postgresql-8.1.23-4.0.1.AXS3
エラータID: AXSA:2012-570:01
リリース日:
2012/07/24 Tuesday - 11:50
題名:
postgresql-8.1.23-4.0.1.AXS3
影響のあるチャネル:
Asianux Server 3 for x86_64
Asianux Server 3 for x86
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- PostgreSQL の CREATE TRIGGER は SECURITY DEFINER 属性のついたトリガー関数の実行権限を適切にチェックしておらず,攻撃者の所有するテーブルにトリガーをインストールすることによって,リモートの認証されたユーザが任意のデータ上の制限されたトリガーを実行する脆弱性があります。(CVE-2012-0866)
- PostgreSQL には CRLF インジェクションの脆弱性が存在し,巧妙に細工された改行のあるオブジェクト名を含むファイルによって,リモートの攻撃者が任意の SQL コマンドを実行する脆弱性があります。(CVE-2012-0868)
一部CVEの翻訳文はJVNからの引用になります。
http://jvndb.jvn.jp/
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2012-0866
CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 does not properly check the execute permission for trigger functions marked SECURITY DEFINER, which allows remote authenticated users to execute otherwise restricted triggers on arbitrary data by installing the trigger on an attacker-owned table.
CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 does not properly check the execute permission for trigger functions marked SECURITY DEFINER, which allows remote authenticated users to execute otherwise restricted triggers on arbitrary data by installing the trigger on an attacker-owned table.
CVE-2012-0868
CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are inserted into an SQL script that is used when the database is restored.
CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are inserted into an SQL script that is used when the database is restored.
追加情報:
N/A
ダウンロード:
SRPMS
- postgresql-8.1.23-4.0.1.AXS3.src.rpm
MD5: b1a440cc3045b9ccf2c980bed7b66e37
SHA-256: fefe546f3894c04a25c62aee8a12814bf82b610148c69f51080c03ad396c4cfe
Size: 16.81 MB
Asianux Server 3 for x86
- postgresql-8.1.23-4.0.1.AXS3.i386.rpm
MD5: 2444ad7c8890cb8947cbb8372c81daf1
SHA-256: 36b4b16faf407f8db138f77c593475de78e9edead0a298dd2910d87ff9441620
Size: 2.94 MB - postgresql-contrib-8.1.23-4.0.1.AXS3.i386.rpm
MD5: 2884009cfc28e47eb3a9427e3a06587e
SHA-256: 323e490256112520218ca59ff40015146a76d9b14adefb803da4db845c2bf829
Size: 456.07 kB - postgresql-devel-8.1.23-4.0.1.AXS3.i386.rpm
MD5: d032d349ea94f2994ad01dfebd0399e1
SHA-256: 463a132dbf89d7156b6088654732698bdfaaa09640ce618857aeb58ef57f348f
Size: 1.18 MB - postgresql-docs-8.1.23-4.0.1.AXS3.i386.rpm
MD5: 37a1a25baf264fe1fc593d239ad515ad
SHA-256: f79c4756be33bb83ee971e3685d8e52a0c732f4aa491763b00e6ff432f71d01b
Size: 5.58 MB - postgresql-libs-8.1.23-4.0.1.AXS3.i386.rpm
MD5: 3f33e095d639c9b571c237c606232c0c
SHA-256: 3fadb0d18634c5fa331ddbda1b3fdeef4bd1db92b87d4b7d0641a6846d773800
Size: 201.37 kB - postgresql-pl-8.1.23-4.0.1.AXS3.i386.rpm
MD5: 7a90d16f06bb8d0a09a8cd0c9cf19575
SHA-256: 0243386612d715c6dd63eaff0838482b9956568bcf8758fabd32fe045675bdf5
Size: 73.37 kB - postgresql-python-8.1.23-4.0.1.AXS3.i386.rpm
MD5: 0d33771660b413b52556cd67dd83e232
SHA-256: 13caddd378f8d50955024f9560dbba759b1432c30f0ee00f03bb1afd74e8a3f9
Size: 55.72 kB - postgresql-server-8.1.23-4.0.1.AXS3.i386.rpm
MD5: 4a50afd51b39b54ffef6edc23410e3a1
SHA-256: 773ef17e2fc47f904ce9f4e654c4039a2b1219b977a7edcf82efc448b0c05eb1
Size: 3.93 MB - postgresql-tcl-8.1.23-4.0.1.AXS3.i386.rpm
MD5: 78c55924941ba2b93e498ecaaeaa26eb
SHA-256: f10c8079a2590c0f6b924fa40d5907204c592f525009c3657d1ec1bc17e27527
Size: 83.95 kB
Asianux Server 3 for x86_64
- postgresql-8.1.23-4.0.1.AXS3.x86_64.rpm
MD5: 1a95087af35c7c35501a960815a6367d
SHA-256: cf02f1c05c0debb5a8fba4179489bd170cfdbee9828e355b0bea5602525e817f
Size: 2.97 MB - postgresql-contrib-8.1.23-4.0.1.AXS3.x86_64.rpm
MD5: ec2f80d5ef1ffd2112f0ccaa9f56eba8
SHA-256: 3218e86ab89f34d238ff9507de81105437d59115271a97be656d7140f8eaccda
Size: 461.56 kB - postgresql-devel-8.1.23-4.0.1.AXS3.x86_64.rpm
MD5: 17c825cb4f216a4269a521143b9f0e64
SHA-256: 4d7c13d23b751b29b34a3a57128b71fb5a4d7c8cb02fe46ef1304fd724603c51
Size: 1.22 MB - postgresql-docs-8.1.23-4.0.1.AXS3.x86_64.rpm
MD5: dad2aade81d8d249b02ecffb60c35d2c
SHA-256: 8482ba451228ba018ee0cd4c18066daf2d499fd583c21851a0d8885f550e66e6
Size: 5.58 MB - postgresql-libs-8.1.23-4.0.1.AXS3.x86_64.rpm
MD5: 7757e9abc929d2868c3b5104b4f91f29
SHA-256: 96c896321cbbf7aa3b387d668bd92b823e0d711884f5372b8afe00ecda45fa15
Size: 201.21 kB - postgresql-pl-8.1.23-4.0.1.AXS3.x86_64.rpm
MD5: 10af708a02ef54742beeb7ac79192ed2
SHA-256: 93402e075a8ed10ed5af96ffc3e5bbbb1f6d38c42b16c49d0d499ecfa2f112c0
Size: 75.61 kB - postgresql-python-8.1.23-4.0.1.AXS3.x86_64.rpm
MD5: 85c93eda667ae20674ca416a08371690
SHA-256: 6a5b9328136e4073d4c49d98686ca2346379abf14484acd4f86256b72f77ad08
Size: 57.19 kB - postgresql-server-8.1.23-4.0.1.AXS3.x86_64.rpm
MD5: 287d5d16b211b27bbceea4b8a0e70d44
SHA-256: b07138f10d6c5485ecec4739a3cd54b812ec701009bdab79ab6d2eea21235f0c
Size: 3.98 MB - postgresql-tcl-8.1.23-4.0.1.AXS3.x86_64.rpm
MD5: 616db3683a19eacca0ce4024fbfe3cac
SHA-256: c2d2b0ed8e6215001ee99cbf5af5c58b66d6b3cc4dc16647b06771c426bfdb6e
Size: 85.23 kB