
openSUSE: 2013:0627-1 Important: Command-Line Security Fix for postgresql91

April 5, 2013
The latest update addresses significant vulnerabilities in postgresql91 for openSUSE, enhancing protection measures and ensuring data fidelity.
An update that fixes three vulnerabilities is now available

Description

postgresql was updated to version 9.1.9 (bnc#812525):

* CVE-2013-1899: Fix insecure parsing of server command-line switches. A connection request containing a database name that begins with "-" could be crafted to damage or destroy files within the server's data directory, even if the request is eventually rejected.

* CVE-2013-1900: Reset OpenSSL randomness state in each postmaster child process. This avoids a scenario wherein random numbers generated by "contrib/pgcrypto" functions might be relatively easy for another database user to guess. The risk is only significant when the postmaster is configured with ssl = on but most connections don't use SSL encryption.

* CVE-2013-1901: Make REPLICATION privilege checks test current user not authenticated user. An unprivileged database user could exploit this mistake to call pg_start_backup() or pg_stop_backup(), thus possibly interfering with creation of routine backups.

* See the...
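The CVE-2013-1900 item describes a general failure mode: a process seeds its random number generator once, then forks, and every child starts from the same inherited state, so values drawn in one child are predictable from another. The following added example (not PostgreSQL or OpenSSL code) models that with a Python PRNG standing in for the OpenSSL state and os.fork() standing in for the postmaster spawning a backend; with reseed=False the child's first draw equals the parent's next draw, with reseed=True (fresh entropy pulled in the child, the shape of the fix) it does not.

```python
"""Why the CVE-2013-1900 fix reseeds the RNG in every postmaster child.

Added example, not PostgreSQL or OpenSSL code: random.Random stands in for the
OpenSSL RNG state and os.fork() for the postmaster forking a backend. Linux/Unix only.
"""
import os
import random


def child_token(rng, reseed):
    """Fork a child that inherits `rng`, optionally reseed it there, and return
    the 64-bit value the child drew. The parent's `rng` is not advanced by the
    child, so the caller can compare the child's draw with the parent's own."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: identical PRNG state to the parent unless we reseed
        os.close(r)
        if reseed:
            rng.seed(os.urandom(32))  # per-child entropy, like the advisory's fix
        os.write(w, rng.getrandbits(64).to_bytes(8, "big"))
        os.close(w)
        os._exit(0)
    os.close(w)
    data = os.read(r, 8)
    os.close(r)
    os.waitpid(pid, 0)
    return int.from_bytes(data, "big")


def parent_and_child_agree(reseed):
    """True when the child's first random value equals the parent's next value,
    i.e. when the inherited state makes the child's output predictable."""
    rng = random.Random(os.urandom(16))  # seeded once, like a long-running daemon
    child_value = child_token(rng, reseed)
    parent_value = rng.getrandbits(64)   # same state the child started from
    return child_value == parent_value


if __name__ == "__main__":
    print("without reseed, child draw predictable:", parent_and_child_agree(False))
    print("with reseed, child draw predictable:   ", parent_and_child_agree(True))
```

Any second child forked from the same parent would draw that same first value, which is the "another database user" case in the advisory text: every backend shared one inherited RNG state until it was reseeded per child.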


Patch

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

- openSUSE 12.2:
  zypper in -t patch openSUSE-2013-307

- openSUSE 12.1:
  zypper in -t patch openSUSE-2013-307

To bring your system up-to-date, use "zypper patch".

Package List

- openSUSE 12.2 (i586 x86_64):
  libecpg6-9.1.9-20.1
  libecpg6-debuginfo-9.1.9-20.1
  libpq5-9.1.9-20.1
  libpq5-debuginfo-9.1.9-20.1
  postgresql91-9.1.9-20.1
  postgresql91-contrib-9.1.9-20.1
  postgresql91-contrib-debuginfo-9.1.9-20.1
  postgresql91-debuginfo-9.1.9-20.1
  postgresql91-debugsource-9.1.9-20.1
  postgresql91-devel-9.1.9-20.1
  postgresql91-devel-debuginfo-9.1.9-20.1
  postgresql91-libs-debugsource-9.1.9-20.1
  postgresql91-plperl-9.1.9-20.1
  postgresql91-plperl-debuginfo-9.1.9-20.1
  postgresql91-plpython-9.1.9-20.1
  postgresql91-plpython-debuginfo-9.1.9-20.1
  postgresql91-pltcl-9.1.9-20.1
  postgresql91-pltcl-debuginfo-9.1.9-20.1
  postgresql91-server-9.1.9-20.1
  postgresql91-server-debuginfo-9.1.9-20.1

- openSUSE 12.2 (x86_64):
  libecpg6-32bit-9.1.9-20.1
  libecpg6-debuginfo-32bit-9.1.9-20.1
  libpq5-32bit-9.1.9-20.1
  libpq5-debuginfo-32bit-9.1.9-20.1
  postgresql91-devel-32bit-9.1.9-20.1
  postgresql91-devel-debuginfo-32bit-9.1.9-20.1

- openSUSE 12.2 (noarch):
  postgresql91-docs-9.1.9-20.1

- openSUSE 12.1 (i586 x86_64):
  libecpg6-9.1.9-25.1
  li...
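After running the zypper command above, the practical follow-up is to confirm that the installed packages actually reached the fixed versions from the package list. The following added example (not SUSE tooling or part of the advisory) compares `rpm -q` output against the openSUSE 12.2 fixed versions using a simplified RPM version comparison; the `SAMPLE_RPM_OUTPUT` listing is constructed for the example, and a `--live` flag (an assumption of this script, not an rpm option) queries the real RPM database instead.

```python
"""Audit installed postgresql91 packages against openSUSE-SU-2013:0627-1.

Added example, not SUSE tooling. FIXED_12_2 holds versions from the advisory's
openSUSE 12.2 package list; SAMPLE_RPM_OUTPUT is a constructed stand-in for
`rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <pkgs>` on a partially patched host.
"""
import re
import subprocess
import sys

# Fixed VERSION-RELEASE per package, taken from the advisory (openSUSE 12.2).
FIXED_12_2 = {
    "postgresql91": "9.1.9-20.1",
    "postgresql91-server": "9.1.9-20.1",
    "postgresql91-contrib": "9.1.9-20.1",
    "libpq5": "9.1.9-20.1",
    "libecpg6": "9.1.9-20.1",
}

# Constructed sample output: server still on a made-up older build, contrib absent.
SAMPLE_RPM_OUTPUT = """\
postgresql91 9.1.9-20.1
postgresql91-server 9.1.8-3.1
libpq5 9.1.9-20.1
package postgresql91-contrib is not installed
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Simplified rpmvercmp: split into numeric/alphabetic segments, compare
    numerics as integers and alphabetics lexically, numeric beats alphabetic,
    and a longer string with an equal prefix is newer. Returns -1, 0 or 1.
    Tilde/caret special cases of real rpmvercmp are omitted."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def evr_cmp(a, b):
    """Compare 'VERSION-RELEASE' strings: version first, then release."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_rpm_output(text):
    """Map package name -> installed 'VERSION-RELEASE'; skip 'not installed' lines."""
    installed = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("package "):
            continue
        name, evr = line.split()
        installed[name] = evr
    return installed


def audit(installed, fixed):
    """Return {package: 'ok' | 'vulnerable' | 'not installed'} for each fixed package."""
    report = {}
    for name, fixed_evr in fixed.items():
        cur = installed.get(name)
        if cur is None:
            report[name] = "not installed"
        elif evr_cmp(cur, fixed_evr) < 0:
            report[name] = "vulnerable"
        else:
            report[name] = "ok"
    return report


def live_rpm_output(names):
    """Query the real RPM database (only used with the hypothetical --live flag)."""
    cmd = ["rpm", "-q", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n", *names]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


if __name__ == "__main__":
    text = live_rpm_output(FIXED_12_2) if "--live" in sys.argv else SAMPLE_RPM_OUTPUT
    for pkg, status in audit(parse_rpm_output(text), FIXED_12_2).items():
        print(f"{pkg:24} {status}")
```

Packages reported as "not installed" are not exposed by this advisory; "vulnerable" means the installed build sorts below the fixed one and the host still needs the patch (or a reboot/restart of the postmaster if the package was updated but the running server predates it).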


References

https://www.suse.com/security/cve/CVE-2013-1899.html

https://www.suse.com/security/cve/CVE-2013-1900.html

https://www.suse.com/security/cve/CVE-2013-1901.html

Severity: important

Announcement ID: openSUSE-SU-2013:0627-1
Rating: important
Affected Products: openSUSE 12.2, openSUSE 12.1
