------------------------------------------------------------
Arch Linux Security Warning                     ALSW 2007-#4
------------------------------------------------------------

Name:      postgresql
Date:      2007-02-12
Severity:  High
Warning #: 2007-#4

------------------------------------------------------------

Product Background
===================
A sophisticated object-relational DBMS

Problem Background
===================
PostgreSQL 8.1 before 8.1.7 allows attackers to disable certain checks for the data types of SQL function arguments, which allows remote authenticated users to cause a denial of service (server crash) and possibly access database content.

The query planner in PostgreSQL 8.1 before 8.1.7 does not verify that a table is compatible with a "previously made query plan," which allows remote authenticated users to cause a denial of service (server crash) and possibly access database content via an "ALTER COLUMN TYPE" SQL statement, which can be leveraged to read arbitrary memory from the server.

Problem Packages
===================
------------------------------------------------------------------
Package    | Repo    | Group   | Unsafe  | Safe     |
------------------------------------------------------------------
postgresql   current   daemons   < 8.1.8   >= 8.1.8

Package Fix
===================
Upgrade to postgresql 8.1.8, which contains all security patches from 8.1.7.

Source: ftp://ftp.postgresql.org/pub/source/v8.1.8/postgresql-base-8.1.8.tar.bz2
md5sum: 5da7d5bf67e01ddc1fbd92a072ccd3f3

Reference(s)
===================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0556

Contact
===================
JJDaNiMoTh (jjdanimoth AT gmail DOT com)
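
The check implied by the Problem Packages table and the Package Fix section, as an added example that is not part of the original advisory: it classifies a pacman version string against the 8.1.8 threshold and compares a downloaded source tarball with the published md5sum. The function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: triage one host against ALSW 2007-#4.
# The threshold and md5sum are copied from the advisory; function names are hypothetical.
SAFE_VERSION="8.1.8"                           # "Safe" column: >= 8.1.8
SOURCE_MD5="5da7d5bf67e01ddc1fbd92a072ccd3f3"  # postgresql-base-8.1.8.tar.bz2

# Strip epoch and pkgrel from a pacman version string: "1:8.1.7-2" -> "8.1.7".
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%%-*}"
}

# Return 0 when dotted version $1 is lower than $2, comparing numeric fields left to right.
version_lt() {
    left=$1 right=$2
    while [ -n "$left" ] || [ -n "$right" ]; do
        l=${left%%.*}; r=${right%%.*}        # current field of each version
        l=${l%%[!0-9]*}; r=${r%%[!0-9]*}     # drop suffixes such as "rc1"
        [ "${l:-0}" -lt "${r:-0}" ] && return 0
        [ "${l:-0}" -gt "${r:-0}" ] && return 1
        case $left in *.*) left=${left#*.} ;; *) left= ;; esac
        case $right in *.*) right=${right#*.} ;; *) right= ;; esac
    done
    return 1                                 # equal versions are not "lower"
}

# Classify an installed package version per the advisory's Unsafe/Safe columns.
advisory_status() {
    if version_lt "$(upstream_version "$1")" "$SAFE_VERSION"; then
        echo "UNSAFE"
    else
        echo "SAFE"
    fi
}

# Return 0 only when the file's MD5 equals the value published in the advisory.
# MD5 catches a corrupted download; it is the only digest the advisory provides.
verify_source() {
    sum=$(md5sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ "$sum" = "$SOURCE_MD5" ]
}

# Usage on Arch: sh alsw-2007-4.sh "$(pacman -Q postgresql | cut -d' ' -f2)" [tarball]
if [ "$#" -ge 1 ]; then
    echo "postgresql $1: $(advisory_status "$1")"
    if [ "$#" -ge 2 ]; then
        if verify_source "$2"; then echo "source md5 OK"; else echo "source md5 MISMATCH"; fi
    fi
fi
```

The comparison is numeric per field, so 8.1.10 is correctly treated as newer than 8.1.8, which a plain string comparison would get wrong.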
