June 14, 2021

Apple releases OS X Server v2.1.1 to fix problems in PostgreSQL & Jabber

(LiveHacking.Com) – Apple has released OS X Server v2.1.1 to address multiple vulnerabilities in PostgreSQL and to fix an issue in the Jabber server’s handling of dialback result messages. Before Mac OS X 10.7, Apple sold a separate server edition of OS X; since then the server features have been sold as a set of add-ons bought directly from Apple’s online Mac App Store. OS X Server 2.1.1 is an update of that add-on component.

OS X Server adds the following capabilities to OS X: file sharing for Mac, PC, and iPad; Wiki Server; Profile Manager; a Time Machine backup destination for Mac computers on your network; standards-based SMTP, IMAP, and POP mail server; Calendar Server; Contacts Server; Messages Server; encrypted VPN connections for Mac, iPad, iPhone, and PC; and Xsan.

PostgreSQL has been updated to version 9.1.5 to address multiple vulnerabilities, the most serious of which may allow database users to read files from the file system with the privileges of the database server role account. Further information is available via the PostgreSQL web site at http://www.postgresql.org/docs/9.1/static/release-9-1-5.html.

Messages Server
An issue existed in the Jabber server’s handling of dialback result messages. An attacker may cause the Jabber server to disclose information intended for users of federated servers. This issue was addressed through improved handling of dialback result messages.

From a security standpoint, OS X Server v2.1.1 includes the security updates of OS X Mountain Lion v10.8.2.

What’s New in Version 2.1.1

  • Managing DHCP service from within the Server application
  • iOS 6 device management support in Profile Manager
  • Using the Server application to create a large number of users or groups
  • Authenticating with Calendar Server when using an Active Directory account
  • Renewing certificates for use with the Apple Push Notification Service
  • Configuring DNS entries with second level domains and aliases
  • Retaining network, DNS and PHP settings when installing or upgrading OS X Server
  • Migrating from Lion Server and Snow Leopard Server

New Security Updates For All Active Branches of PostgreSQL

(LiveHacking.Com) – New security updates for all active versions of PostgreSQL, the object-relational database system, have been released by the PostgreSQL Global Development Group. The updated releases are versions 9.1.3, 9.0.7, 8.4.11 and 8.3.18.

The update fixes vulnerabilities in three areas:

  • Permissions on a function called by a trigger are not checked.
  • SSL certificate name checks are truncated to 32 characters, allowing connection spoofing under some circumstances.
  • Line breaks in object names can be exploited to execute code when loading a pg_dump file.

The first fix prevents users from defining triggers that execute functions for which the user does not have EXECUTE permission. The problem was that CREATE TRIGGER made no permissions check on the trigger function to be called. If that trigger function was marked SECURITY DEFINER, privilege escalation became possible, because the function then ran with the privileges of its owner rather than those of the user who caused the trigger to fire.
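An added audit query and demonstration (not from the article or the PostgreSQL project): the query lists non-internal triggers whose function is SECURITY DEFINER and whose table owner lacks EXECUTE on that function, which is the combination the missing check allowed; the demonstration below it uses constructed names (`audit_fn`, `app_tbl`, role `app_user`) and assumes PostgreSQL 9.0 or later for the `tgisinternal` column.

```sql
-- Audit: SECURITY DEFINER trigger functions that the owning table's owner
-- is not allowed to EXECUTE. Run as a superuser (or a role that can read
-- the catalogs). Any row returned is worth reviewing after the upgrade.
SELECT n.nspname                                              AS schema_name,
       c.relname                                              AS table_name,
       t.tgname                                               AS trigger_name,
       p.proname                                              AS trigger_function,
       pg_get_userbyid(c.relowner)                            AS table_owner,
       pg_get_userbyid(p.proowner)                            AS function_owner,
       has_function_privilege(c.relowner, p.oid, 'EXECUTE')   AS owner_can_execute
FROM   pg_trigger   t
JOIN   pg_class     c ON c.oid = t.tgrelid
JOIN   pg_namespace n ON n.oid = c.relnamespace
JOIN   pg_proc      p ON p.oid = t.tgfoid
WHERE  NOT t.tgisinternal                 -- skip FK/constraint triggers
  AND  p.prosecdef                        -- function is SECURITY DEFINER
  AND  NOT has_function_privilege(c.relowner, p.oid, 'EXECUTE')
ORDER  BY 1, 2, 3;

-- Demonstration of the fixed behaviour (constructed objects).
-- As a privileged role: a SECURITY DEFINER function that PUBLIC may not run.
CREATE FUNCTION audit_fn() RETURNS trigger
  LANGUAGE plpgsql SECURITY DEFINER
  AS $$ BEGIN RETURN NEW; END $$;
REVOKE EXECUTE ON FUNCTION audit_fn() FROM PUBLIC;

-- As role app_user, which owns app_tbl but has no EXECUTE on audit_fn():
-- before the fix this succeeded; on 9.1.3 / 9.0.7 / 8.4.11 / 8.3.18 it
-- fails with "permission denied for function audit_fn".
CREATE TRIGGER app_tbl_audit
  BEFORE INSERT ON app_tbl
  FOR EACH ROW EXECUTE PROCEDURE audit_fn();
```

The audit uses the table owner as a proxy for the trigger's creator, since the catalog does not record who ran CREATE TRIGGER; a trigger created by a superuser on a user-owned table will also appear and can be reviewed on its own merits.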

The SSL fix resolves a problem with SSL common name truncation, which could allow hijacking of an SSL connection under exceptional circumstances. Because the name extracted from an SSL certificate was incorrectly truncated to 32 characters, it was theoretically possible to spoof the name on a false certificate whose first 32 characters matched the expected one.

The final security fix is to the pg_dump program. pg_dump copies object names into comments in the SQL script without sanitizing them; since a newline ends a single-line comment, an object name that includes a newline makes it possible to add SQL commands to the dump script. When the dump script is reloaded, those commands are executed with the privileges of whoever is running the script.

Users of pg_dump, users of SSL certificates for validation, or users of triggers that call SECURITY DEFINER functions should upgrade their installations immediately.

This release also contains 45 fixes to version 9.1, and a smaller number of fixes to older versions, including:

  • Fix btree index corruption from insertions concurrent with vacuuming
  • Recover from errors occurring during WAL replay of DROP TABLESPACE
  • Fix transient zeroing of shared buffers during WAL replay
  • Fix postmaster to attempt restart after a hot-standby crash
  • Fix corner case in SSI transaction cleanup
  • Update per-column permissions, not only per-table permissions, when changing table owner
  • Fix handling of data-modifying WITH subplans in READ COMMITTED rechecking
  • Fix for “could not find plan for CTE” failures
  • Fix unsupported node type error caused by COLLATE in an INSERT expression
  • Avoid crashing when we have problems deleting table files post-commit
  • Fix recently-introduced memory leak in processing of inet/cidr
  • Fix GIN cost estimation to handle column IN (…) index conditions
  • Fix I/O-conversion-related memory leaks in plpgsql
  • Teach pg_upgrade to handle renaming of plpython’s shared library (affecting upgrades to 9.1)

More information about the updates, including a full list of fixes and changes, can be found in the 9.1.3, 9.0.7, 8.4.11 and 8.3.18 release notes.

PostgreSQL can be downloaded from:

Exim, CouchDB and PostgreSQL All Updated To Close Security Holes

Three major open source server components have been updated to fix unrelated vulnerabilities. With Microsoft’s recent announcement of problems with the MHTML handler in all versions of Windows since XP, now it is the turn of some of the major open source projects to patch their software.

The Exim email server project has announced the release of Exim 4.74, which is primarily a security and bug fix release, with the top security fix being for CVE-2011-0017. Errors in the open_log function in log.c in Exim 4.72 and earlier mean the function does not check the return value of the setuid or setgid system calls. This in turn could allow local users to append log data to arbitrary files via a symlink attack.

The Apache CouchDB Project, the NoSQL document-oriented database, has released version 1.0.2 with over 30 changes and fixes. Amongst the bugs squashed are cross-site scripting issues, as detailed in CVE-2010-3854. Due to inadequate validation of request parameters and cookie data in Futon, CouchDB’s web-based administration UI, a malicious site can execute arbitrary code in the context of a user’s browsing session.

Apache are recommending that all users upgrade to V1.0.2. Upgrades from the 0.11.x and 0.10.x series should be seamless. Users on earlier versions should consult http://wiki.apache.org/couchdb/Breaking_changes.

And another popular open source database has also been updated, this time PostgreSQL. The project has released security updates for all active branches of PostgreSQL including versions 9.0.3, 8.4.7, 8.3.14 and 8.2.20.

This security release tackles 63 bugs, the most important being a buffer overrun problem described in CVE-2010-4015. This buffer overflow bug (present in all branches before 9.0.3, 8.4.7, 8.3.14, and 8.2.20) allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via integers with a large number of digits passed to unspecified functions.

Security updates for PostgreSQL

A flaw in all versions of PostgreSQL since 7.4 allows users to modify functions written in a procedural language such as Perl or Tcl at run-time. Corrected binaries and source code packages for PostgreSQL 9.0.1 became available at the project’s web site earlier today.
