New bug fix releases: 8.3.19, 8.4.12, 9.1.4
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
postgresql-8.3 (Ubuntu) | Invalid | Undecided | Unassigned |
Hardy | Fix Released | Undecided | Marc Deslauriers |
postgresql-8.4 (Ubuntu) | Invalid | Undecided | Martin Pitt |
Lucid | Fix Released | Undecided | Marc Deslauriers |
Natty | Fix Released | Undecided | Marc Deslauriers |
postgresql-9.1 (Ubuntu) | Fix Released | Undecided | Martin Pitt |
Oneiric | Fix Released | Undecided | Marc Deslauriers |
Precise | Fix Released | Undecided | Marc Deslauriers |
Quantal | Fix Released | Undecided | Martin Pitt |

Bug Description
PostgreSQL will push out new microreleases today which also fix two security issues.
-------
This update includes two security fixes for the following issues:
- CVE-2012-2143 <http://
Fix incorrect password transformation in contrib/pgcrypto’s DES crypt()
function
This vulnerability affects PostgreSQL users who use the crypt(text,
text) function (in the optional pg_crypto module) with DES encryption
and non-ASCII passwords. Passwords affected are those that contain the
byte value 0x80. Characters after such a byte were ignored, making the
effective password shorter and easier to crack than it should be. After
the upgrade, any passwords containing such bytes will need to be
regenerated.
- CVE-2012-2655 <http://
Ignore SECURITY DEFINER and SET attributes for a procedural language’s call
handler
Applying such attributes to a call handler could crash the server.
-------
This fixes a security issue and several bugs, as usual. As per the standing microrelease exception these should go into stables.
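
A login-time check that follows from the CVE-2012-2143 description above, added here as an example (it is not part of the bug report or of PostgreSQL's code). It flags accounts whose DES crypt() hash must be regenerated, at the point where the plaintext password is available. The function names are hypothetical, the hash patterns are the standard crypt(3) DES layouts, and the sample hashes are constructed placeholders.

```python
import re

# Standard crypt(3) DES hash layouts: traditional (13 chars) and
# extended ("_" followed by 19 chars), both over the alphabet ./0-9A-Za-z.
_DES_HASH = re.compile(r"(?:[./0-9A-Za-z]{13}|_[./0-9A-Za-z]{19})")


def is_des_crypt(stored_hash: str) -> bool:
    """True if the stored value has the shape of a DES crypt() hash."""
    return _DES_HASH.fullmatch(stored_hash) is not None


def ignored_suffix(password: str, encoding: str = "utf-8") -> bytes:
    """Bytes that follow the first 0x80 byte, i.e. the part the bug
    description says was ignored before the fix."""
    raw = password.encode(encoding)
    cut = raw.find(b"\x80")
    return b"" if cut < 0 else raw[cut + 1:]


def needs_regeneration(password: str, stored_hash: str,
                       encoding: str = "utf-8") -> bool:
    """Rule from the description: a DES crypt() hash of a password whose
    encoded bytes contain 0x80 must be regenerated after the upgrade."""
    return is_des_crypt(stored_hash) and b"\x80" in password.encode(encoding)


# Constructed sample values: placeholders with the right shape, not real hashes.
DES_HASH = "abCDEFGHIJKLM"
MD5_HASH = "$1$constructed$placeholder"

if __name__ == "__main__":
    # Whether 0x80 appears depends on the client encoding: U+00C0 is C3 80
    # in UTF-8, while U+20AC is the single byte 80 in cp1252 but E2 82 AC
    # in UTF-8.
    samples = [("caf\u00c0secret", "utf-8"), ("pa\u20acss", "cp1252"),
               ("pa\u20acss", "utf-8"), ("plain", "utf-8")]
    for pw, enc in samples:
        print(repr(pw), enc, needs_regeneration(pw, DES_HASH, enc),
              ignored_suffix(pw, enc))
```

The encoding argument has to match the encoding in which the password bytes reached crypt(), since the same character may or may not produce a 0x80 byte.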
Changed in postgresql-9.1 (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
Changed in postgresql-8.4 (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
no longer affects: postgresql-8.3 (Ubuntu Lucid)
no longer affects: postgresql-9.1 (Ubuntu Hardy)
no longer affects: postgresql-8.3 (Ubuntu Quantal)
no longer affects: postgresql-9.1 (Ubuntu Lucid)
no longer affects: postgresql-8.3 (Ubuntu Natty)
no longer affects: postgresql-9.1 (Ubuntu Natty)
no longer affects: postgresql-8.3 (Ubuntu Oneiric)
no longer affects: postgresql-8.4 (Ubuntu Quantal)
no longer affects: postgresql-8.3 (Ubuntu Precise)
Changed in postgresql-8.3 (Ubuntu):
status: New → Invalid
no longer affects: postgresql-8.4 (Ubuntu Hardy)
Changed in postgresql-8.4 (Ubuntu):
status: New → Invalid
no longer affects: postgresql-8.4 (Ubuntu Precise)
no longer affects: postgresql-8.4 (Ubuntu Oneiric)
summary:
- New bug fix releases: 9.1.4, 8.4.12
+ New bug fix releases: 8.3.19, 9.1.4, 8.4.12
summary:
- New bug fix releases: 8.3.19, 9.1.4, 8.4.12
+ New bug fix releases: 8.3.19, 8.4.12, 9.1.4
postgresql-9.1 update for Quantal will be uploaded to Debian sid and autosynced.