About Ubuntu

=========================================================== Ubuntu Security Notice USN-369-2 November 01, 2006 postgresql-8.1 vulnerabilities CVE-2006-5540, CVE-2006-5541, CVE-2006-5542 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.10: postgresql-8.1 8.1.4-7ubuntu0.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: USN-369-1 fixed three minor PostgreSQL 8.1 vulnerabilities for Ubuntu 6.06 LTS. This update provides the corresponding update for Ubuntu 6.10. Original advisory details: Michael Fuhr discovered an incorrect type check when handling unknown literals. By attempting to coerce such a literal to the ANYARRAY type, a local authenticated attacker could cause a server crash. (CVE-2006-5541) Josh Drake and Alvaro Herrera reported a crash when using aggregate functions in UPDATE statements. A local authenticated attacker could exploit this to crash the server backend. This update disables this construct, since it is not very well defined and forbidden by the SQL standard. (CVE-2006-5540) Sergey Koposov discovered a flaw in the duration logging. This could cause a server crash under certain circumstances. (CVE-2006-5542) Please note that these flaws can usually not be exploited through web and other applications that use a database and are exposed to untrusted input, so these flaws do not pose a threat in usual setups.