• [SECURITY] [DSA 2534-1] postgresql-8.4 security update

    From Florian Weimer@1:229/2 to All on Sat Aug 25 18:30:01 2012
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-2534-1                   [email protected]
    http://www.debian.org/security/                            Florian Weimer
    August 25, 2012                        http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : postgresql-8.4
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2012-3488 CVE-2012-3489

    Two vulnerabilities related to XML processing were discovered in
    PostgreSQL, an SQL database.

    CVE-2012-3488
    contrib/xml2's xslt_process() can be used to read and write
    external files and URLs.

    CVE-2012-3489
    xml_parse() fetches external files or URLs to resolve DTD and
    entity references in XML values.

    This update removes the problematic functionality, potentially
    breaking applications which use it in a legitimate way.

    Due to the nature of these vulnerabilities, it is possible that
    attackers who have only indirect access to the database can supply
    crafted XML data which exploits this vulnerability.

    For the stable distribution (squeeze), these problems have been fixed
    in version 8.4.13-0squeeze1.

    For the unstable distribution (sid), these problems have been fixed in
    version 9.1.5-1 of the postgresql-9.1 package.

    We recommend that you upgrade your postgresql-8.4 packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]

