Bug 24285 - CVE-2010-3433: unauthorized privilege escalation
Summary: CVE-2010-3433: unauthorized privilege escalation
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: postgresql8.4
Version: unstable
Hardware: all Linux
Importance: P3 blocker
Assignee: Denis Smirnov
QA Contact: qa-sisyphus
URL: http://www.postgresql.org/support/sec...
Keywords: security
Depends on:
Blocks:
 
Reported: 2010-10-13 10:25 MSD by Vladimir Lettiev
Modified: 2010-10-25 17:15 MSD
Description Vladimir Lettiev 2010-10-13 10:25:26 MSD
CVE-2010-3433: An authenticated database user can manipulate modules and tied variables in some external procedural languages to execute code with enhanced privileges.

Fixed in 8.4.5

P.S. Versions 8.3.x and 8.2.x are also vulnerable (+ 3 more CVEs). Does it make sense to file bugs against them, or will they never be updated again?
Comment 1 Repository Robot 2010-10-25 17:15:24 MSD
postgresql8.4-8.4.5-alt2 -> sisyphus:

* Tue Oct 19 2010 Vladimir V. Kamarzin <vvk@altlinux> 8.4.5-alt2
- Rebuild for Sisyphus (Closes: #24285).
- Run chroot script only when upgrading package.
- Avoid leaving unowned directories after package uninstall.

* Thu Oct 07 2010 Konstantin Pavlov <thresh@altlinux> 8.4.5-alt1
- 8.4.5 release (fixes CVE-2010-3433).