[ubuntu/quantal] postgresql-9.1 9.1.5-1 (Accepted)
Martin Pitt
martin.pitt at ubuntu.com
Sun Aug 19 09:39:14 UTC 2012
postgresql-9.1 (9.1.5-1) unstable; urgency=medium

  * Urgency medium due to security fixes and bug fixes which should reach
    Wheezy quickly.
  * New upstream bug fix/security release:
    - Prevent access to external files/URLs via XML entity references.
      xml_parse() would attempt to fetch external files or URLs as needed
      to resolve DTD and entity references in an XML value, thus allowing
      unprivileged database users to attempt to fetch data with the
      privileges of the database server. While the external data wouldn't
      get returned directly to the user, portions of it could be exposed
      in error messages if the data didn't parse as valid XML; and in any
      case the mere ability to check existence of a file might be useful
      to an attacker. (CVE-2012-3489)
    - Prevent access to external files/URLs via "contrib/xml2"'s
      xslt_process().
      libxslt offers the ability to read and write both files and URLs
      through stylesheet commands, thus allowing unprivileged database
      users to both read and write data with the privileges of the
      database server. Disable that through proper use of libxslt's
      security options. (CVE-2012-3488)
      Also, remove xslt_process()'s ability to fetch documents and
      stylesheets from external files/URLs. While this was a documented
      "feature", it was long regarded as a bad idea. The fix for
      CVE-2012-3489 broke that capability, and rather than expend effort
      on trying to fix it, we're just going to summarily remove it.
    - Lots of other bug fixes, see HISTORY/changelog.gz.
Date: 2012-08-18 23:02:12.908657+00:00
Signed-By: Martin Pitt <martin.pitt at ubuntu.com>
https://launchpad.net/ubuntu/quantal/+source/postgresql-9.1/9.1.5-1
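The CVE-2012-3489 entry above boils down to one rule: parsing an XML value must never cause the server to read a local file or fetch a URL. The following is an added example, not PostgreSQL's or libxml2's own code, that models that rule with Python's bundled expat parser: every external entity or external DTD subset reference is refused and recorded instead of fetched. The sample documents, file path and host name are constructed placeholders.

```python
"""Refuse external entity and DTD fetches while parsing XML (added example)."""
import xml.parsers.expat
from dataclasses import dataclass, field


@dataclass
class ParseResult:
    ok: bool                                      # True when the document parsed fully
    text: str = ""                                # character data collected from the document
    blocked: list = field(default_factory=list)   # system ids we refused to fetch
    error: str = ""                               # expat's error text, if any


def parse_without_external_access(data: bytes) -> ParseResult:
    """Parse `data`; any attempt to resolve an external entity or the
    external DTD subset is refused (and its system id recorded), never fetched."""
    result = ParseResult(ok=False)
    chunks = []
    parser = xml.parsers.expat.ParserCreate()
    # Process parameter entities too, so a <!DOCTYPE x SYSTEM "..."> external
    # subset reaches our handler instead of being silently skipped.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def refuse(context, base, system_id, public_id):
        # Returning 0 tells expat the entity was not loaded; expat then aborts
        # the parse with XML_ERROR_EXTERNAL_ENTITY_HANDLING.
        result.blocked.append(system_id)
        return 0

    parser.ExternalEntityRefHandler = refuse
    parser.CharacterDataHandler = chunks.append
    try:
        parser.Parse(data, True)
        result.ok = True
    except xml.parsers.expat.ExpatError as exc:
        result.error = str(exc)
    result.text = "".join(chunks)
    return result


# Constructed sample inputs (placeholder path and host, nothing real is touched).
BENIGN = b"<note><to>ops</to><body>plain value</body></note>"
GENERAL_ENTITY = (b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///placeholder/not-read">]>'
                  b"<d>&ext;</d>")
EXTERNAL_DTD = b'<!DOCTYPE d SYSTEM "http://dtd.placeholder.invalid/d.dtd"><d>x</d>'

if __name__ == "__main__":
    for sample in (BENIGN, GENERAL_ENTITY, EXTERNAL_DTD):
        print(parse_without_external_access(sample))
```

The benign document parses normally, while both the external general entity and the external DTD subset are reported as blocked and the parse fails closed, which is the post-fix behaviour the changelog describes for xml_parse().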