Bug 297383 (CVE-2009-4034) - dev-db/postgresql* multiple vulnerabilities (CVE-2009-{4034,4136})
Summary: dev-db/postgresql* multiple vulnerabilities (CVE-2009-{4034,4136})
Status: RESOLVED FIXED
Alias: CVE-2009-4034
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.postgresql.org/docs/curren...
Whiteboard: B3 [glsa]
Keywords:
Depends on: CVE-2010-1169
Blocks:
Reported: 2009-12-18 02:13 UTC by Stefan Behte (RETIRED)
Modified: 2011-10-25 07:51 UTC
CC List: 4 users

See Also:
Package list:
Runtime testing required: ---
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 02:13:32 UTC
CVE-2009-4034 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4034):
  PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before
  8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before
  8.4.2 does not properly handle a '\0' character in a domain name in
  the subject's Common Name (CN) field of an X.509 certificate, which
  (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based
  PostgreSQL servers via a crafted server certificate issued by a
  legitimate Certification Authority, and (2) allows remote attackers
  to bypass intended client-hostname restrictions via a crafted client
  certificate issued by a legitimate Certification Authority, a related
  issue to CVE-2009-2408.
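The failure mode in CVE-2009-4034 is a hostname check that stops reading the certificate's CN at the first NUL byte, so a CN that continues after the NUL is compared as if it ended there. The following is an added example (it is not code from this bug, from Gentoo, or from PostgreSQL): it contrasts that NUL-truncating comparison with a length-aware check that rejects embedded NULs outright. The function names and the sample CN bytes are constructed for illustration; a real verifier would take the CN from a parsed X.509 subject.

```python
# Added example: NUL-truncating vs. length-aware CN/hostname comparison.
# Not part of the Gentoo bug or PostgreSQL; names and sample data are constructed.

def c_style_cn(cn: bytes) -> str:
    """Mimic a C-style read of the CN buffer: everything after the first
    NUL byte is silently dropped (the pre-fix behaviour the CVE describes)."""
    return cn.split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def naive_cn_matches(cn: bytes, host: str) -> bool:
    """Vulnerable pattern: compare the NUL-truncated CN with the expected host."""
    return c_style_cn(cn).lower() == host.lower()


def strict_cn_matches(cn: bytes, host: str) -> bool:
    """Hardened check: refuse any CN containing an embedded NUL, then compare
    the full CN against the host. A single leading wildcard label ('*.') is
    accepted and matches exactly one label."""
    if b"\x00" in cn:
        return False
    name = cn.decode("utf-8", errors="replace").lower()
    host = host.lower()
    if name.startswith("*."):
        suffix = name[1:]  # ".example.com"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        # the part matched by '*' must be one non-empty label, no dots
        return "." not in host[: -len(suffix)]
    return name == host


# Constructed sample: a CN that reads as "db.example.com" to a NUL-truncating
# comparison but actually continues past the NUL.
SAMPLE_CN = b"db.example.com\x00.invalid"
EXPECTED_HOST = "db.example.com"

if __name__ == "__main__":
    print("naive :", naive_cn_matches(SAMPLE_CN, EXPECTED_HOST))   # True  (accepts)
    print("strict:", strict_cn_matches(SAMPLE_CN, EXPECTED_HOST))  # False (rejects)
```

The strict variant also covers the client-side case in part (2) of the description: a `hostname`-based restriction that compares the client certificate's CN with the same length-aware logic cannot be satisfied by a CN that merely begins with the permitted name.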
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 02:22:31 UTC
CVE-2009-4136 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4136):
  PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before
  8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before
  8.4.2 does not properly manage session-local state during execution
  of an index function by a database superuser, which allows remote
  authenticated users to gain privileges via a table with crafted index
  functions, as demonstrated by functions that modify (1) search_path
  or (2) a prepared statement, a related issue to CVE-2007-6600 and
  CVE-2009-3230.

Comment 2 Patrick Lauer gentoo-dev 2010-01-06 23:36:40 UTC
All ebuilds except for 7.4.27 are in-tree. (That one fails on autotools thingies again) 

Comment 3 Patrick Lauer gentoo-dev 2010-01-07 00:49:59 UTC
7.4.27 committed, so all ebuilds are available.
Comment 4 Alexander Hoogerhuis 2010-01-18 00:19:47 UTC
There seems to be no 8.1.19 ebuild available?
Comment 5 Patrick Lauer gentoo-dev 2010-01-26 20:34:21 UTC
(In reply to comment #4)
> There seems to be no 8.1.19 ebuild available?
> 
There is.
Comment 6 Alexander Hoogerhuis 2010-01-26 23:11:58 UTC
I did emerge --sync just now and have these two 8.1 series:

postgresql-8.1.11.ebuild
postgresql-8.1.18.ebuild

Nothing else matching *8.1.*
Comment 7 Aaron W. Swenson gentoo-dev 2010-03-01 08:38:31 UTC
(In reply to comment #6)
> I did emerge --sync just now and have these two 8.1 series:
> 
> postgresql-8.1.11.ebuild
> postgresql-8.1.18.ebuild
> 
> Nothing else matching *8.1.*
> 

Can confirm 8.1.19 is there.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:50:44 UTC
Vote: NO.
Comment 9 Alexander Hoogerhuis 2010-03-06 15:54:06 UTC
Either I'm completely missing the point here, or something else is up a creek.

I've had a look around on about 10 different machines, all nicely sync'ed up as recently as a few days back, and there is *no* 8.1.19 in the /usr/portage/dev-db/postgresql directory.


Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 16:18:32 UTC
I got:

* dev-db/postgresql-server
     Available versions:  
	(7.3)	7.3.21
	(7.4)	7.4.26 7.4.27
	(8.0)	8.0.22 8.0.23
	(8.1)	8.1.18 8.1.19
	(8.2)	8.2.14 8.2.15
	(8.3)	8.3.8 8.3.9
	(8.4)	8.4.1!t 8.4.1-r1!t 8.4.2!t 8.4.2-r1!t
	(8.5)	[M]~8.5_alpha3!t
	(9.0)	[M]~9.0_alpha4!t
Comment 11 Alexander Hoogerhuis 2010-03-06 16:40:34 UTC
http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-db/postgresql/

This is what I see.

-A
Comment 12 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-03-07 09:33:52 UTC
There is a dev-db/postgresql-*server* package 8.1.19, but no dev-db/postgresql 8.1.19.

pgsql-bugs: Please explain what the difference between postgresql and postgresql-server is.

GLSA vote: YES
Comment 13 Aaron W. Swenson gentoo-dev 2010-03-13 23:47:42 UTC
(In reply to comment #12)
> There is a dev-db/postgresql-*server* package 8.1.19, but no dev-db/postgresql
> 8.1.19.
> 
> pgsql-bugs: Please explain what the difference between postgresql and
> postgresql-server is.
> 
> GLSA vote: YES
> 

Simply put, dev-db/postgresql doesn't do slotting the way dev-db/postgresql-server does it. And, using dev-db/postgresql-{docs,base,server} is much more descriptive than the older ones.

Most importantly: dev-db/postgresql-{docs,base,server} are the only packages that are and will be maintained.
Comment 14 Alexander Hoogerhuis 2010-03-13 23:50:27 UTC
[quote]
Most importantly: dev-db/postgresql-{docs,base,server} are the only packages
that are and will be maintained.
[/quote]

So why is the whole dev-db/postgresql hierarchy still kept in portage?

-A
Comment 15 Aaron W. Swenson gentoo-dev 2010-03-16 22:09:02 UTC
(In reply to comment #14)
> [quote]
> Most importantly: dev-db/postgresql-{docs,base,server} are the only packages
> that are and will be maintained.
> [/quote]
> 
> So why is the whole dev-db/postgresql hierarchy still kept in portage?
> 
> -A
> 

We've been trying to mask and get rid of them for a while. But, other packages in the tree have required them, and we need the new packages to be stabilized across the board.
Comment 16 Patrick Lauer gentoo-dev 2010-06-16 18:59:54 UTC
dev-db/postgresql has been masked. postgresql-{base,server} are now the only relevant ebuilds.
Stabilization requested in #320967 should also fix this bug.
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-14 14:35:20 UTC
GLSA request filed.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2011-10-25 07:51:05 UTC
This issue was resolved and addressed in
 GLSA 201110-22 at http://security.gentoo.org/glsa/glsa-201110-22.xml
by GLSA coordinator Alex Legler (a3li).