
COMMUNICATION CONTENT

August 01, 2008

Dear Valued Ingres Customer:

Information security is of utmost priority to Ingres. A number of vulnerabilities have recently been identified in Ingres 2006 release 2 (9.1.0), Ingres 2006 release 1 (9.0.4), and Ingres 2.6. We have given these vulnerabilities a security threat level of "High" and recommend that the available security patches be applied immediately.

Fixes are available for the current release of Ingres 2006 release 2 (9.1.0), for Ingres 2006 release 1 (9.0.4), and for Ingres 2.6 versions on their respective platforms. The security fixes are available and can be quickly applied with little to no anticipated impact to systems.

Ingres customers with a current support contract can review the following knowledge base document for information on downloading the available fixes: View in Ingres Service Desk.

We would like to additionally thank iDefense Labs for bringing the following vulnerabilities to our attention.

Ingres verifydb file create permission override - bug 118877
Description: An unauthenticated attacker can potentially set the user and/or group ownership of a verifydb log file to Ingres, allowing read/write permissions to both. This vulnerability impacts all platforms except VMS and Windows - CVE-2008-3356.

Ingres un-secure directory privileges with utility ingvalidpw - bug 118879
Description: An unauthenticated attacker can exploit a pointer overwrite vulnerability to execute arbitrary code within the context of the database server. This vulnerability impacts only Linux and HP platforms - CVE-2008-3357.

Ingres verifydb, iimerge, csreport buffer overflow - bug 118879
Description: An unauthenticated attacker can obtain ingres user privileges and, combined with the unsecured directory privileges vulnerability (CVE-2008-3357), can obtain root privileges. This vulnerability impacts only Linux and HP platforms - CVE-2008-3389.

For more information about Ingres security alerts, and to proactively receive these alerts via email, please register at: http://www.ingres.com/support/security-announcements.php.

Regards,

Bill Maimone
Senior Vice President, Engineering
Ingres Corporation

Pamela Fowler
VP of WW Support
Ingres Corporation