
Re: [SECURITY] [DSA 2340-1] postgresql security update missing for squeeze





Why is there no security update for postgresql-9.0 on squeeze?

.. just wondered why my cron-apt didn't report any postgresql updates
today. My security.sources.list is

deb http://security.debian.org/ squeeze/updates main contrib non-free

on Debian squeeze with postgresql-9.0 installed:

i   postgresql-9.0

cu,

jan

On 11/07/2011 07:49 PM, Thijs Kinkhorst wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-2340-1                   security@debian.org
> http://www.debian.org/security/                           Thijs Kinkhorst
> November 7, 2011                       http://www.debian.org/security/faq
> -------------------------------------------------------------------------
> 
> Package        : postgresql-8.3, postgresql-8.4, postgresql-9.0
> Vulnerability  : weak password hashing
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2011-2483 
> Debian Bug     : 631285
> 
> magnum discovered that the blowfish password hashing used amongst
> others in PostgreSQL contained a weakness that would give passwords
> with 8 bit characters the same hash as weaker equivalents.
> 
> For the oldstable distribution (lenny), this problem has been fixed in
> postgresql-8.3 version 8.3.16-0lenny1.
> 
> For the stable distribution (squeeze), this problem has been fixed in
> postgresql-8.4 version 8.4.9-0squeeze1.
> 
> For the testing distribution (wheezy) and unstable distribution (sid),
> this problem has been fixed in postgresql-8.4 version 8.4.9-1,
> postgresql-9.0 9.0.5-1 and postgresql-9.1 9.1~rc1-1.
> 
> The updates also include reliability improvements, originally scheduled
> for inclusion into the next point release; for details see the respective
> changelogs.
> 
> We recommend that you upgrade your postgresql packages.
> 
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
> 
> Mailing list: debian-security-announce@lists.debian.org
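The weakness the quoted advisory describes, as an added example that is not part of the original message and is not PostgreSQL's code: a simplified model of the key setup step in Blowfish-based password hashing, where reading password bytes as signed `char` lets an 8-bit character overwrite the bytes packed before it in the same 32-bit word. The sign-extension mechanism is the publicly documented cause of CVE-2011-2483 rather than something the advisory text spells out; the function names `expand_key` and `same_key_material` and the sample passwords are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define KEY_WORDS 18 /* Blowfish P-array length: 16 rounds + 2 */

/* Pack the password, NUL included and repeated cyclically, into 32-bit
 * words for key setup. sign_extend=1 reads each byte as a signed char
 * (the flawed behaviour); 0 reads it as unsigned (the fix). */
static void expand_key(const char *key, int sign_extend, uint32_t out[KEY_WORDS])
{
    const char *ptr = key;
    for (int i = 0; i < KEY_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            if (sign_extend) /* 0x80..0xFF turn into 0xFFFFFF80..0xFFFFFFFF */
                tmp |= (uint32_t)(int32_t)(signed char)*ptr;
            else
                tmp |= (unsigned char)*ptr;
            if (!*ptr) ptr = key; else ptr++;
        }
        out[i] = tmp;
    }
}

/* Return 1 when both passwords expand to identical key words. */
int same_key_material(const char *a, const char *b, int sign_extend)
{
    uint32_t wa[KEY_WORDS], wb[KEY_WORDS];
    expand_key(a, sign_extend, wa);
    expand_key(b, sign_extend, wb);
    for (int i = 0; i < KEY_WORDS; i++)
        if (wa[i] != wb[i])
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample passwords: 7 bytes each, ending in the 8-bit byte 0xE9. */
    const char *p1 = "pass12\xE9", *p2 = "passXY\xE9";
    printf("signed char:   same key material = %d\n", same_key_material(p1, p2, 1));
    printf("unsigned char: same key material = %d\n", same_key_material(p1, p2, 0));
    return 0;
}
```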

