-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Gerfried Fuchs uploaded new packages for postgresql-8.4 which fixed the following security problem:
CVE-2010-3433 The PL/perl and PL/Tcl implementations in PostgreSQL 7.4 before 7.4.30, 8.0 before 8.0.26, 8.1 before 8.1.22, 8.2 before 8.2.18, 8.3 before 8.3.12, 8.4 before 8.4.5, and 9.0 before 9.0.1 do not properly protect script execution by a different SQL user identity within the same session, which allows remote authenticated users to gain privileges via crafted script code in a SECURITY DEFINER function, as demonstrated by (1) redefining standard functions or (2) redefining operators, a different vulnerability than CVE-2010-1168, CVE-2010-1169, CVE-2010-1170, and CVE-2010-1447. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3433 For the lenny-backports distribution, the problem has been fixed in version 1.8.5-1~bpo50+1. For the current testing (squeeze) and unstable (sid) distributions, the problem has been fixed in version 1.8.5-1. Upgrade instructions - -------------------- If you don't use pinning (see [1]) you have to update the package manually via "apt-get -t lenny-backports install <packagelist>" with the packagelist of your installed packages affected by this update. [1] <http://backports.debian.org/Instructions> We recommend to pin the backports repository to 200 so that new versions of installed backports will be installed automatically. Package: * Pin: release a=lenny-backports Pin-Priority: 200 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBCAAGBQJMsbXtAAoJEDH85+fdB5Rh/YUH+weHu9IRRcCgBNWc9D9Q+Rlz nRYO00rXmkXwJOukPNermPj5Aq5VeAJbcKtBc1uu8s9SnByxGSDRQYO1kIQM02t/ XGAjLMy4SGirWhJzZ+n/gdUROrUj6Rre6WUcWlYxipEml0Hvtv0RuU/adVKKdMeu kec4zFt/kR7WQZGhaFuFkzfKakced9IjCKkNU6gcVTgcwBADO6GU0czIn5+3SNnd V2rRdkBfsoRg/ZuEAKp0ZOiSQraupK+nnrY/MYe/t5UDCqil0+a/Gqy6BBUxq0KY YLwK445IeBK1x2jrjPtjuiblsm4LtJz/ZbzzXGvVZClbUh5aGBO+Ylyw1mVgJjU= =n9u3 -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
