Your message dated Tue, 10 May 2005 22:52:38 -0700
with message-id <[EMAIL PROTECTED]>
and subject line PostgreSQL Character Conversion and tsearch2 Module Vulnerabilities
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 4 May 2005 14:42:02 +0000
From: "Adam M." <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: PostgreSQL Character Conversion and tsearch2 Module Vulnerabilities
X-Mailer: reportbug 3.11
Date: Wed, 04 May 2005 09:42:17 -0500
Message-Id: <[EMAIL PROTECTED]>

Package: postgresql
Severity: grave
Tags: security sarge

From:
        http://secunia.com/advisories/15217/

Workarounds (aka, fixes :)
        http://www.postgresql.org/about/news.315

DESCRIPTION:
Two vulnerabilities have been reported in PostgreSQL, which can be
exploited by malicious users to cause a DoS (Denial of Service) or
potentially gain escalated privileges.

1) Missing validation of arguments supplied to the functions
supporting client-to-server character set conversion can be exploited
by unprivileged users when calling the functions from SQL commands.

The vulnerability affects versions 7.3.* through 8.0.*.

2) The contrib/tsearch2 module misdeclares the return type of several
functions, which breaks the type safety of "internal". The impact has
reportedly not been investigated, but can at least crash the
backend.

The vulnerability affects versions 7.4 and later with the
contrib/tsearch2 module installed.


-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-k7
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)

Versions of packages postgresql depends on:
ii  adduser          3.63                    Add and remove users and groups
ii  debconf [debconf 1.4.48                  Debian configuration management sy
ii  debianutils      2.13.2                  Miscellaneous utilities specific t
ii  dpkg             1.10.27                 Package maintenance system for Deb
ii  libc6            2.3.2.ds1-21            GNU C Library: Shared libraries an
ii  libcomerr2       1.37-2                  common error description library
ii  libkrb53         1.3.6-3                 MIT Kerberos runtime libraries
ii  libpam0g         0.76-22                 Pluggable Authentication Modules l
ii  libperl5.8       5.8.4-8                 Shared Perl library
ii  libpq3           7.4.7-5                 PostgreSQL C client library
ii  libreadline4     4.3-15                  GNU readline and history libraries
ii  libssl0.9.7      0.9.7e-3                SSL shared libraries
ii  mailx            1:8.1.2-0.20040524cvs-4 A simple mail user agent
ii  postgresql-clien 7.4.7-5                 front-end programs for PostgreSQL
ii  procps           1:3.2.5-1               /proc file system utilities
ii  python2.3        2.3.5-2                 An interactive high-level object-o
ii  ucf              1.18                    Update Configuration File: preserv
ii  zlib1g           1:1.2.2-4               compression library - runtime
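
An audit query for issue 2 above, added here as an example; it is not part of the bug report, the Secunia advisory or the PostgreSQL announcement. PostgreSQL's type-safety rule for the pseudo-type "internal" is that a function may be declared to return internal only if it also takes at least one internal argument, which keeps it from being called directly in an SQL command. The query assumes a server release that accepts `= ANY` on `proargtypes` (older 7.x servers may need a different expression); any row returned is a function that breaks the rule.

```sql
-- Added example: list functions declared to return "internal" that take
-- no "internal" argument. An empty result means no such misdeclaration
-- exists in the current database. Run it in each database where
-- contrib/tsearch2 has been installed.
SELECT n.nspname                     AS schema_name,
       p.proname                     AS function_name,
       oidvectortypes(p.proargtypes) AS argument_types,
       l.lanname                     AS language,
       p.probin                      AS library  -- shared library, for C-language functions
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_language  l ON l.oid = p.prolang
WHERE  p.prorettype = 'internal'::regtype
  AND  NOT ('internal'::regtype = ANY (p.proargtypes))
ORDER  BY n.nspname, p.proname;
```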

---------------------------------------
Received: (at 307663-done) by bugs.debian.org; 11 May 2005 05:52:39 +0000
Date: Tue, 10 May 2005 22:52:38 -0700
From: Steve Langasek <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: PostgreSQL Character Conversion and tsearch2 Module Vulnerabilities
Message-ID: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.6+20040907i

postgresql 7.4.7-6 is now in sarge, so I believe this bug is fixed.

Thanks,
-- 
Steve Langasek
postmodern programmer

