LinuxSecurity.com
SuSE: PostgreSQL SQL injection attacks
Posted by Benjamin D. Thomas   
Two character set encoding related security problems were fixed in the PostgreSQL database server: CVE-2006-2313 and CVE-2006-2314.
______________________________________________________________________________

                        SUSE Security Announcement

        Package:                postgresql
        Announcement ID:        SUSE-SA:2006:030
        Date:                   Fri, 09 Jun 2006 16:00:00 +0000
        Affected Products:      SUSE LINUX 10.1
                                SUSE LINUX 10.0
                                SUSE LINUX 9.3
                                SUSE LINUX 9.2
                                SUSE LINUX 9.1
                                SUSE SLES 9
        Vulnerability Type:     remote code execution
        Severity (1-10):        7
        SUSE Default Package:   no
        Cross-References:       CVE-2006-2313, CVE-2006-2314

    Content of This Advisory:
        1) Security Vulnerability Resolved:
             PostgreSQL SQL injection problems due to encoding problems
           Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Package Location and Checksums
        5) Pending Vulnerabilities, Solutions, and Work-Arounds:
            See SUSE Security Summary Report.
        6) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Problem Description and Brief Discussion

   Two character set encoding related security problems were fixed in the
   PostgreSQL database server:

   CVE-2006-2313:
       Akio Ishida and Yasuo Ohgaki discovered a weakness in the handling
       of invalidly-encoded multibyte text data. If a client application
       processed untrusted input without respecting its encoding and
       applied standard string escaping techniques (such as replacing a
       single quote >>'<< with >>\'<< or >>''<<), the PostgreSQL server
       could interpret the resulting string in a way that allowed an
       attacker to inject arbitrary SQL commands into the resulting SQL
       query. The PostgreSQL server has been modified to reject such
       invalidly encoded strings now, which completely fixes the problem
       for some 'safe' multibyte encodings like UTF-8.

   CVE-2006-2314:
       However, there are some less popular and client-only multibyte
       encodings (such as SJIS, BIG5, GBK, GB18030, and UHC) which
       contain valid multibyte characters that end with the byte 0x5c,
       which is the representation of the backslash character >>\<< in
       ASCII. Many client libraries and applications use the non-standard,
       but popular way of escaping the >>'<< character by replacing all
       occurrences of it with >>\'<<. If a client application uses one of
       the affected encodings and does not interpret multibyte characters,
       and an attacker supplies a specially crafted byte sequence as an
       input string parameter, this escaping method would then produce a
       validly-encoded character and an excess >>'<< character which would
       end the string. All subsequent characters would then be interpreted
       as SQL code, so the attacker could execute arbitrary SQL commands.

       To fix this vulnerability end-to-end, client-side applications
       must be fixed to properly interpret multibyte encodings and use
       >>''<< instead of >>\'<<. However, as a precautionary measure,
       the sequence >>\'<< is now regarded as invalid when one of the
       affected client encodings is in use. If you depend on the previous
       behavior, you can restore it by setting 'backslash_quote = on'
       in postgresql.conf.  However, please be aware that this could
       render you vulnerable again.

       This issue does not affect you if you only use single-byte (like
       SQL_ASCII or the ISO-8859-X family) or unaffected multibyte
       (like UTF-8) encodings.
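
The escaping failure described under CVE-2006-2314, next to the encoding-aware `''` escaping the advisory asks clients to use, as an added Python example that is not part of the SUSE advisory or of PostgreSQL. The function names are hypothetical, `literal_end` is a simplified model of a multibyte-aware reader, and the sample inputs are constructed.

```python
# Added illustration (not PostgreSQL or libpq code); inputs are constructed.

# Client encodings from the advisory where a trail byte can be 0x5c.
# GB18030 is omitted: its 4-byte forms need a longer scanner than this model.
TRAIL_5C = {"shift_jis", "big5", "gbk", "cp949"}  # cp949 is Python's name for UHC


def char_len(encoding: str, lead: int) -> int:
    """Simplified lead-byte rule: how many bytes the next character spans."""
    if lead < 0x80 or encoding not in TRAIL_5C:
        return 1
    if encoding == "shift_jis" and 0xA1 <= lead <= 0xDF:
        return 1  # half-width katakana are single bytes in SJIS
    return 2


def naive_escape(raw: bytes) -> bytes:
    """Byte-wise escaping the advisory warns about: ' becomes \\'."""
    return raw.replace(b"'", b"\\'")


def safe_escape(raw: bytes, encoding: str) -> bytes:
    """Validate the encoding, then escape per character, doubling quotes."""
    text = raw.decode(encoding)  # strict: raises UnicodeDecodeError if invalid
    text = text.replace("\\", "\\\\").replace("'", "''")
    return text.encode(encoding)


def literal_end(sql: bytes, encoding: str) -> int:
    """Index of the quote closing the literal opened at sql[0], or -1."""
    i = 1
    while i < len(sql):
        b = sql[i]
        if char_len(encoding, b) == 2:
            i += 2  # multibyte character: the trail byte is never syntax
        elif b == 0x5C:
            i += 2  # backslash escapes the following byte
        elif b == 0x27:
            if sql[i + 1:i + 2] == b"'":
                i += 2  # '' is one literal quote
            else:
                return i
        else:
            i += 1
    return -1


def outside_literal(escaped: bytes, encoding: str):
    """Bytes of the value that land outside the '...' the application built."""
    sql = b"'" + escaped + b"'"
    end = literal_end(sql, encoding)
    return None if end < 0 else sql[end + 1:]


if __name__ == "__main__":
    crafted = b"\x95' tail"  # constructed: SJIS lead byte followed by a quote
    legit = "表's".encode("shift_jis")  # 表 is 0x95 0x5c in SJIS
    print(outside_literal(naive_escape(crafted), "shift_jis"))
    print(outside_literal(naive_escape(crafted), "latin-1"))
    print(outside_literal(safe_escape(legit, "shift_jis"), "shift_jis"))
    try:
        safe_escape(crafted, "shift_jis")
    except UnicodeDecodeError as exc:
        print("rejected:", exc.reason)
```

In application code, prefer bound parameters or the driver's connection-aware escaping (libpq's PQescapeStringConn) over hand-written escaping.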

   Please see http://www.postgresql.org/docs/techdocs.50 for further
   details.

   Unfortunately we are not yet able to provide back ported patches for
   the PostgreSQL included in SUSE Linux Enterprise Server 8 at this
   time. We are working on a solution for this problem.

2) Solution or Work-Around

   There is no known workaround; please install the update packages.

3) Special Instructions and Notes

   If you are running a PostgreSQL server please make sure that it
   is stopped or at least doesn't have any client connections during
   the update.

   If you are running or using a PostgreSQL server, please carefully follow
   the instructions in /usr/share/doc/packages/postgresql/SECURITY-NOTICE
   to complete this security update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

     rpm -Fhv <file.rpm>

   to apply the update, replacing <file.rpm> with the filename of the
   downloaded RPM package.



   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web:

   SUSE SLES 9
     http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/da59db7f50aac32f6bd1b258f6e09652.html

______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   See SUSE Security Summary Report.
______________________________________________________________________________

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

    SUSE security announcements are published via mailing lists and on Web
    sites. The authenticity and integrity of a SUSE security announcement is
    guaranteed by a cryptographic signature in each announcement. All SUSE
    security announcements are published with a valid signature.

    To verify the signature of the announcement, save it as text into a file
    and run the command

      gpg --verify <file>

    replacing <file> with the name of the file where you saved the
    announcement. The output for a valid signature looks like:

      gpg: Signature made <DATE> using RSA key ID 3D25D3D9
      gpg: Good signature from "SuSE Security Team "

    where <DATE> is replaced by the date the document was signed.

    If the security team's key is not contained in your key ring, you can
    import it from the first installation CD. To import the key, use the
    command

      gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  - Package authenticity verification:

    SUSE update packages are available on many mirror FTP servers all over the
    world. While this service is considered valuable and important to the free
    and open source software community, the authenticity and the integrity of
    a package needs to be verified to ensure that it has not been tampered
    with.

    There are two verification methods that can be used independently from
    each other to prove the authenticity of a downloaded file or RPM package:

    1) Using the internal gpg signatures of the rpm package
    2) MD5 checksums as provided in this announcement

    1) The internal rpm package signatures provide an easy way to verify the
       authenticity of an RPM package. Use the command

        rpm -v --checksig <file.rpm>

       to verify the signature of the package, replacing <file.rpm> with the
       filename of the RPM package downloaded. The package is unmodified if it
       contains a valid signature from build@suse.de with the key ID 9C800ACA.

       This key is automatically imported into the RPM database (on
       RPMv4-based distributions) and the gpg key ring of 'root' during
       installation. You can also find it on the first installation CD and at
       the end of this announcement.

    2) If you need an alternative means of verification, use the md5sum
       command to verify the authenticity of the packages. Execute the command

         md5sum <file.rpm>

       after you downloaded the file from a SUSE FTP server or its mirrors.
       Then compare the resulting md5sum with the one that is listed in the
       SUSE security announcement. Because the announcement containing the
       checksums is cryptographically signed (by security@suse.de), the
       checksums show proof of the authenticity of the package if the
       signature of the announcement is valid. Note that the md5 sums
       published in the SUSE Security Announcements are valid for the
       respective packages only. Newer versions of these packages cannot be
       verified.

  - SUSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@suse.com
        -   General Linux and SUSE security discussion.
            All SUSE security announcements are sent to this list.
            To subscribe, send an e-mail to
                .

    suse-security-announce@suse.com
        -   SUSE's announce-only mailing list.
            Only SUSE's security announcements are sent to this list.
            To subscribe, send an e-mail to
                .

    For general information or the frequently asked questions (FAQ),
    send mail to  or
    .

    =====================================================================
    SUSE's security contact is  or .
    The  public key is listed below.
    =====================================================================
______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way. In particular, the
    clear text signature should show proof of the authenticity of the text.

    SUSE Linux Products GmbH provides no warranties of any kind whatsoever
    with respect to the information contained in this security advisory.
 