copyright | disclaimer | privacy | contact

HOME   About AusCERT   Membership   Contact Us   PKI Services   Training   Publications   Sec. Bulletins   Conferences   News & Media   Services   Web Log   Site Map   Site Help   Member login Login »  Become a member »   Home » Security Bul... » Security Bul... » AusCERT Secu... » ASB-2009.1158 - [Win][UNIX/Linux] PostgreSQL prior t...   ASB-2009.1158 - [Win][UNIX/Linux] PostgreSQL prior to 8.4.2: Multiple vulnerabilities Date: 14 December 2009 References: ESB-2009.1683  ESB-2010.0001  ESB-2010.0057  ESB-2010.0459  ASB-2012.0008  ESB-2012.0636.2   Click here for printable version -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2009.1158 PostgreSQL 8.4.2 has been released correcting a number of security vulnerabilities 15 December 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: PostgreSQL prior to 8.4.2 Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Administrator Compromise -- Remote with User Interaction Provide Misleading Information -- Remote with User Interaction Denial of Service -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2009-4136 CVE-2009-4034 Member content until: Thursday, January 14 2010 OVERVIEW Version 8.4.2 of PostgreSQL has been released correcting a number of security vulnerabilities. IMPACT The vendor lists the following details for the security vulnerabilities that have been corrected: "Protect against indirect security threats caused by index functions changing session-local state (Gurjeet Singh, Tom). This change prevents allegedly-immutable index functions from possibly subverting a superuser's session (CVE-2009-4136)." [1] "Reject SSL certificates containing an embedded null byte in the common name (CN) field (Magnus). This prevents unintended matching of a certificate to a server or client name during SSL validation (CVE-2009-4034)." [1] "Fix crash if a DROP is attempted on an internally-dependent object (Tom)" [1] MITIGATION The vendor recommends upgrading to the latest version. [1] REFERENCES [1] PostgreSQL 8.4.2 Documentation Appendix E. Release Notes http://www.postgresql.org/docs/current/static/release-8-4-2.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFLJvJgNVH5XJJInbgRAotyAJwKh2i/RScppr/Lp9H5sqiASmv/TwCeOMtG rj8o5K5LYsJv3203tvwIV1k= =mZ3n -----END PGP SIGNATURE-----

Comments? Click here http://www.auscert.org.au/render.html?cid=10415&it=12112