postgresql-8.4.13-1.0.1.AXS4
Errata ID: AXSA:2012-987:03
Release date:
2012/12/11 Tuesday - 12:56
Title:
postgresql-8.4.13-1.0.1.AXS4
Affected channels:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
High
Description:
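The following issues have been addressed.
[Security Fix]
- Fixed an issue in which the libxslt support in PostgreSQL's contrib/xml2 did not properly restrict access to files and URLs, allowing remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature. (CVE-2012-3488)
- The xml_parse function in the libxml2 support in the PostgreSQL core server component has a vulnerability that may allow authenticated users to determine the existence of arbitrary files or URLs, and to obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity. (CVE-2012-3489)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.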
CVE:
CVE-2012-3488
The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.
CVE-2012-3489
The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.
Additional information:
N/A
Downloads:
SRPMS
- postgresql-8.4.13-1.0.1.AXS4.src.rpm
Size: 20.51 MB
Asianux Server 4 for x86
- postgresql-8.4.13-1.0.1.AXS4.i686.rpm
Size: 2.76 MB
- postgresql-contrib-8.4.13-1.0.1.AXS4.i686.rpm
Size: 347.86 kB
- postgresql-devel-8.4.13-1.0.1.AXS4.i686.rpm
Size: 807.53 kB
- postgresql-docs-8.4.13-1.0.1.AXS4.i686.rpm
Size: 6.10 MB
- postgresql-libs-8.4.13-1.0.1.AXS4.i686.rpm
Size: 203.41 kB
- postgresql-plperl-8.4.13-1.0.1.AXS4.i686.rpm
Size: 55.41 kB
- postgresql-plpython-8.4.13-1.0.1.AXS4.i686.rpm
Size: 56.51 kB
- postgresql-pltcl-8.4.13-1.0.1.AXS4.i686.rpm
Size: 44.70 kB
- postgresql-server-8.4.13-1.0.1.AXS4.i686.rpm
Size: 3.37 MB
- postgresql-test-8.4.13-1.0.1.AXS4.i686.rpm
Size: 1.11 MB
Asianux Server 4 for x86_64
- postgresql-8.4.13-1.0.1.AXS4.x86_64.rpm
Size: 2.76 MB
- postgresql-contrib-8.4.13-1.0.1.AXS4.x86_64.rpm
Size: 351.63 kB
- postgresql-devel-8.4.13-1.0.1.AXS4.x86_64.rpm
Size: 812.13 kB
- postgresql-docs-8.4.13-1.0.1.AXS4.x86_64.rpm
Size: 6.10 MB
- postgresql-libs-8.4.13-1.0.1.AXS4.x86_64.rpm
Size: 199.40 kB
- postgresql-plperl-8.4.13-1.0.1.AXS4.x86_64.rpm
Size: 55.27 kB
- postgresql-plpython-8.4.13-1.0.1.AXS4.x86_64.rpm
Size: 57.27 kB
- postgresql-pltcl-8.4.13-1.0.1.AXS4.x86_64.rpm
Size: 44.47 kB
- postgresql-server-8.4.13-1.0.1.AXS4.x86_64.rpm
Size: 3.41 MB
- postgresql-test-8.4.13-1.0.1.AXS4.x86_64.rpm
Size: 1.11 MB
- postgresql-8.4.13-1.0.1.AXS4.i686.rpm
Size: 2.76 MB
- postgresql-devel-8.4.13-1.0.1.AXS4.i686.rpm
Size: 807.53 kB
- postgresql-libs-8.4.13-1.0.1.AXS4.i686.rpm
Size: 203.41 kB