USN-876-1: PostgreSQL vulnerabilities


 
01-03-2010

Referenced CVEs:
CVE-2009-4034, CVE-2009-4136


Description:
===========================================================
Ubuntu Security Notice USN-876-1 January 03, 2010
postgresql-8.1, postgresql-8.3, postgresql-8.4 vulnerabilities
CVE-2009-4034, CVE-2009-4136
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  postgresql-8.1 8.1.19-0ubuntu0.6.06

Ubuntu 8.04 LTS:
  postgresql-8.3 8.3.9-0ubuntu8.04

Ubuntu 8.10:
  postgresql-8.3 8.3.9-0ubuntu8.10

Ubuntu 9.04:
  postgresql-8.3 8.3.9-0ubuntu9.04

Ubuntu 9.10:
  postgresql-8.4 8.4.2-0ubuntu9.10

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that PostgreSQL did not properly handle certificates with
NULL characters in the Common Name field of X.509 certificates. An attacker
could exploit this to perform a man in the middle attack to view sensitive
information or alter encrypted communications. (CVE-2009-4034)

It was discovered that PostgreSQL did not properly manage session-local
state. A remote authenticated user could exploit this to escalate
privileges within PostgreSQL. (CVE-2009-4136)
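
Added example, not part of the advisory and not PostgreSQL's own code: a sketch of the general bug class behind CVE-2009-4034, where a Common Name handled as a C string is cut off at the first NUL byte, next to a length-aware check that rejects such names. The function names and the sample CN values are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Naive check: treats the CN bytes as a C string, so the comparison
 * stops at the first NUL and everything after it is ignored. */
int cn_matches_naive(const char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;               /* length from the parser is never used */
    return strcmp(cn, host) == 0;
}

/* Hardened check: uses the length reported by the certificate parser
 * and refuses any CN that contains an embedded NUL.
 * Exact match only; wildcard and case handling are left out. */
int cn_matches_strict(const char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;               /* embedded NUL: reject outright */
    if (cn_len != strlen(host))
        return 0;               /* lengths differ: cannot be equal */
    return memcmp(cn, host, cn_len) == 0;
}

/* Constructed sample CN values, not taken from any real certificate.
 * sizeof(...) - 1 gives the full length, embedded NUL included. */
static const char CN_GOOD[] = "db.example.com";
static const char CN_NUL[]  = "db.example.com\0.untrusted.example";

int main(void)
{
    const char *host = "db.example.com";

    printf("naive,  CN with NUL: %d\n",
           cn_matches_naive(CN_NUL, sizeof(CN_NUL) - 1, host));
    printf("strict, CN with NUL: %d\n",
           cn_matches_strict(CN_NUL, sizeof(CN_NUL) - 1, host));
    printf("strict, clean CN:    %d\n",
           cn_matches_strict(CN_GOOD, sizeof(CN_GOOD) - 1, host));
    return 0;
}
```

The same length-versus-strlen comparison is a useful review check in any client code that copies a certificate name into a char buffer before matching it against a hostname.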




