Ubuntu Security Notice 3476-2 - USN-3476-1 fixed two vulnerabilities in postgresql-common. This update provides the corresponding update for Ubuntu 12.04 ESM. Dawid Golunski discovered that the postgresql-common pg_ctlcluster script incorrectly handled symlinks. A local attacker could possibly use this issue to escalate privileges. Various other issues were also addressed.
334649fe863d6da15bfb22775417958a6004976a01d7fb36d76466fbe9a48233
==========================================================================
Ubuntu Security Notice USN-3476-2
November 27, 2017
postgresql-common vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
postgresql-common could be made to overwrite files as the
administrator.
Software Description:
- postgresql-common: PostgreSQL database-cluster manager
Details:
USN-3476-1 fixed two vulnerabilities in postgresql-common. This update
provides the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
Dawid Golunski discovered that the postgresql-common pg_ctlcluster
script incorrectly handled symlinks. A local attacker could possibly
use this issue to escalate privileges. (CVE-2016-1255)
It was discovered that the postgresql-common helper scripts
incorrectly handled symlinks. A local attacker could possibly use this
issue to escalate privileges. (CVE-2017-8806)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
postgresql-common 129ubuntu1.2
In general, a standard system update will make all the necessary
changes.
References:
https://www.ubuntu.com/usn/usn-3476-2
https://www.ubuntu.com/usn/usn-3476-1
CVE-2016-1255, CVE-2017-8806