvDxx+Rso5QC8hNwzdACgkEpP
/T/0ZDzpMAww18ycduXJlgo=
=HSa/
-----END PGP SIGNATURE-----