Ubuntu Security Notice 1789-1 - Mitsumasa Kondo and Kyotaro Horiguchi discovered that PostgreSQL incorrectly handled certain connection requests containing database names starting with a dash. A remote attacker could use this flaw to damage or destroy files within a server's data directory. This issue only applied to Ubuntu 11.10, Ubuntu 12.04 LTS, and Ubuntu 12.10. Marko Kreen discovered that PostgreSQL incorrectly generated random numbers. An authenticated attacker could use this flaw to possibly guess another database user's random numbers. Various other issues were also addressed.
3d54aa2573b486a74e8e765aa5c214a84ca4b6d865a5fa2f6fb3b3ebae1f2343
============================================================================
Ubuntu Security Notice USN-1789-1
April 04, 2013
postgresql-8.3, postgresql-8.4, postgresql-9.1 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
Summary:
Several security issues were fixed in PostgreSQL.
Software Description:
- postgresql-9.1: Object-relational SQL database
- postgresql-8.4: Object-relational SQL database
- postgresql-8.3: Object-relational SQL database
Details:
Mitsumasa Kondo and Kyotaro Horiguchi discovered that PostgreSQL
incorrectly handled certain connection requests containing database names
starting with a dash. A remote attacker could use this flaw to damage or
destroy files within a server's data directory. This issue only applied to
Ubuntu 11.10, Ubuntu 12.04 LTS, and Ubuntu 12.10. (CVE-2013-1899)
Marko Kreen discovered that PostgreSQL incorrectly generated random
numbers. An authenticated attacker could use this flaw to possibly guess
another database user's random numbers. (CVE-2013-1900)
Noah Misch discovered that PostgreSQL incorrectly handled certain privilege
checks. An unprivileged attacker could use this flaw to possibly interfere
with in-progress backups. This issue only applied to Ubuntu 11.10,
Ubuntu 12.04 LTS, and Ubuntu 12.10. (CVE-2013-1901)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
postgresql-9.1 9.1.9-0ubuntu12.10
Ubuntu 12.04 LTS:
postgresql-9.1 9.1.9-0ubuntu12.04
Ubuntu 11.10:
postgresql-9.1 9.1.9-0ubuntu11.10
Ubuntu 10.04 LTS:
postgresql-8.4 8.4.17-0ubuntu10.04
Ubuntu 8.04 LTS:
postgresql-8.3 8.3.23-0ubuntu8.04.1
This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
References:
http://www.ubuntu.com/usn/usn-1789-1
CVE-2013-1899, CVE-2013-1900, CVE-2013-1901
Package Information:
https://launchpad.net/ubuntu/+source/postgresql-9.1/9.1.9-0ubuntu12.10
https://launchpad.net/ubuntu/+source/postgresql-9.1/9.1.9-0ubuntu12.04
https://launchpad.net/ubuntu/+source/postgresql-9.1/9.1.9-0ubuntu11.10
https://launchpad.net/ubuntu/+source/postgresql-8.4/8.4.17-0ubuntu10.04
https://launchpad.net/ubuntu/+source/postgresql-8.3/8.3.23-0ubuntu8.04.1