
openSUSE 11.4: 2013:0635-1 Important: PostgreSQL Security Update

openSUSE
April 8, 2013
Important openSUSE update for PostgreSQL: addresses three security vulnerabilities, fixed in version 9.0.13.
An update that fixes three vulnerabilities is now available.

Description

PostgreSQL was updated to version 9.0.13 (bnc#812525):

* CVE-2013-1899: Fix insecure parsing of server command-line switches. A connection request containing a database name that begins with "-" could be crafted to damage or destroy files within the server's data directory, even if the request is eventually rejected.

* CVE-2013-1900: Reset OpenSSL randomness state in each postmaster child process. This avoids a scenario wherein random numbers generated by "contrib/pgcrypto" functions might be relatively easy for another database user to guess. The risk is only significant when the postmaster is configured with ssl = on but most connections don't use SSL encryption.

* CVE-2013-1901: Make REPLICATION privilege checks test the current user, not the authenticated user. An unprivileged database user could exploit this mistake to call pg_start_backup() or pg_stop_backup(), thus possibly interfering with the creation of routine backups.

* See the...


Patch

Patch Instructions:

To install this openSUSE Security Update, use YaST online_update.

Alternatively you can run the command listed for your product:

- openSUSE 11.4:

zypper in -t patch 2013-59

To bring your system up-to-date, use "zypper patch".

Package List

- openSUSE 11.4 (i586 x86_64):

libecpg6-9.0.13-31.1

libecpg6-debuginfo-9.0.13-31.1

libpq5-9.0.13-31.1

libpq5-debuginfo-9.0.13-31.1

postgresql-9.0.13-31.1

postgresql-contrib-9.0.13-31.1

postgresql-contrib-debuginfo-9.0.13-31.1

postgresql-debuginfo-9.0.13-31.1

postgresql-debugsource-9.0.13-31.1

postgresql-devel-9.0.13-31.1

postgresql-devel-debuginfo-9.0.13-31.1

postgresql-libs-debugsource-9.0.13-31.1

postgresql-plperl-9.0.13-31.1

postgresql-plperl-debuginfo-9.0.13-31.1

postgresql-plpython-9.0.13-31.1

postgresql-plpython-debuginfo-9.0.13-31.1

postgresql-pltcl-9.0.13-31.1

postgresql-pltcl-debuginfo-9.0.13-31.1

postgresql-server-9.0.13-31.1

postgresql-server-debuginfo-9.0.13-31.1

- openSUSE 11.4 (x86_64):

libpq5-32bit-9.0.13-31.1

libpq5-debuginfo-32bit-9.0.13-31.1

- openSUSE 11.4 (noarch):

postgresql-docs-9.0.13-31.1

- openSUSE 11.4 (ia64):

libpq5-debuginfo-x86-9.0.13-31.1

libpq5-x86-9.0.13-31.1
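The package list above gives the fixed version-release for openSUSE 11.4 as 9.0.13-31.1. The following script is an added example, not part of the openSUSE advisory, that checks whether the PostgreSQL 9.0 packages installed on a host are at or above that version-release, and prints the zypper command from the patch instructions when they are not. It assumes a standard rpm query format (`%{VERSION}-%{RELEASE}`); the version compare is a simplified numeric one that is sufficient for the versions in this advisory, and the fallback value used when rpm is absent is a constructed sample, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the openSUSE advisory): verify that the installed
# PostgreSQL 9.0 packages on openSUSE 11.4 are at or above the fixed
# version-release listed in openSUSE-SU-2013:0635-1.

FIXED_VERSION="9.0.13-31.1"   # from the advisory's openSUSE 11.4 package list

# vercmp A B: compare two "version-release" strings component by component,
# treating '.' and '-' as separators and each component as an integer.
# Prints -1 if A < B, 0 if equal, 1 if A > B. Simplified: numeric components
# only, which is all the versions in this advisory need (not full rpmvercmp).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# pg_is_patched VERSION-RELEASE: exit 0 when the given installed
# version-release is at least FIXED_VERSION, non-zero otherwise.
pg_is_patched() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -ge 0 ]
}

# report_package NAME VERSION-RELEASE: one human-readable status line,
# quoting the patch command from the advisory when the package is behind.
report_package() {
    if pg_is_patched "$2"; then
        printf '%s-%s: OK (>= %s)\n' "$1" "$2" "$FIXED_VERSION"
    else
        printf '%s-%s: VULNERABLE, update to %s (zypper in -t patch 2013-59)\n' \
            "$1" "$2" "$FIXED_VERSION"
    fi
}

# check_installed: query rpm for the server-side packages from the advisory's
# list. When rpm is not available (e.g. running this offline on a non-RPM
# host), a constructed sample version is used instead so the logic still runs.
check_installed() {
    for pkg in postgresql-server postgresql postgresql-contrib libpq5; do
        if command -v rpm >/dev/null 2>&1; then
            vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$pkg" 2>/dev/null) || {
                printf '%s: not installed\n' "$pkg"
                continue
            }
        else
            vr="9.0.12-2.1"   # constructed sample value, not from a real host
        fi
        report_package "$pkg" "$vr"
    done
}

check_installed
```

The fixed version-release applies only to the 9.0 packages shipped for openSUSE 11.4; other products and PostgreSQL branches receive different fixed versions, so adjust FIXED_VERSION from the relevant advisory before reusing the check elsewhere.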

References

https://www.suse.com/security/cve/CVE-2013-1899.html

https://www.suse.com/security/cve/CVE-2013-1900.html

https://www.suse.com/security/cve/CVE-2013-1901.html

Severity
important

Announcement ID: openSUSE-SU-2013:0635-1
Rating: important
Affected Products: openSUSE 11.4.
