Executive Summary
Summary | |
---|---|
Title | New postgresql-8.3 packages fix several vulnerabilities |
Informations | |||
---|---|---|---|
Name | DSA-2051 | First vendor Publication | 2010-05-24 |
Vendor | Debian | Last vendor Modification | 2010-05-24 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:S/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 8.5 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 6.8 | Authentication | Requires single instance |
Calculate full CVSS 2.0 Vectors scores |
Detail
Several local vulnerabilities have been discovered in PostgreSQL, an object-relational SQL database. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-1169 Tim Bunce discovered that the implementation of the procedural language PL/Perl insufficiently restricts the subset of allowed code, which allows authenticated users the execution of arbitrary Perl code. CVE-2010-1170 Tom Lane discovered that the implementation of the procedural language PL/Tcl insufficiently restricts the subset of allowed code, which allows authenticated users the execution of arbitrary Tcl code. CVE-2010-1975 It was discovered that an unprivileged user could reset superuser-only parameter settings. For the stable distribution (lenny), these problems have been fixed in version 8.3.11-0lenny1. This update also introduces a fix for CVE-2010-0442, which was originally scheduled for the next Lenny point update. For the unstable distribution (sid), these problems have been fixed in version 8.4.4-1 of postgresql-8.4. We recommend that you upgrade your postgresql-8.3 packages. |
Original Source
Url : http://www.debian.org/security/2010/dsa-2051 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-264 | Permissions, Privileges, and Access Controls |
25 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
25 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:13636 | |||
Oval ID: | oval:org.mitre.oval:def:13636 | ||
Title: | DSA-2051-1 postgresql-8.3 -- several | ||
Description: | Several local vulnerabilities have been discovered in PostgreSQL, an object-relational SQL database. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-1169 Tim Bunce discovered that the implementation of the procedural language PL/Perl insufficiently restricts the subset of allowed code, which allows authenticated users the execution of arbitrary Perl code. CVE-2010-1170 Tom Lane discovered that the implementation of the procedural language PL/Tcl insufficiently restricts the subset of allowed code, which allows authenticated users the execution of arbitrary Tcl code. CVE-2010-1975 It was discovered that an unprivileged user could reset superuser-only parameter settings. For the stable distribution, these problems have been fixed in version 8.3.11-0lenny1. This update also introduces a fix for CVE-2010-0442, which was originally scheduled for the next Lenny point update. For the unstable distribution, these problems have been fixed in version 8.4.4-1 of postgresql-8.4. We recommend that you upgrade your postgresql-8.3 packages. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2051-1 CVE-2010-0442 CVE-2010-1169 CVE-2010-1170 CVE-2010-1975 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | postgresql-8.3 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21774 | |||
Oval ID: | oval:org.mitre.oval:def:21774 | ||
Title: | RHSA-2010:0429: postgresql security update (Moderate) | ||
Description: | PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not properly check privileges during certain RESET ALL operations, which allows remote authenticated users to remove arbitrary parameter settings via a (1) ALTER USER or (2) ALTER DATABASE statement. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2010:0429-01 CESA-2010:0429 CVE-2009-4136 CVE-2010-0442 CVE-2010-0733 CVE-2010-1169 CVE-2010-1170 CVE-2010-1975 | Version: | 81 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | postgresql |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-02-12 | Name : Gentoo Security Advisory GLSA 201110-22 (postgresql-server postgresql-base) File : nvt/glsa_201110_22.nasl |
2011-08-09 | Name : CentOS Update for postgresql CESA-2010:0429 centos5 i386 File : nvt/gb_CESA-2010_0429_postgresql_centos5_i386.nasl |
2011-08-09 | Name : CentOS Update for postgresql84 CESA-2010:0430 centos5 i386 File : nvt/gb_CESA-2010_0430_postgresql84_centos5_i386.nasl |
2011-02-11 | Name : Fedora Update for postgresql FEDORA-2011-0963 File : nvt/gb_fedora_2011_0963_postgresql_fc13.nasl |
2010-12-02 | Name : Fedora Update for sepostgresql FEDORA-2010-15870 File : nvt/gb_fedora_2010_15870_sepostgresql_fc14.nasl |
2010-11-04 | Name : Fedora Update for sepostgresql FEDORA-2010-16004 File : nvt/gb_fedora_2010_16004_sepostgresql_fc13.nasl |
2010-10-22 | Name : Fedora Update for postgresql FEDORA-2010-15960 File : nvt/gb_fedora_2010_15960_postgresql_fc13.nasl |
2010-10-22 | Name : Fedora Update for postgresql FEDORA-2010-15954 File : nvt/gb_fedora_2010_15954_postgresql_fc12.nasl |
2010-06-03 | Name : Debian Security Advisory DSA 2051-1 (postgresql-8.3) File : nvt/deb_2051_1.nasl |
2010-05-28 | Name : RedHat Update for postgresql84 RHSA-2010:0430-01 File : nvt/gb_RHSA-2010_0430-01_postgresql84.nasl |
2010-05-28 | Name : RedHat Update for postgresql RHSA-2010:0429-01 File : nvt/gb_RHSA-2010_0429-01_postgresql.nasl |
2010-05-28 | Name : RedHat Update for postgresql RHSA-2010:0428-01 File : nvt/gb_RHSA-2010_0428-01_postgresql.nasl |
2010-05-28 | Name : RedHat Update for postgresql RHSA-2010:0427-01 File : nvt/gb_RHSA-2010_0427-01_postgresql.nasl |
2010-05-28 | Name : CentOS Update for postgresql CESA-2010:0428 centos4 i386 File : nvt/gb_CESA-2010_0428_postgresql_centos4_i386.nasl |
2010-05-28 | Name : Fedora Update for postgresql FEDORA-2010-8715 File : nvt/gb_fedora_2010_8715_postgresql_fc12.nasl |
2010-05-28 | Name : Fedora Update for postgresql FEDORA-2010-8723 File : nvt/gb_fedora_2010_8723_postgresql_fc11.nasl |
2010-05-28 | Name : CentOS Update for rh-postgresql CESA-2010:0427 centos3 i386 File : nvt/gb_CESA-2010_0427_rh-postgresql_centos3_i386.nasl |
2010-05-28 | Name : Mandriva Update for postgresql MDVSA-2010:103 (postgresql) File : nvt/gb_mandriva_MDVSA_2010_103.nasl |
2010-05-28 | Name : Ubuntu Update for PostgreSQL vulnerabilities USN-942-1 File : nvt/gb_ubuntu_USN_942_1.nasl |
2010-05-21 | Name : PostgreSQL 'RESET ALL' Unauthorized Access Vulnerability File : nvt/gb_postgresql_40304.nasl |
2010-05-19 | Name : PostgreSQL Multiple Security Vulnerabilities File : nvt/gb_postgresql_40215.nasl |
2010-04-30 | Name : Ubuntu Update for PostgreSQL vulnerability USN-933-1 File : nvt/gb_ubuntu_USN_933_1.nasl |
2010-03-30 | Name : FreeBSD Ports: postgresql-server File : nvt/freebsd_postgresql-server0.nasl |
2010-03-22 | Name : Mandriva Update for poppler MDVA-2010:103 (poppler) File : nvt/gb_mandriva_MDVA_2010_103.nasl |
2010-01-28 | Name : PostgreSQL 'bitsubstr' Buffer Overflow Vulnerability File : nvt/postgresql_37973.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
64792 | PostgreSQL RESET ALL Operation Privilege Check Weakness Arbitrary Parameter S... |
64757 | PostgreSQL PL / Tcl Implementation pltcl_modules Table Permission Weakness Ar... |
64755 | PostgreSQL Safe Module PL / perl Procedure Restriction Weakness Arbitrary Per... |
62129 | PostgreSQL backend/utils/adt/varbit.c bitsubstr Function Remote DoS |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2012-08-16 | IAVM : 2012-A-0136 - Multiple Vulnerabilities in Juniper Network Management Products Severity : Category I - VMSKEY : V0033662 |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | PostgreSQL bit substring buffer overflow attempt RuleID : 16393 - Revision : 9 - Type : SERVER-OTHER |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-09-13 | Name : The remote host is affected by multiple vulnerabilities. File : juniper_nsm_2012_1.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0430.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0429.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0428.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0427.nasl - Type : ACT_GATHER_INFO |
2012-12-28 | Name : The remote database server is affected by multiple vulnerabilities. File : postgresql_20100517.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100519_postgresql84_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100519_postgresql_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2011-10-25 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201110-22.nasl - Type : ACT_GATHER_INFO |
2010-12-02 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_postgresql-100525.nasl - Type : ACT_GATHER_INFO |
2010-10-29 | Name : The remote Fedora host is missing a security update. File : fedora_2010-15870.nasl - Type : ACT_GATHER_INFO |
2010-10-28 | Name : The remote Fedora host is missing a security update. File : fedora_2010-16004.nasl - Type : ACT_GATHER_INFO |
2010-10-11 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_postgresql-7053.nasl - Type : ACT_GATHER_INFO |
2010-07-14 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_postgresql-100525.nasl - Type : ACT_GATHER_INFO |
2010-07-14 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_postgresql-100525.nasl - Type : ACT_GATHER_INFO |
2010-07-14 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_postgresql-100525.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-8715.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-8723.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-8696.nasl - Type : ACT_GATHER_INFO |
2010-06-01 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0430.nasl - Type : ACT_GATHER_INFO |
2010-06-01 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0429.nasl - Type : ACT_GATHER_INFO |
2010-05-25 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2051.nasl - Type : ACT_GATHER_INFO |
2010-05-24 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0427.nasl - Type : ACT_GATHER_INFO |
2010-05-24 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-942-1.nasl - Type : ACT_GATHER_INFO |
2010-05-24 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0428.nasl - Type : ACT_GATHER_INFO |
2010-05-21 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-103.nasl - Type : ACT_GATHER_INFO |
2010-05-20 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0430.nasl - Type : ACT_GATHER_INFO |
2010-05-20 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0429.nasl - Type : ACT_GATHER_INFO |
2010-05-20 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0428.nasl - Type : ACT_GATHER_INFO |
2010-05-20 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0427.nasl - Type : ACT_GATHER_INFO |
2010-04-29 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-933-1.nasl - Type : ACT_GATHER_INFO |
2010-03-26 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_e050119b385611dfb2b2002170daae37.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:29:27 |
|