Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 431766 (CVE-2012-3488) - <dev-db/postgresql-server-{9.1.5,9.0.9,8.4.13,8.3.20} Insecure use of {libxslt,libxml2} (CVE-2012-{3488,3489})
Summary: <dev-db/postgresql-server-{9.1.5,9.0.9,8.4.13,8.3.20} Insecure use of {libxsl...
Alias: CVE-2012-3488
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on:
Blocks: CVE-2012-2143
  Show dependency tree
Reported: 2012-08-17 17:13 UTC by Aaron W. Swenson
Modified: 2012-09-28 12:03 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Aaron W. Swenson gentoo-dev 2012-08-17 17:13:11 UTC
The PostgreSQL Global Development Group today released security updates for all active branches of the PostgreSQL database system, including versions 9.1.5, 9.0.9, 8.4.13 and 8.3.20. This update patches security holes associated with libxml2 and libxslt, similar to those affecting other open source projects. All users are urged to update their installations at the first available opportunity.

This security release fixes a vulnerability in the built-in XML functionality, and a vulnerability in the XSLT functionality supplied by the optional XML2 extension. Both vulnerabilities allow reading of arbitrary files by any authenticated database user, and the XSLT vulnerability allows writing files as well. The fixes cause limited backwards compatibility issues. These issues correspond to the following two vulnerabilities:

    CVE-2012-3488: PostgreSQL insecure use of libxslt
    CVE-2012-3489: PostgreSQL insecure use of libxml2

This release also contains several fixes to version 9.1, and a smaller number of fixes to older versions, including:

    Updates and corrections to time zone data
    Multiple documentation updates and corrections
    Add limit on max_wal_senders
    Fix dependencies generated during ALTER TABLE ADD CONSTRAINT USING INDEX.
    Correct behavior of unicode conversions for PL/Python
    Fix WITH attached to a nested set operation (UNION/INTERSECT/EXCEPT).
    Fix syslogger so that log_truncate_on_rotation works in the first rotation.
    Only allow autovacuum to be auto-canceled by a directly blocked process.
    Improve fsync request queue operation
    Prevent corner-case core dump in rfree().
    Fix Walsender so that it responds correctly to timeouts and deadlocks
    Several PL/Perl fixes for encoding-related issues
    Make selectivity operators use the correct collation
    Prevent unsuitable slaves from being selected for synchronous replication
    Make REASSIGN OWNED work on extensions as well
    Fix race condition with ENUM comparisons
    Make NOTIFY cope with out-of-disk-space
    Fix memory leak in ARRAY subselect queries
    Reduce data loss at replication failover
    Fix behavior of subtransactions with Hot Standby

Users who are relying on the built-in XML functionality to validate external DTDs will need to implement a workaround, as this security patch disables that functionality. Users who are using xslt_process() to fetch documents or stylesheets from external URLs will no longer be able to do so. The PostgreSQL project regrets the need to disable both of these features in order to maintain our security standards. These security issues with XML are substantially similar to issues patched recently by the Webkit (CVE-2011-1774), XMLsec (CVE-2011-1425) and PHP5 (CVE-2012-0057) projects.

As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries. Perform post-update steps after the database is restarted.

All supported versions of PostgreSQL are affected. See the release notes for each version for a full list of changes with details of the fixes and steps.
Comment 1 Aaron W. Swenson gentoo-dev 2012-08-17 17:30:43 UTC
Stabilization Targets:
 * postgresql-docs-9.1.5
 * postgresql-docs-9.0.9
 * postgresql-docs-8.4.13
 * postgresql-docs-8.3.20

 * postgresql-base-9.1.5
 * postgresql-base-9.0.9
 * postgresql-base-8.4.13
 * postgresql-base-8.3.20

 * postgresql-server-9.1.5
 * postgresql-server-9.0.9
 * postgresql-server-8.4.13
 * postgresql-server-8.3.20
Comment 2 Agostino Sarubbo gentoo-dev 2012-08-18 11:10:24 UTC
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2012-08-19 17:29:47 UTC
Stable for HPPA.
Comment 4 Johannes Huber (RETIRED) gentoo-dev 2012-08-21 06:22:41 UTC
x86 stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2012-08-26 16:10:40 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 6 Anthony Basile gentoo-dev 2012-09-20 18:29:11 UTC
Okay stable ppc ppc64.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-09-20 23:23:31 UTC
Thanks, everyone. GLSA Vote: no.
Comment 8 Aaron W. Swenson gentoo-dev 2012-09-25 18:18:56 UTC
Affected versions removed from tree.
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-27 00:02:03 UTC
This is already on a GLSA draft.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-09-28 12:03:22 UTC
This issue was resolved and addressed in
 GLSA 201209-24 at
by GLSA coordinator Sean Amoss (ackle).