LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Mageia alert MGASA-2012-0242 (postgresql)



From:
    	      Mageia Updates <buildsystem-daemon@mageia.org> 


To:
    	      updates-announce@ml.mageia.org 


Subject:
    	      [updates-announce] MGASA-2012-0242: postgresql8.4-8.4.13-1.mga (1,
 2/core), postgresql9.0-9.0.9-1.mga (1, 2/core), postgresql9.1-9.1.5-1.mga2
 (2/core) 


Date:
    	      Sun, 26 Aug 2012 23:57:15 +0200


Message-ID:
    	      <20120826215715.GA27944@valstar.mageia.org>


Archive-link:
    	      Article, Thread
              


MGASA-2012-0242
Date: 	August 26th, 2012
Affected releases: 	1, 2


Description:
Latest version of postgresql, including fixes for CVE-2012-3488 and
CVE-2012-3489

The Postgresql team provide a new version of postgresql server fixing
various bugs and multiple vulnaribilty.

Prevent access to external files/URLs via contrib/xml2's xslt_process()
(Peter Eisentraut). libxslt offers the ability to read and write both
files and URLs through stylesheet commands, thus allowing unprivileged
database users to both read and write data with the privileges of the
database server. Disable that through proper use of libxslt's security
options (CVE-2012-3488). Also, remove xslt_process()'s ability to
fetch documents and stylesheets from external files/URLs. While this
was a documented feature, it was long regarded as a bad idea. The
fix for CVE-2012-3489 broke that capability, and rather than expend
effort on trying to fix it, we're just going to summarily remove it.

Prevent access to external files/URLs via XML entity references (Noah
Misch, Tom Lane). xml_parse() would attempt to fetch external files or
URLs as needed to resolve DTD and entity references in an XML value,
thus allowing unprivileged database users to attempt to fetch data
with the privileges of the database server. While the external data
wouldn't get returned directly to the user, portions of it could
be exposed in error messages if the data didn't parse as valid XML;
and in any case the mere ability to check existence of a file might
be useful to an attacker (CVE-2012-3489).


Updated Packages:
Mageia 1:
postgresql8.4-8.4.13-1.mga1
postgresql8.4-contrib-8.4.13-1.mga1
postgresql8.4-devel-8.4.13-1.mga1
postgresql8.4-docs-8.4.13-1.mga1
postgresql8.4-pl-8.4.13-1.mga1
postgresql8.4-plperl-8.4.13-1.mga1
postgresql8.4-plpgsql-8.4.13-1.mga1
postgresql8.4-plpython-8.4.13-1.mga1
postgresql8.4-pltcl-8.4.13-1.mga1
postgresql8.4-server-8.4.13-1.mga1
lib(64)pq8.4_5-8.4.13-1.mga1
libe(64)cpg8.4_6-8.4.13-1.mga1
postgresql9.0-9.0.9-1.mga1
postgresql9.0-contrib-9.0.9-1.mga1
postgresql9.0-devel-9.0.9-1.mga1
postgresql9.0-docs-9.0.9-1.mga1
postgresql9.0-pl-9.0.9-1.mga1
postgresql9.0-plperl-9.0.9-1.mga1
postgresql9.0-plpgsql-9.0.9-1.mga1
postgresql9.0-plpython-9.0.9-1.mga1
postgresql9.0-pltcl-9.0.9-1.mga1
postgresql9.0-server-9.0.9-1.mga1
lib(64)ecpg9.0_6-9.0.9-1.mga1
lib(64)pq9.0_5-9.0.9-1.mga1

Mageia 2:
postgresql8.4-8.4.13-1.mga2
postgresql8.4-contrib-8.4.13-1.mga2
postgresql8.4-devel-8.4.13-1.mga2
postgresql8.4-docs-8.4.13-1.mga2
postgresql8.4-pl-8.4.13-1.mga2
postgresql8.4-plperl-8.4.13-1.mga2
postgresql8.4-plpgsql-8.4.13-1.mga2
postgresql8.4-plpython-8.4.13-1.mga2
postgresql8.4-pltcl-8.4.13-1.mga2
postgresql8.4-server-8.4.13-1.mga2
lib(64)ecpg8.4_6-8.4.13-1.mga2
lib(64)pq8.4_5-8.4.13-1.mga2
postgresql9.0-9.0.9-1.mga2
postgresql9.0-contrib-9.0.9-1.mga2
postgresql9.0-devel-9.0.9-1.mga2
postgresql9.0-docs-9.0.9-1.mga2
postgresql9.0-pl-9.0.9-1.mga2
postgresql9.0-plperl-9.0.9-1.mga2
postgresql9.0-plpgsql-9.0.9-1.mga2
postgresql9.0-pltcl-9.0.9-1.mga2
postgresql9.0-plpython-9.0.9-1.mga2
postgresql9.0-server-9.0.9-1.mga2
lib(64)ecpg9.0_6-9.0.9-1.mga2
lib(64)pq9.0_5-9.0.9-1.mga2
postgresql9.1-9.1.5-1.mga2
postgresql9.1-contrib-9.1.5-1.mga2
postgresql9.1-devel-9.1.5-1.mga2
postgresql9.1-docs-9.1.5-1.mga2
postgresql9.1-pl-9.1.5-1.mga2
postgresql9.1-plperl-9.1.5-1.mga2
postgresql9.1-plpgsql-9.1.5-1.mga2
postgresql9.1-pltcl-9.1.5-1.mga2
postgresql9.1-plpython-9.1.5-1.mga2
postgresql9.1-server-9.1.5-1.mga2
lib(64)ecpg9.1_6-9.1.5-1.mga2
lib(64)pq9.1_5-9.1.5-1.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3489
http://www.postgresql.org/docs/8.4/static/release-8-4-13....
http://www.postgresql.org/docs/9.0/static/release-9-0-9.html
http://www.postgresql.org/docs/9.1/static/release-9-1-5.html
http://www.postgresql.org/about/news/1407/
http://www.mandriva.com/en/support/security/advisories/?d...
https://bugs.mageia.org/show_bug.cgi?id=7121
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds