| Summary: | <dev-db/postgresql-{base,server,docs}-{8.3.19,8.4.12,9.0.8,9.1.4}: Multiple Vulnerabilities (CVE-2012-{2143,2655}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Patrick Lauer <patrick> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | esigra, pgsql-bugs |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.postgresql.org/about/news/1398/ | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 431766 | | |
| Bug Blocks: | | | |
Description
Patrick Lauer
2012-06-05 08:38:53 UTC
```
+
+  05 Jun 2012; Patrick Lauer <patrick@gentoo.org>
+  +postgresql-server-8.3.19.ebuild, +postgresql-server-8.4.12.ebuild,
+  +postgresql-server-9.0.8.ebuild, +postgresql-server-9.1.4.ebuild:
+  Bump for #419727
```

ebuilds are there, suggest the usual stabling. Thanks, Patrick.

Arches, please test and mark stable:

```
=dev-db/postgresql-base-8.3.19
=dev-db/postgresql-server-8.3.19
=dev-db/postgresql-docs-8.3.19
=dev-db/postgresql-base-8.4.12
=dev-db/postgresql-server-8.4.12
=dev-db/postgresql-docs-8.4.12
=dev-db/postgresql-base-9.0.7
=dev-db/postgresql-server-9.0.7
=dev-db/postgresql-docs-9.0.7
=dev-db/postgresql-base-9.1.3
=dev-db/postgresql-server-9.1.3
=dev-db/postgresql-docs-9.1.3
```

Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

amd64 stable

Stable for HPPA.

ppc64 done

x86 stable (9.0.8 and 9.1.4 instead of 9.0.7 and 9.1.3 from comment #2), thanks.

arm stable

alpha/arm/ia64/s390/sh/sparc stable

CVE-2012-2143 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2143): The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.

CVE-2012-2655 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2655): PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4 allows remote authenticated users to cause a denial of service (server crash) by adding the (1) SECURITY DEFINER or (2) SET attributes to a procedural language's call handler.

Moving to [glsa].

PPC, please stabilize the newer versions from bug 431766 instead.

Affected versions no longer in tree.

This issue was resolved and addressed in GLSA 201209-24 at http://security.gentoo.org/glsa/glsa-201209-24.xml by GLSA coordinator Sean Amoss (ackle).