openSUSE Security Update: postgresql: security update to fix four vulnerabilities
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2010:0371-1
Rating:             moderate
References:         #588996 #605845 #605926 #607778
Cross-References:   CVE-2010-0733 CVE-2010-1169 CVE-2010-1170 CVE-2010-1975
Affected Products:
                    openSUSE 11.2
                    openSUSE 11.1
                    openSUSE 11.0
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available. It includes
   two new package versions.

Description:

   This update of postgresql was published to fix several minor security
   vulnerabilities:

   - CVE-2010-1975: postgresql does not properly check privileges during
     certain RESET ALL operations, which allows remote authenticated users
     to remove arbitrary parameter settings.

   - CVE-2010-1170: The PL/Tcl implementation in postgresql loads Tcl code
     from the pltcl_modules table regardless of the table's ownership and
     permissions, which allows remote authenticated users, with
     database-creation privileges, to execute arbitrary Tcl code.

   - CVE-2010-1169: Postgresql does not properly restrict PL/perl
     procedures, which allows remote authenticated users, with
     database-creation privileges, to execute arbitrary Perl code via a
     crafted script.

   - CVE-2010-0733: An integer overflow in postgresql allows remote
     authenticated users to crash the daemon via a SELECT statement.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 11.2:
     zypper in -t patch postgresql-2472

   - openSUSE 11.1:
     zypper in -t patch postgresql-2472

   - openSUSE 11.0:
     zypper in -t patch postgresql-2472

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 11.2 (i586 src x86_64) [New Version: 8.4.4]:

      postgresql-8.4.4-0.1.1

   - openSUSE 11.2 (i586 x86_64) [New Version: 8.4.4]:

      postgresql-contrib-8.4.4-0.1.1
      postgresql-devel-8.4.4-0.1.1
      postgresql-docs-8.4.4-0.1.1
      postgresql-libs-8.4.4-0.1.1
      postgresql-plperl-8.4.4-0.1.1
      postgresql-plpython-8.4.4-0.1.1
      postgresql-pltcl-8.4.4-0.1.1
      postgresql-server-8.4.4-0.1.1

   - openSUSE 11.2 (x86_64) [New Version: 8.4.4]:

      postgresql-libs-32bit-8.4.4-0.1.1

   - openSUSE 11.1 (i586 ppc src x86_64) [New Version: 8.3.11]:

      postgresql-8.3.11-0.1.1

   - openSUSE 11.1 (i586 ppc x86_64) [New Version: 8.3.11]:

      postgresql-contrib-8.3.11-0.1.1
      postgresql-devel-8.3.11-0.1.1
      postgresql-docs-8.3.11-0.1.1
      postgresql-libs-8.3.11-0.1.1
      postgresql-plperl-8.3.11-0.1.1
      postgresql-plpython-8.3.11-0.1.1
      postgresql-pltcl-8.3.11-0.1.1
      postgresql-server-8.3.11-0.1.1

   - openSUSE 11.1 (x86_64) [New Version: 8.3.11]:

      postgresql-libs-32bit-8.3.11-0.1.1

   - openSUSE 11.1 (ppc) [New Version: 8.3.11]:

      postgresql-libs-64bit-8.3.11-0.1.1

   - openSUSE 11.0 (i586 ppc ppc64 src x86_64) [New Version: 8.3.11]:

      postgresql-8.3.11-0.1

   - openSUSE 11.0 (i586 ppc x86_64) [New Version: 8.3.11]:

      postgresql-contrib-8.3.11-0.1
      postgresql-devel-8.3.11-0.1
      postgresql-docs-8.3.11-0.1
      postgresql-libs-8.3.11-0.1
      postgresql-plperl-8.3.11-0.1
      postgresql-plpython-8.3.11-0.1
      postgresql-pltcl-8.3.11-0.1
      postgresql-server-8.3.11-0.1

   - openSUSE 11.0 (x86_64) [New Version: 8.3.11]:

      postgresql-libs-32bit-8.3.11-0.1

   - openSUSE 11.0 (ppc) [New Version: 8.3.11]:

      postgresql-libs-64bit-8.3.11-0.1

References:

   http://support.novell.com/security/cve/CVE-2010-0733.html
   http://support.novell.com/security/cve/CVE-2010-1169.html
   http://support.novell.com/security/cve/CVE-2010-1170.html
   http://support.novell.com/security/cve/CVE-2010-1975.html
   https://bugzilla.novell.com/588996
   https://bugzilla.novell.com/605845
   https://bugzilla.novell.com/605926
   https://bugzilla.novell.com/607778
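The following script is an added example, not part of the advisory or of the openSUSE tooling: after applying the patch, it checks installed postgresql package versions against the fixed versions listed in the Package List above (8.4.4-0.1.1 for 11.2, 8.3.11-0.1.1 for 11.1, 8.3.11-0.1 for 11.0). The version comparison is a simplified numeric field-by-field comparison, not rpm's full rpmvercmp algorithm, and the sample `rpm -qa` output is constructed; on a real host, `zypper patch` and `rpm -q` remain the authoritative source.

```shell
#!/bin/sh
# Added example: verify installed postgresql packages against the fixed
# versions from openSUSE-SU-2010:0371-1. Assumes the fixed version-release
# strings given in the advisory's Package List; the comparison is a
# simplified numeric one (assumption: adequate for these version strings).

# vercmp A B: print -1, 0 or 1 when A is older, equal or newer than B.
# Version and release are split on '.' and '-', missing fields count as 0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# fixed_version PRODUCT: the version-release this advisory ships for the
# given openSUSE release (taken from the Package List above).
fixed_version() {
    case "$1" in
        11.2) echo 8.4.4-0.1.1 ;;
        11.1) echo 8.3.11-0.1.1 ;;
        11.0) echo 8.3.11-0.1 ;;
        *) return 1 ;;
    esac
}

# check_package PRODUCT NAME-VERSION-RELEASE: print "fixed" or "vulnerable".
# The version-release part is the last two '-'-separated fields of the NVR,
# so multi-part names such as postgresql-libs-32bit are handled.
check_package() {
    fixed=$(fixed_version "$1") || { echo "unknown product: $1" >&2; return 2; }
    vr=$(printf '%s\n' "$2" | awk -F- '{ print $(NF-1) "-" $NF }')
    if [ "$(vercmp "$vr" "$fixed")" -ge 0 ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# audit_list PRODUCT: read NVRs from stdin (e.g. rpm -qa 'postgresql*'),
# print "STATUS NVR" per line and return 1 if anything is still vulnerable.
audit_list() {
    rc=0
    while IFS= read -r nvr; do
        [ -n "$nvr" ] || continue
        status=$(check_package "$1" "$nvr") || return 2
        printf '%-10s %s\n' "$status" "$nvr"
        [ "$status" = fixed ] || rc=1
    done
    return $rc
}

# Constructed sample of `rpm -qa 'postgresql*'` output from an openSUSE 11.1
# host where the client package was not updated along with the server.
SAMPLE='postgresql-8.3.10-0.1.1
postgresql-server-8.3.11-0.1.1
postgresql-plperl-8.3.11-0.1.1
postgresql-libs-32bit-8.3.11-0.1.1'

printf '%s\n' "$SAMPLE" | audit_list 11.1 || echo "at least one package still below the fixed version"
```

On a live system replace the constructed sample with `rpm -qa 'postgresql*' | audit_list 11.1` (or the matching product). Note that only the postgresql packages themselves are checked; a running server keeps its old binaries until it is restarted after the update.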