[opensuse-security] Re: [security-announce] openSUSE-SU-2013:0628-1: important: postgresql92: Various security fixes. Update to 9.2.4.
Dear Sir or Madam,

Due to a stay abroad I will probably not be able to read your message before 4.4. In urgent cases I can be reached by telephone at +49 177 7902970.

Kind regards,
W. Lisiewicz

On 05.04.2013 at 10:04, opensuse-security@opensuse.org wrote:
openSUSE Security Update: postgresql92: Various security fixes. Update to 9.2.4.
______________________________________________________________________________

Announcement ID: openSUSE-SU-2013:0628-1
Rating: important
References: #812525
Cross-References: CVE-2013-1899 CVE-2013-1900 CVE-2013-1901

Affected Products: openSUSE 12.3
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
postgresql was updated to version 9.2.4 (bnc#812525):

* CVE-2013-1899: Fix insecure parsing of server command-line switches. A connection request containing a database name that begins with "-" could be crafted to damage or destroy files within the server's data directory, even if the request is eventually rejected.
* CVE-2013-1900: Reset OpenSSL randomness state in each postmaster child process. This avoids a scenario wherein random numbers generated by "contrib/pgcrypto" functions might be relatively easy for another database user to guess. The risk is only significant when the postmaster is configured with ssl = on but most connections don't use SSL encryption.
* CVE-2013-1901: Make REPLICATION privilege checks test current user not authenticated user. An unprivileged database user could exploit this mistake to call pg_start_backup() or pg_stop_backup(), thus possibly interfering with creation of routine backups.
* See the release notes for the rest of the changes:
  http://www.postgresql.org/docs/9.2/static/release-9-2-4.html
  /usr/share/doc/packages/postgresql92/HISTORY
Patch Instructions:
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- openSUSE 12.3:
zypper in -t patch openSUSE-2013-306
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 12.3 (i586 x86_64):
postgresql92-9.2.4-1.4.1
postgresql92-contrib-9.2.4-1.4.1
postgresql92-contrib-debuginfo-9.2.4-1.4.1
postgresql92-debuginfo-9.2.4-1.4.1
postgresql92-debugsource-9.2.4-1.4.1
postgresql92-plperl-9.2.4-1.4.1
postgresql92-plperl-debuginfo-9.2.4-1.4.1
postgresql92-plpython-9.2.4-1.4.1
postgresql92-plpython-debuginfo-9.2.4-1.4.1
postgresql92-pltcl-9.2.4-1.4.1
postgresql92-pltcl-debuginfo-9.2.4-1.4.1
postgresql92-server-9.2.4-1.4.1
postgresql92-server-debuginfo-9.2.4-1.4.1
- openSUSE 12.3 (noarch):
postgresql92-docs-9.2.4-1.4.1
References:
http://support.novell.com/security/cve/CVE-2013-1899.html
http://support.novell.com/security/cve/CVE-2013-1900.html
http://support.novell.com/security/cve/CVE-2013-1901.html
https://bugzilla.novell.com/812525
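As an added defender's check, written for this page and not part of the advisory or the reply above, the following Python compares the version-release an openSUSE 12.3 host reports for the listed packages against the fixed 9.2.4-1.4.1 from the package list. The RPM comparison is a simplified reimplementation of rpmvercmp (no tilde handling), and the sample query output is constructed.

```python
import re
# Fixed version-release from the openSUSE-SU-2013:0628-1 package list (openSUSE 12.3);
# the set below holds the non-debug packages from that list.
FIXED_VR = "9.2.4-1.4.1"
ADVISORY_PACKAGES = {"postgresql92", "postgresql92-server", "postgresql92-contrib", "postgresql92-plperl",
                     "postgresql92-plpython", "postgresql92-pltcl", "postgresql92-docs"}

def _segments(s):
    # rpmvercmp-style tokenisation: runs of digits or of letters, separators dropped
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpm_vercmp(a, b):
    """Simplified rpmvercmp (no '~' handling): -1, 0 or 1. Numeric segments compare as
    integers, alphabetic ones lexically, numeric outranks alphabetic, longer wins on ties."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version decides, release breaks ties."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)

def is_patched(installed_vr, fixed_vr=FIXED_VR):
    """True when the installed version-release is at or above the advisory's fix."""
    return evr_cmp(installed_vr, fixed_vr) >= 0

def unpatched_packages(rpm_query_output):
    r"""Read lines of 'NAME VERSION-RELEASE' (as printed by rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n')
    and return the advisory packages still below the fixed version."""
    missing = []
    for line in rpm_query_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in ADVISORY_PACKAGES and not is_patched(parts[1]):
            missing.append(parts[0])
    return missing

# Constructed sample query output (not from a real host): two packages lag behind the fix.
SAMPLE_QUERY = """postgresql92 9.2.3-1.2.1
postgresql92-server 9.2.3-1.2.1
postgresql92-contrib 9.2.4-1.4.1
postgresql92-docs 9.2.4-1.4.1
"""
```

Packages named by `unpatched_packages` are the ones the `zypper in -t patch openSUSE-2013-306` step above still needs to bring to 9.2.4-1.4.1.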