Mandriva Linux Security Advisory : postgresql (MDVSA-2012:092)
Medium Nessus Plugin ID 59518
SynopsisThe remote Mandriva Linux host is missing one or more security updates.
DescriptionMultiple vulnerabilities has been discovered and corrected in postgresql :
Fix incorrect password transformation in contrib/pgcrypto's DES crypt() function (Solar Designer). If a password string contained the byte value 0x80, the remainder of the password was ignored, causing the password to be much weaker than it appeared. With this fix, the rest of the string is properly included in the DES hash. Any stored password values that are affected by this bug will thus no longer match, so the stored values may need to be updated (CVE-2012-2143).
Ignore SECURITY DEFINER and SET attributes for a procedural language's call handler (Tom Lane). Applying such attributes to a call handler could crash the server (CVE-2012-2655).
This advisory provides the latest versions of PostgreSQL that is not vulnerable to these issues.
SolutionUpdate the affected packages.