Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 284274 (CVE-2009-3229) - dev-db/postgresql: PostgreSQL security updates fix multiple vulnerabilities (CVE-2009-{3229,3230,3231})
Summary: dev-db/postgresql: PostgreSQL security updates fix multiple vulnerabilities (...
Status: RESOLVED FIXED
Alias: CVE-2009-3229
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.postgresql.org/support/sec...
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-09-09 16:28 UTC by Bernd Marienfeldt
Modified: 2011-10-25 07:51 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Bernd Marienfeldt 2009-09-09 16:28:59 UTC 
Latest fixed version are:

8.4.1, 8.3.8, 8.2.14, 8.1.18, 8.0.22 and 7.4.26.
See also upstream: http://www.postgresql.org/ftp/source/

Reproducible: Always
Comment 1 Patrick Lauer gentoo-dev 2009-09-09 22:58:47 UTC 
8.4.1, 8.3.8, 8.2.14, 8.1.18, 8.0.22 are in

7.4.26 needs some autotools love for bump and is close to EOL upstream.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-18 14:29:14 UTC 
CVE-2009-3229 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3229):
  The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before
  8.3.8, and 8.2 before 8.2.14 allows remote authenticated users to
  cause a denial of service (backend shutdown) by "re-LOAD-ing"
  libraries from a certain plugins directory.

CVE-2009-3230 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3230):
  The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before
  8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and
  7.4 before 7.4.26 does not use the appropriate privileges for the (1)
  RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, which
  allows remote authenticated users to gain privileges.  NOTE: this is
  due to an incomplete fix for CVE-2007-6600.

CVE-2009-3231 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3231):
  The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2
  before 8.2.14, when using LDAP authentication with anonymous binds,
  allows remote attackers to bypass authentication via an empty
  password.
Comment 3 Patrick Lauer gentoo-dev 2009-10-03 16:28:47 UTC 
7.4.26 also commited. All slots have new enough versions available.
Comment 4 Patrick Lauer gentoo-dev 2009-11-05 21:36:02 UTC 
Ok, this was a bit confusing.

Since we intended to mask dev-db/libpq and dev-db/postgresql I focussed on dev-db/postgresql-{base,server}. Those have had new enough versions now.

Because the keywording was slowed down I've bumped libpq and postgresql now.
So both sets of packages should have new enough versions. Sorry for the delay.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2009-12-15 08:02:57 UTC 
(In reply to comment #4)
> Ok, this was a bit confusing.
> 
> Since we intended to mask dev-db/libpq and dev-db/postgresql I focussed on
> dev-db/postgresql-{base,server}. Those have had new enough versions now.
> 
> Because the keywording was slowed down I've bumped libpq and postgresql now.
> So both sets of packages should have new enough versions. Sorry for the delay.

 There is a stabilisation bug open in bug 285475 which is blocking other stabilisations, because of some issues.  The bug has patches attached, maybe they should be incorporated.
Comment 6 Patrick Lauer gentoo-dev 2010-07-11 22:38:10 UTC 
dev-db/postgresql is now gone. Close bug?
Comment 7 Aaron W. Swenson gentoo-dev 2010-09-24 09:08:35 UTC 
This should be resolved along with bug 320967
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2011-10-25 07:51:00 UTC 
This issue was resolved and addressed in
 GLSA 201110-22 at http://security.gentoo.org/glsa/glsa-201110-22.xml
by GLSA coordinator Alex Legler (a3li).