Description: Some vulnerabilities have been reported in PostgreSQL, which can be exploited by malicious users to gain knowledge of potentially sensitive information and cause a DoS (Denial of Service).

1) An unspecified error can be used to suppress certain checks, which ensure that SQL functions return the correct data type. This can be exploited to crash the database backend or disclose potentially sensitive information.

2) An unspecified error when changing the data type of a table column can be exploited to crash the database backend or disclose potentially sensitive information.

Vulnerability #1 is reported in versions 8.0, 8.1, and 8.2. Vulnerability #2 is reported in 8.0, 8.1, 8.2, 7.3 and 7.4.

Solution: Update to 8.2.2, 8.1.7, 8.0.11, 7.4.16, or 7.3.13.

Reproducible: Didn't try

http://www.postgresql.org/support/security
*** Bug 165562 has been marked as a duplicate of this bug. ***
Oops, wait! :-) 8.1.7 and 8.2.2 are buggy, see http://archives.postgresql.org/pgsql-hackers/2007-02/msg00286.php
See update from PostgreSQL developer: http://archives.postgresql.org/pgsql-announce/2007-02/msg00008.php

Kind regards
libpq and postgresql 7.3.18 have been committed to the tree.
(In reply to comment #4)
> libpq and postgresql 7.3.18 have been committed to the tree.

Thanks, perfect.

Hi arches, please test and mark stable if appropriate those ebuilds:
libpq-7.3.18
postgresql-7.3.18
libpq-7.4.16
postgresql-7.4.16
libpq-8.0.12
postgresql-8.0.12
(In reply to comment #5)
> libpq-7.3.18
> postgresql-7.3.18
> libpq-7.4.16
> postgresql-7.4.16

>>> Unpacking postgresql-opt-7.3.18.tar.bz2 to /var/tmp/portage/dev-db/libpq-7.3.18/work
 * Applying libpq-7.3.18-gentoo.patch ...
 * Failed Patch: libpq-7.3.18-gentoo.patch !
 * ( /usr/portage/dev-db/libpq/files/libpq-7.3.18-gentoo.patch )

Same occurs with 7.4.16.
The 7.3 and 7.4 problems are because I missed CVS keywords in the libpq patches for those versions. I've committed fixes for libpq-7.3 and 7.4, and I've verified none of the other ebuilds have that problem. Sorry for any confusion.
x86 stable
Yep, seems to work. ppc64 stable
sparc stable.
Stable for HPPA. As a side note, postgresql-7.3.18 failed the horology regression test whilst 7.4.16 did not. I did not test this for 8.0.12 within the scope of this bug.
(In reply to comment #11)
> Stable for HPPA. As a side note, postgresql-7.3.18 failed the horology
> regression test whilst 7.4.16 did not. I did not test this for 8.0.12 within
> the scope of this bug.

Found the source too: compare [1] and [2]. False alarm.

[1] http://www.postgresql.org/docs/7.3/interactive/regress-platform.html
[2] http://www.postgresql.org/docs/7.4/interactive/regress-platform.html
Stable on Alpha + IA64.
ppc stable
Hi amd64, is there something causing trouble?
(In reply to comment #15)
> Hi amd64, is there something causing trouble?

Nothing unusual. Stable on amd64.
voting no
Mmm, I don't know... CVE-2007-0556 seems a little severe.
Tend to vote yes here.
Another security member with interesting arguments? Otherwise I would say "yes" too. GLSA request filed.
GLSA 200701-15 sent but apparently it never hit gentoo-announce@
GLSA 200703-15 seems to have finally reached g-announce. Closing then. Thanks to everybody.