exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Mandriva Linux Security Advisory 2013-142

Mandriva Linux Security Advisory 2013-142
Posted Apr 12, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-142 - Multiple vulnerabilities has been discovered and corrected in PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticated users to cause a denial of service or read sensitive process memory via a crafted SQL command, which triggers an array index error and an out-of-bounds read. Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service , and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a - (hyphen). PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the contrib/pgcrypto functions. PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the pg_start_backup or pg_stop_backup functions. This advisory provides the latest versions of PostgreSQL that is not vulnerable to these issues.

tags | advisory, remote, denial of service, arbitrary, vulnerability
systems | linux, mandriva
advisories | CVE-2013-0255, CVE-2013-1899, CVE-2013-1900, CVE-2013-1901
SHA-256 | 97ef8bcb916420d4415444226f145e62867a5c2ca8b49fbfaeb4914d3e2495a2

Mandriva Linux Security Advisory 2013-142

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:142
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : postgresql
Date : April 11, 2013
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been discovered and corrected in
postgresql:

PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12,
8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare
the enum_recv function in backend/utils/adt/enum.c, which causes it to
be invoked with incorrect arguments and allows remote authenticated
users to cause a denial of service (server crash) or read sensitive
process memory via a crafted SQL command, which triggers an array
index error and an out-of-bounds read (CVE-2013-0255).

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4,
9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers
to cause a denial of service (file corruption), and allows remote
authenticated users to modify configuration settings and execute
arbitrary code, via a connection request using a database name that
begins with a - (hyphen) (CVE-2013-1899).

PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13,
and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently
random numbers, which might allow remote authenticated users to have
an unspecified impact via vectors related to the contrib/pgcrypto
functions. (CVE-2013-1900).

PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly
check REPLICATION privileges, which allows remote authenticated
users to bypass intended backup restrictions by calling the (1)
pg_start_backup or (2) pg_stop_backup functions (CVE-2013-1901).

This advisory provides the latest versions of PostgreSQL that is not
vulnerable to these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0255
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901
http://www.postgresql.org/docs/9.2/static/release-9-2-3.html
http://www.postgresql.org/docs/9.2/static/release-9-2-4.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
90f16928761e6730bbf5c02ce879bd1b mbs1/x86_64/lib64ecpg9.2_6-9.2.4-1.mbs1.x86_64.rpm
91aa3b3566460984204bf54ce20e5a5f mbs1/x86_64/lib64pq9.2_5-9.2.4-1.mbs1.x86_64.rpm
012638a43606dec11a6094e35ba450a2 mbs1/x86_64/postgresql9.2-9.2.4-1.mbs1.x86_64.rpm
9350db850f0b2caaf845c85b32877a54 mbs1/x86_64/postgresql9.2-contrib-9.2.4-1.mbs1.x86_64.rpm
27c4fd997b7504896051b7a980484a21 mbs1/x86_64/postgresql9.2-devel-9.2.4-1.mbs1.x86_64.rpm
887f692d637c7c35ead32f83c2ee9710 mbs1/x86_64/postgresql9.2-docs-9.2.4-1.mbs1.noarch.rpm
5384bf37605ada4badd44882f2bc8315 mbs1/x86_64/postgresql9.2-pl-9.2.4-1.mbs1.x86_64.rpm
fc4a79372edfc428ef94221e3240f24c mbs1/x86_64/postgresql9.2-plperl-9.2.4-1.mbs1.x86_64.rpm
f2da635c2af4c8c10145e5657d1bcbad mbs1/x86_64/postgresql9.2-plpgsql-9.2.4-1.mbs1.x86_64.rpm
29e26bce0c2ff533981a075af8b2d5b1 mbs1/x86_64/postgresql9.2-plpython-9.2.4-1.mbs1.x86_64.rpm
fcb4ae81ef6e32d80432df14291c91fc mbs1/x86_64/postgresql9.2-pltcl-9.2.4-1.mbs1.x86_64.rpm
64f6ac8a41d4b1b88c182c74ddfb48b5 mbs1/x86_64/postgresql9.2-server-9.2.4-1.mbs1.x86_64.rpm
77f2a88d1d097ccc89e63afa6cb11a96 mbs1/SRPMS/postgresql9.2-9.2.4-1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRZr3nmqjQ0CJFipgRAuUJAJ9FzULhMZXHG5ZfRfeG3QOIK3g7BACeOeVj
+OBgWtjawEtXbTc9pnB/v8o=
=i4rt
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close