Bug 24285

Summary: CVE-2010-3433: unauthorized privilege escalation
Product: Sisyphus Reporter: Vladimir Lettiev <crux>
Component: postgresql8.4 Assignee: Denis Smirnov <mithraen>
Status: CLOSED FIXED QA Contact: qa-sisyphus
Severity: blocker    
Priority: P3 CC: misha, vvk
Version: unstable Keywords: security
Hardware: all   
OS: Linux   
URL: http://www.postgresql.org/support/security.html

Description Vladimir Lettiev 2010-10-13 10:25:26 MSD
CVE-2010-3433: An authenticated database user can manipulate modules and tied variables in some external procedural languages to execute code with enhanced privileges.

Fixed in 8.4.5

P.S. Versions 8.3.x and 8.2.x are also vulnerable (+ 3 more CVEs). Does it make sense to file bugs against them, or will they never be updated again?
Comment 1 Repository Robot 2010-10-25 17:15:24 MSD
postgresql8.4-8.4.5-alt2 -> sisyphus:

* Tue Oct 19 2010 Vladimir V. Kamarzin <vvk@altlinux> 8.4.5-alt2
- Rebuild for Sisyphus (Closes: #24285).
- Run chroot script only when upgrading package.
- Avoid leaving unowned directories after package uninstall.

* Thu Oct 07 2010 Konstantin Pavlov <thresh@altlinux> 8.4.5-alt1
- 8.4.5 release (fixes CVE-2010-3433).