Säkerhetsbulletin från Debian

DSA-1087-1 postgresql -- programmeringsfel

Rapporterat den:

2006-06-03

Berörda paket:

postgresql

Sårbara:

Referenser i säkerhetsdatabaser:

I Mitres CVE-förteckning: CVE-2006-2313, CVE-2006-2314.

Ytterligare information:

Flera teckenkodningsproblem har upptäckts i PostgreSQL, en populär SQL-databas. Projektet Common Vulnerabilities and Exposures identifierar följande problem:

CVE-2006-2313
Akio Ishida och Yasuo Ohgaki upptäckte en sårbarhet i hanteringen av felaktigt kodat flerbytestextdata vilket kunde göra det möjligt för en angripare att injicera godtyckliga SQL-kommandon.
CVE-2006-2314
Ett liknande problem finns i klientsideteckenkodningar (såsom SJIS, BIG5, GBK, GB18030 och UHC) som innehåller giltiga flerbytestecken som avslutas med koden för ett omvänt snedstreck. En angripare kunde sända en specialskriven bytesekvens som kunde exekvera godtyckliga SQL-kommandon.

Detta problem berör dig inte om du endast använder enkelbyte- (t.ex SQL_ASCII eller ISO-8859-X-familjen) eller ej påverkade flerbytekodningar (såsom UTF-8).

psycopg och python-pgsql använder den gamla kodningen för binärdata och kan även komma att behöva uppdateras.

Den gamla stabila utgåvan (Woody) påverkas av dessa problem men vi kan inte rätta paketet.

För den stabila utgåvan (Sarge) har dessa problem rättats i version 7.4.7-6sarge2.

För den instabila utgåvan (Sid) har dessa problem rättats i version 7.4.13-1.

Vi rekommenderar att ni uppgraderar era postgresql-paket.

Rättat i:

Debian GNU/Linux 3.1 (sarge)

Källkod:: http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7-6sarge2.dsc; http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7-6sarge2.diff.gz; http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7.orig.tar.gz
Arkitekturoberoende komponent:: http://security.debian.org/pool/updates/main/p/postgresql/postgresql-doc_7.4.7-6sarge2_all.deb
Alpha:: http://security.debian.org/pool/updates/main/p/postgresql/libecpg-dev_7.4.7-6sarge2_alpha.deb; http://security.debian.org/pool/updates/main/p/postgresql/libecpg4_7.4.7-6sarge2_alpha.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl_7.4.7-6sarge2_alpha.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl-dev_7.4.7-6sarge2_alpha.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpq3_7.4.7-6sarge2_alpha.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7-6sarge2_alpha.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-client_7.4.7-6sarge2_alpha.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-contrib_7.4.7-6sarge2_alpha.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-dev_7.4.7-6sarge2_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/p/postgresql/libecpg-dev_7.4.7-6sarge2_amd64.deb; http://security.debian.org/pool/updates/main/p/postgresql/libecpg4_7.4.7-6sarge2_amd64.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl_7.4.7-6sarge2_amd64.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl-dev_7.4.7-6sarge2_amd64.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpq3_7.4.7-6sarge2_amd64.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7-6sarge2_amd64.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-client_7.4.7-6sarge2_amd64.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-contrib_7.4.7-6sarge2_amd64.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-dev_7.4.7-6sarge2_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/p/postgresql/libecpg-dev_7.4.7-6sarge2_arm.deb; http://security.debian.org/pool/updates/main/p/postgresql/libecpg4_7.4.7-6sarge2_arm.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl_7.4.7-6sarge2_arm.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl-dev_7.4.7-6sarge2_arm.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpq3_7.4.7-6sarge2_arm.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7-6sarge2_arm.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-client_7.4.7-6sarge2_arm.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-contrib_7.4.7-6sarge2_arm.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-dev_7.4.7-6sarge2_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/p/postgresql/libecpg-dev_7.4.7-6sarge2_i386.deb; http://security.debian.org/pool/updates/main/p/postgresql/libecpg4_7.4.7-6sarge2_i386.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl_7.4.7-6sarge2_i386.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl-dev_7.4.7-6sarge2_i386.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpq3_7.4.7-6sarge2_i386.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7-6sarge2_i386.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-client_7.4.7-6sarge2_i386.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-contrib_7.4.7-6sarge2_i386.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-dev_7.4.7-6sarge2_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/p/postgresql/libecpg-dev_7.4.7-6sarge2_ia64.deb; http://security.debian.org/pool/updates/main/p/postgresql/libecpg4_7.4.7-6sarge2_ia64.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl_7.4.7-6sarge2_ia64.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl-dev_7.4.7-6sarge2_ia64.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpq3_7.4.7-6sarge2_ia64.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7-6sarge2_ia64.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-client_7.4.7-6sarge2_ia64.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-contrib_7.4.7-6sarge2_ia64.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-dev_7.4.7-6sarge2_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/p/postgresql/libecpg-dev_7.4.7-6sarge2_hppa.deb; http://security.debian.org/pool/updates/main/p/postgresql/libecpg4_7.4.7-6sarge2_hppa.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl_7.4.7-6sarge2_hppa.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl-dev_7.4.7-6sarge2_hppa.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpq3_7.4.7-6sarge2_hppa.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7-6sarge2_hppa.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-client_7.4.7-6sarge2_hppa.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-contrib_7.4.7-6sarge2_hppa.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-dev_7.4.7-6sarge2_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/p/postgresql/libecpg-dev_7.4.7-6sarge2_m68k.deb; http://security.debian.org/pool/updates/main/p/postgresql/libecpg4_7.4.7-6sarge2_m68k.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl_7.4.7-6sarge2_m68k.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl-dev_7.4.7-6sarge2_m68k.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpq3_7.4.7-6sarge2_m68k.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7-6sarge2_m68k.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-client_7.4.7-6sarge2_m68k.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-contrib_7.4.7-6sarge2_m68k.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-dev_7.4.7-6sarge2_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/p/postgresql/libecpg-dev_7.4.7-6sarge2_mips.deb; http://security.debian.org/pool/updates/main/p/postgresql/libecpg4_7.4.7-6sarge2_mips.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl_7.4.7-6sarge2_mips.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl-dev_7.4.7-6sarge2_mips.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpq3_7.4.7-6sarge2_mips.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7-6sarge2_mips.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-client_7.4.7-6sarge2_mips.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-contrib_7.4.7-6sarge2_mips.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-dev_7.4.7-6sarge2_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/p/postgresql/libecpg-dev_7.4.7-6sarge2_mipsel.deb; http://security.debian.org/pool/updates/main/p/postgresql/libecpg4_7.4.7-6sarge2_mipsel.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl_7.4.7-6sarge2_mipsel.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl-dev_7.4.7-6sarge2_mipsel.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpq3_7.4.7-6sarge2_mipsel.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7-6sarge2_mipsel.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-client_7.4.7-6sarge2_mipsel.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-contrib_7.4.7-6sarge2_mipsel.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-dev_7.4.7-6sarge2_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/p/postgresql/libecpg-dev_7.4.7-6sarge2_powerpc.deb; http://security.debian.org/pool/updates/main/p/postgresql/libecpg4_7.4.7-6sarge2_powerpc.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl_7.4.7-6sarge2_powerpc.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl-dev_7.4.7-6sarge2_powerpc.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpq3_7.4.7-6sarge2_powerpc.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7-6sarge2_powerpc.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-client_7.4.7-6sarge2_powerpc.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-contrib_7.4.7-6sarge2_powerpc.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-dev_7.4.7-6sarge2_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/p/postgresql/libecpg-dev_7.4.7-6sarge2_s390.deb; http://security.debian.org/pool/updates/main/p/postgresql/libecpg4_7.4.7-6sarge2_s390.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl_7.4.7-6sarge2_s390.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl-dev_7.4.7-6sarge2_s390.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpq3_7.4.7-6sarge2_s390.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7-6sarge2_s390.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-client_7.4.7-6sarge2_s390.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-contrib_7.4.7-6sarge2_s390.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-dev_7.4.7-6sarge2_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/p/postgresql/libecpg-dev_7.4.7-6sarge2_sparc.deb; http://security.debian.org/pool/updates/main/p/postgresql/libecpg4_7.4.7-6sarge2_sparc.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl_7.4.7-6sarge2_sparc.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl-dev_7.4.7-6sarge2_sparc.deb; http://security.debian.org/pool/updates/main/p/postgresql/libpq3_7.4.7-6sarge2_sparc.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7-6sarge2_sparc.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-client_7.4.7-6sarge2_sparc.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-contrib_7.4.7-6sarge2_sparc.deb; http://security.debian.org/pool/updates/main/p/postgresql/postgresql-dev_7.4.7-6sarge2_sparc.deb

MD5-kontrollsummor för dessa filer finns i originalbulletinen.