[SECURITY] [DSA-2157-1] PostgreSQL security update

2011-02-0320:11:01

lists.debian.org

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

6.1 Medium

AI Score

Confidence

Low

0.019 Low

EPSS

Percentile

88.5%

JSON

Debian Security Advisory DSA-2157-1 [email protected]
http://www.debian.org/security/ Florian Weimer
February 03, 2011 http://www.debian.org/security/faq

Package : postgresql-8.3, postgresql-8.4, postgresql-9.0
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2010-4015

It was discovered that PostgreSQL's intarray contrib module does not
properly handle integers with a large number of digits, leading to a
server crash and potentially arbitary code execution.

For the stable distribution (lenny), this problem has been fixed in
version 8.3.14-0lenny1 of the postgresql-8.3 package.

For the testing distribution (squeeze), this problem has been fixed in
version 8.4.7-0squeeze1 of the postgresql-8.4 package.

For the unstable distribution (sid), this problem has been fixed in
version 8.4.7-1 of the postgresql-8.4 package and version 9.0.3-1 of
the postgresql-9.0 package.

The updates also include reliability improvements; for details see the
respective changelogs.

We recommend that you upgrade your PostgreSQL packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian6armelpostgresql-pltcl-8.4< 8.4.7-0squeeze2postgresql-pltcl-8.4_8.4.7-0squeeze2_armel.deb
Debian5sparcpostgresql-pltcl-8.3< 8.3.14-0lenny1postgresql-pltcl-8.3_8.3.14-0lenny1_sparc.deb
Debian5armellibpq5< 8.3.14-0lenny1libpq5_8.3.14-0lenny1_armel.deb
Debian6s390postgresql-contrib-8.4< 8.4.7-0squeeze2postgresql-contrib-8.4_8.4.7-0squeeze2_s390.deb
Debian5s390postgresql-plpython-8.3< 8.3.14-0lenny1postgresql-plpython-8.3_8.3.14-0lenny1_s390.deb
Debian6kfreebsd-amd64libpgtypes3< 8.4.7-0squeeze2libpgtypes3_8.4.7-0squeeze2_kfreebsd-amd64.deb
Debian6mipsellibpq-dev< 8.4.7-0squeeze2libpq-dev_8.4.7-0squeeze2_mipsel.deb
Debian5s390postgresql-client-8.3< 8.3.14-0lenny1postgresql-client-8.3_8.3.14-0lenny1_s390.deb
Debian6allpostgresql-8.4< 8.4.7-0squeeze2postgresql-8.4_8.4.7-0squeeze2_all.deb
Debian6ia64libpq-dev< 8.4.7-0squeeze2libpq-dev_8.4.7-0squeeze2_ia64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	armel	postgresql-pltcl-8.4	< 8.4.7-0squeeze2	postgresql-pltcl-8.4_8.4.7-0squeeze2_armel.deb
Debian	5	sparc	postgresql-pltcl-8.3	< 8.3.14-0lenny1	postgresql-pltcl-8.3_8.3.14-0lenny1_sparc.deb
Debian	5	armel	libpq5	< 8.3.14-0lenny1	libpq5_8.3.14-0lenny1_armel.deb
Debian	6	s390	postgresql-contrib-8.4	< 8.4.7-0squeeze2	postgresql-contrib-8.4_8.4.7-0squeeze2_s390.deb
Debian	5	s390	postgresql-plpython-8.3	< 8.3.14-0lenny1	postgresql-plpython-8.3_8.3.14-0lenny1_s390.deb
Debian	6	kfreebsd-amd64	libpgtypes3	< 8.4.7-0squeeze2	libpgtypes3_8.4.7-0squeeze2_kfreebsd-amd64.deb
Debian	6	mipsel	libpq-dev	< 8.4.7-0squeeze2	libpq-dev_8.4.7-0squeeze2_mipsel.deb
Debian	5	s390	postgresql-client-8.3	< 8.3.14-0lenny1	postgresql-client-8.3_8.3.14-0lenny1_s390.deb
Debian	6	all	postgresql-8.4	< 8.4.7-0squeeze2	postgresql-8.4_8.4.7-0squeeze2_all.deb
Debian	6	ia64	libpq-dev	< 8.4.7-0squeeze2	libpq-dev_8.4.7-0squeeze2_ia64.deb