--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2009-29
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------
Original release date: 20 Oct 2009
Last revised: 20 Oct 2009
Package: postgresql
Summary: Three vulnerabilities discovered in postgresql
More information:
PostgreSQL is an advanced Object-Relational database management system
(DBMS) that supports almost all SQL constructs.

The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8,
and 8.2 before 8.2.14 allows remote authenticated users to cause a denial of
service (backend shutdown) by "re-LOAD-ing" libraries from a certain plugins
directory. (CVE-2009-3229)

The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8,
8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and 7.4 before 7.4.26
does not use the appropriate privileges for the (1) RESET ROLE and (2) RESET
SESSION AUTHORIZATION operations, which allows remote authenticated users to
gain privileges.
NOTE: this is due to an incomplete fix for CVE-2007-6600. (CVE-2009-3230)

The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14,
when using LDAP authentication with anonymous binds, allows remote attackers to
bypass authentication via an empty password. (CVE-2009-3231)
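
The following exposure check is an added example, not part of the Turbolinux advisory or of PostgreSQL. It maps a server version to the CVEs described above and reports CVE-2009-3231 only when pg_hba.conf has an `ldap` rule. The function names, the sample pg_hba.conf and the pre-9.1 record layout (CIDR or IP plus mask addresses) are assumptions.

```python
import shlex

# First fixed patch level per release branch, taken from the advisory text above.
FIXED = {
    "CVE-2009-3229": {(8, 4): 1, (8, 3): 8, (8, 2): 14},
    "CVE-2009-3230": {(8, 4): 1, (8, 3): 8, (8, 2): 14,
                      (8, 1): 18, (8, 0): 22, (7, 4): 26},
    "CVE-2009-3231": {(8, 3): 8, (8, 2): 14},
}

# Constructed sample pg_hba.conf for illustration; not taken from the advisory.
SAMPLE_HBA = """
# TYPE  DATABASE  USER  ADDRESS                      METHOD
local   all       all                                ident sameuser
host    all       all   10.0.0.0/8                   ldap "ldap://ldap.example.net/dc=example,dc=net;uid="
host    all       all   127.0.0.1  255.255.255.255   md5
"""


def ldap_rules(hba_text):
    """Return the pg_hba.conf records whose authentication method is 'ldap'."""
    hits = []
    for raw in hba_text.splitlines():
        fields = shlex.split(raw, comments=True)  # honours quotes and '#' comments
        if len(fields) < 4:
            continue  # blank line, comment, or malformed record
        if fields[0] == "local":
            idx = 3   # local  db user METHOD
        elif "/" in fields[3]:
            idx = 4   # host   db user CIDR METHOD
        else:
            idx = 5   # host   db user IP MASK METHOD
        if len(fields) > idx and fields[idx] == "ldap":
            hits.append(raw.strip())
    return hits


def applicable_cves(version, hba_text=""):
    """List the advisory's CVEs that apply to e.g. '8.2.13' with this pg_hba.conf."""
    major, minor, patch = (int(p) for p in version.strip().split(".")[:3])
    found = []
    for cve, fixed in sorted(FIXED.items()):
        first_fixed = fixed.get((major, minor))
        if first_fixed is None or patch >= first_fixed:
            continue  # branch not listed for this CVE, or already patched
        # Conservative: an ldap rule is flagged even though the directory's
        # anonymous-bind policy cannot be seen from pg_hba.conf.
        if cve == "CVE-2009-3231" and not ldap_rules(hba_text):
            continue
        found.append(cve)
    return found
```

An `ldap` rule on an affected version still needs a check on the directory side, since the advisory's condition is that the LDAP server accepts anonymous binds.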
Affected Products:
- Turbolinux Client 2008
- Turbolinux Appliance Server 3.0 x64 Edition
- Turbolinux Appliance Server 3.0
- Turbolinux 11 Server x64 Edition
- Turbolinux 11 Server
- Turbolinux Appliance Server 2.0
- Turbolinux FUJI
- Turbolinux 10 Server x64 Edition
- Turbolinux 10 Server
<Turbolinux Client 2008>
Source Packages
Size: MD5
http://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Client/12/turbolinux-source/postgresql-8.2.14-1.src.rpm
18891138 270ea83ceb202c76afee628e1282320f
Binary Packages
Size: MD5
http://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Client/12/turbolinux-updates/postgresql-8.2.14-1.i586.rpm
3211830 897db981584f9405c7944705e5a03876
http://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Client/12/turbolinux-updates/postgresql-devel-8.2.14-1.i586.rpm
1285462 913e886cb1e7bd99355f954e56721241
http://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Client/12/turbolinux-updates/postgresql-libs-8.2.14-1.i586.rpm
214542 10cec294c1717e67724c056ee585db35
<Turbolinux Appliance Server 3.0 x64 Edition>
Source Packages
Size: MD5
postgresql-8.2.14-1.src.rpm
18976960 cbd8bf0d2944a07237ae0cb9f1d2ed7c
Binary Packages
Size: MD5
postgresql-8.2.14-1.x86_64.rpm
3858969 66422d3c62109c2a41f1200f5a2cb0b2
postgresql-contrib-8.2.14-1.x86_64.rpm
1453571 8c1fe20abe6b93c38a4cb25b4dd62b27
postgresql-devel-8.2.14-1.x86_64.rpm
1426693 044d87ea303ca6b8f9a034de8fcdbf22
postgresql-libs-8.2.14-1.x86_64.rpm
450999 17bd4998fb42a71ad5ae9817c33fa35a
postgresql-plperl-8.2.14-1.x86_64.rpm
747573 ab07a1894bb95435e1bb88ff99a6eac0
postgresql-plpython-8.2.14-1.x86_64.rpm
82501 80859f5ca6d62d9c16c35ec613dfaf07
postgresql-python-8.2.14-1.x86_64.rpm
105945 2c3ced0b9a75611cff776572369b5704
postgresql-server-8.2.14-1.x86_64.rpm
7915329 47f561d69511b45171379f2cbb8d4f8b
postgresql-test-8.2.14-1.x86_64.rpm
1257635 3c0b722765261ef8fc34fbe98d702f98
<Turbolinux Appliance Server 3.0>
Source Packages
Size: MD5
postgresql-8.2.14-1.src.rpm
18976960 cbd8bf0d2944a07237ae0cb9f1d2ed7c
Binary Packages
Size: MD5
postgresql-8.2.14-1.i686.rpm
3241334 da13633e24ffe5592955444cfeb161d1
postgresql-contrib-8.2.14-1.i686.rpm
501568 5fbc1680e21d5b5a559b61ed1228142a
postgresql-devel-8.2.14-1.i686.rpm
1276414 1265e5ba154e7fa5f3f48ee3e753d02b
postgresql-libs-8.2.14-1.i686.rpm
201858 2aa409697f0fee1ebf81225b9f46cad1
postgresql-plperl-8.2.14-1.i686.rpm
607525 18a37725aef0672dbd383da807e97a40
postgresql-plpython-8.2.14-1.i686.rpm
41254 118a4f2330e59916f2e3e465f775f101
postgresql-python-8.2.14-1.i686.rpm
76130 d0bdb905260e78f3f120c6beaaa18665
postgresql-server-8.2.14-1.i686.rpm
4273483 68dfd84b8f0e6355d6e59338160325fa
postgresql-test-8.2.14-1.i686.rpm
1230716 efa53017b1410de9d787520349b03c0f
<Turbolinux 11 Server x64 Edition>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/11/updates/SRPMS/postgresql-8.2.14-1.src.rpm
18976960 cbd8bf0d2944a07237ae0cb9f1d2ed7c
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/11/updates/SRPMS/postgresql-libs-32bit-8.2.14-1.src.rpm
190595 b7c57d0e9df98fbfefddfd0703c10b55
Binary Packages
Size: MD5
postgresql-8.2.14-1.x86_64.rpm
3858969 66422d3c62109c2a41f1200f5a2cb0b2
postgresql-contrib-8.2.14-1.x86_64.rpm
1453571 8c1fe20abe6b93c38a4cb25b4dd62b27
postgresql-devel-8.2.14-1.x86_64.rpm
1426693 044d87ea303ca6b8f9a034de8fcdbf22
postgresql-libs-32bit-8.2.14-1.x86_64.rpm
118415 b29ce827549f3a71841bcdda8d12079b
postgresql-libs-8.2.14-1.x86_64.rpm
450999 17bd4998fb42a71ad5ae9817c33fa35a
postgresql-plperl-8.2.14-1.x86_64.rpm
747573 ab07a1894bb95435e1bb88ff99a6eac0
postgresql-plpython-8.2.14-1.x86_64.rpm
82501 80859f5ca6d62d9c16c35ec613dfaf07
postgresql-python-8.2.14-1.x86_64.rpm
105945 2c3ced0b9a75611cff776572369b5704
postgresql-server-8.2.14-1.x86_64.rpm
7915329 47f561d69511b45171379f2cbb8d4f8b
postgresql-test-8.2.14-1.x86_64.rpm
1257635 3c0b722765261ef8fc34fbe98d702f98
<Turbolinux 11 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/11/updates/SRPMS/postgresql-8.2.14-1.src.rpm
18976960 cbd8bf0d2944a07237ae0cb9f1d2ed7c
Binary Packages
Size: MD5
postgresql-8.2.14-1.i686.rpm
3241334 da13633e24ffe5592955444cfeb161d1
postgresql-contrib-8.2.14-1.i686.rpm
501568 5fbc1680e21d5b5a559b61ed1228142a
postgresql-devel-8.2.14-1.i686.rpm
1276414 1265e5ba154e7fa5f3f48ee3e753d02b
postgresql-libs-8.2.14-1.i686.rpm
201858 2aa409697f0fee1ebf81225b9f46cad1
postgresql-plperl-8.2.14-1.i686.rpm
607525 18a37725aef0672dbd383da807e97a40
postgresql-plpython-8.2.14-1.i686.rpm
41254 118a4f2330e59916f2e3e465f775f101
postgresql-python-8.2.14-1.i686.rpm
76130 d0bdb905260e78f3f120c6beaaa18665
postgresql-server-8.2.14-1.i686.rpm
4273483 68dfd84b8f0e6355d6e59338160325fa
postgresql-test-8.2.14-1.i686.rpm
1230716 efa53017b1410de9d787520349b03c0f
<Turbolinux Appliance Server 2.0>
Source Packages
Size: MD5
postgresql-7.4.26-1.src.rpm
12408010 1f0c4f115c7091dcfcdc705b67b988d1
Binary Packages
Size: MD5
postgresql-7.4.26-1.i586.rpm
1364152 10da5e01b5b14ac1c83ae5291a379750
postgresql-contrib-7.4.26-1.i586.rpm
4087360 5c7883684f8a23525d31f6dd64dd86f4
postgresql-devel-7.4.26-1.i586.rpm
862207 8635a0b75bd3611c78c286c1ede693de
postgresql-jdbc-7.4.26-1.i586.rpm
696415 53ce655a61d4673f7c7e4bc5848cc25c
postgresql-libs-7.4.26-1.i586.rpm
124009 81ae18510e93f2b037609657d5070f25
postgresql-odbc-7.4.26-1.i586.rpm
138412 004434bdb90b92eeef147ab2ee416157
postgresql-perl-7.4.26-1.i586.rpm
611569 2a3a8fbba0053482073fc6b90a745af7
postgresql-python-7.4.26-1.i586.rpm
414883 fb258d526e6dde169d6db5d95a5fc77b
postgresql-server-7.4.26-1.i586.rpm
2453214 015493d43302cb94a1c57b75b2ef81c5
postgresql-tcl-7.4.26-1.i586.rpm
53214 e4cee58d409115123ee27856edb1b6c7
postgresql-tk-7.4.26-1.i586.rpm
24544 25cef7f386fc829cfcc297d2fb7b5345
<Turbolinux FUJI>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/11/updates/SRPMS/postgresql-8.0.22-1.src.rpm
13413152 05cfeb5de01807e3abc45180741534ee
Binary Packages
Size: MD5
postgresql-libs-8.0.22-1.i686.rpm
2605275 eb8fba048396011b3232d108463f10f9
<Turbolinux 10 Server x64 Edition>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/SRPMS/postgresql-8.0.22-1.src.rpm
13423176 e4b10e656636c33c6e24c6ef21d1e56e
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/SRPMS/postgresql-libs-32bit-8.0.22-1.src.rpm
2544441 19b8ad7436cfc4f2c452890b220dd7c8
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/postgresql-8.0.22-1.x86_64.rpm
631203 f99b7e629de881f78daaa3dda7580323
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/postgresql-contrib-8.0.22-1.x86_64.rpm
4504428 99647ef94cc85afdea4e71fa08661786
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/postgresql-devel-8.0.22-1.x86_64.rpm
678894 11a4dc77f8f0b9a51e0cf26f8e19495a
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/postgresql-docs-8.0.22-1.x86_64.rpm
1268429 0ef93b763fdd90f3ff66c93f64f9e1c8
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/postgresql-jdbc-8.0.22-1.x86_64.rpm
870227 0fff80e06ce78168d0eb89fb73dabb35
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/postgresql-libs-32bit-8.0.22-1.x86_64.rpm
2677348 f6f1ceb8b3dd8356afbda34242490260
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/postgresql-libs-8.0.22-1.x86_64.rpm
2827926 04e6f747e8081da2bdd9710c575128ab
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/postgresql-odbc-8.0.22-1.x86_64.rpm
171243 ce0a35a4b375904dcc44acc68d03c9b9
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/postgresql-perl-8.0.22-1.x86_64.rpm
625603 d97dc623fcc780c420ef687f6e49464e
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/postgresql-python-8.0.22-1.x86_64.rpm
469950 7081c545a35c5164ae0efc80b8188136
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/postgresql-server-8.0.22-1.x86_64.rpm
2924986 05a0c58c67b2cfa298474496ddeb8da0
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/postgresql-tcl-8.0.22-1.x86_64.rpm
40019 6f5a7eb1078dc68334f65b1c21cc87b4
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/postgresql-test-8.0.22-1.x86_64.rpm
1003777 7de9ffc5b429f8f3083276fd1f4a87b7
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/postgresql-tk-8.0.22-1.x86_64.rpm
20930 7e8f01fafe304dc66715e3deeb5794e1
<Turbolinux 10 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/postgresql-7.4.26-1.src.rpm
12408010 1f0c4f115c7091dcfcdc705b67b988d1
Binary Packages
Size: MD5
postgresql-7.4.26-1.i586.rpm
1364152 10da5e01b5b14ac1c83ae5291a379750
postgresql-contrib-7.4.26-1.i586.rpm
4087360 5c7883684f8a23525d31f6dd64dd86f4
postgresql-docs-7.4.26-1.i586.rpm
1114860 177b1bf4cb9d53ff00e3ae75797fe608
postgresql-devel-7.4.26-1.i586.rpm
862207 8635a0b75bd3611c78c286c1ede693de
postgresql-jdbc-7.4.26-1.i586.rpm
696415 53ce655a61d4673f7c7e4bc5848cc25c
postgresql-libs-7.4.26-1.i586.rpm
124009 81ae18510e93f2b037609657d5070f25
postgresql-odbc-7.4.26-1.i586.rpm
138412 004434bdb90b92eeef147ab2ee416157
postgresql-perl-7.4.26-1.i586.rpm
611569 2a3a8fbba0053482073fc6b90a745af7
postgresql-python-7.4.26-1.i586.rpm
414883 fb258d526e6dde169d6db5d95a5fc77b
postgresql-server-7.4.26-1.i586.rpm
2453214 015493d43302cb94a1c57b75b2ef81c5
postgresql-tcl-7.4.26-1.i586.rpm
53214 e4cee58d409115123ee27856edb1b6c7
postgresql-test-7.4.26-1.i586.rpm
928431 f26416ca6dc4bad2110fa56c320801b7
postgresql-tk-7.4.26-1.i586.rpm
24544 25cef7f386fc829cfcc297d2fb7b5345
References:
CVE
[CVE-2009-3229]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3229
[CVE-2009-3230]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230
[CVE-2009-3231]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3231
--------------------------------------------------------------------------
Revision History
20 Oct 2009 Initial release
--------------------------------------------------------------------------
Copyright(C) 2009 Turbolinux, Inc. All rights reserved.