Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title PostgreSQL: Multiple vulnerabilities
Informations
Name GLSA-201209-24 First vendor Publication 2012-09-28
Vendor Gentoo Last vendor Modification 2012-09-28
Severity (Vendor) Normal Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score 6.8 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

Multiple vulnerabilities have been found in PostgreSQL which may allow a remote attacker to conduct several attacks.

Background

PostgreSQL is an open source object-relational database management system.

Description

Multiple vulnerabilities have been discovered in PostgreSQL. Please review the CVE identifiers referenced below for details.

Impact

A remote attacker could spoof SSL connections. Furthermore, a remote authenticated attacker could cause a Denial of Service, read and write arbitrary files, inject SQL commands into dump scripts, or bypass database restrictions to execute database functions.

A context-dependent attacker could more easily obtain access via authentication attempts with an initial substring of the intended password.

Workaround

There is no known workaround at this time.

Resolution

All PostgreSQL 9.1 server users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-server-9.1.5"

All PostgreSQL 9.0 server users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-server-9.0.9"

All PostgreSQL 8.4 server users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-db/postgresql-server-8.4.13"

All PostgreSQL 8.3 server users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-db/postgresql-server-8.3.20"

References

[ 1 ] CVE-2012-0866 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0866
[ 2 ] CVE-2012-0867 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0867
[ 3 ] CVE-2012-0868 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0868
[ 4 ] CVE-2012-2143 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2143
[ 5 ] CVE-2012-2655 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2655
[ 6 ] CVE-2012-3488 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3488
[ 7 ] CVE-2012-3489 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3489

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201209-24.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-201209-24.xml

CWE : Common Weakness Enumeration

% Id Name
25 % CWE-264 Permissions, Privileges, and Access Controls
12 % CWE-611 Information Leak Through XML External Entity File Disclosure
12 % CWE-399 Resource Management Errors
12 % CWE-310 Cryptographic Issues
12 % CWE-295 Certificate Issues
12 % CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)
12 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:15024
 
Oval ID: oval:org.mitre.oval:def:15024
Title: DSA-2418-1 postgresql-8.4 -- several
Description: Several local vulnerabilities have been discovered in PostgreSQL, an object-relational SQL database. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2012-0866 It was discovered that the permissions of a function called by a trigger are not checked. This could result in privilege escalation. CVE-2012-0867 It was discovered that only the first 32 characters of a host name are checked when validating host names through SSL certificates. This could result in spoofing the connection in limited circumstances. CVE-2012-0868 It was discovered that pg_dump did not sanitise object names. This could result in arbitrary SQL command execution if a malformed dump file is opened.
Family: unix Class: patch
Reference(s): DSA-2418-1
CVE-2012-0866
CVE-2012-0867
CVE-2012-0868
 Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
 Product(s): postgresql-8.4
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15167
 
Oval ID: oval:org.mitre.oval:def:15167
Title: USN-1378-1 -- PostgreSQL vulnerabilities
Description: postgresql-9.1: Object-relational SQL database - postgresql-8.4: Object-relational SQL database - postgresql-8.3: Object-relational SQL database Several security issues were fixed in PostgreSQL.
Family: unix Class: patch
Reference(s): USN-1378-1
CVE-2012-0866
CVE-2012-0867
CVE-2012-0868
 Version: 5
Platform(s): Ubuntu 11.04
Ubuntu 11.10
Ubuntu 8.04
Ubuntu 10.04
Ubuntu 10.10
 Product(s): PostgreSQL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:17690
 
Oval ID: oval:org.mitre.oval:def:17690
Title: USN-1461-1 -- postgresql-8.3, postgresql-8.4, postgresql-9.1 vulnerabilities
Description: PostgreSQL could be made to crash or incorrectly handle authentication.
Family: unix Class: patch
Reference(s): USN-1461-1
CVE-2012-2143
CVE-2012-2655
 Version: 7
Platform(s): Ubuntu 12.04
Ubuntu 11.10
Ubuntu 11.04
Ubuntu 10.04
Ubuntu 8.04
 Product(s): postgresql-9.1
postgresql-8.4
postgresql-8.3
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:17821
 
Oval ID: oval:org.mitre.oval:def:17821
Title: USN-1542-1 -- postgresql-8.3, postgresql-8.4, postgresql-9.1 vulnerabilities
Description: PostgreSQL could allow unintended access to files over the network when using the XML2 extension.
Family: unix Class: patch
Reference(s): USN-1542-1
CVE-2012-3488
CVE-2012-3489
 Version: 7
Platform(s): Ubuntu 12.04
Ubuntu 11.10
Ubuntu 11.04
Ubuntu 10.04
Ubuntu 8.04
 Product(s): postgresql-9.1
postgresql-8.4
postgresql-8.3
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18474
 
Oval ID: oval:org.mitre.oval:def:18474
Title: DSA-2534-1 postgresql-8.4 - several
Description: Two vulnerabilities related to XML processing were discovered in PostgreSQL, an SQL database.
Family: unix Class: patch
Reference(s): DSA-2534-1
CVE-2012-3488
CVE-2012-3489
 Version: 7
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
 Product(s): postgresql-8.4
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18544
 
Oval ID: oval:org.mitre.oval:def:18544
Title: DSA-2491-1 postgresql-8.4 - several
Description: Two vulnerabilities were discovered in PostgreSQL, an SQL database server.
Family: unix Class: patch
Reference(s): DSA-2491-1
CVE-2012-2143
CVE-2012-2655
 Version: 7
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
 Product(s): postgresql-8.4
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21339
 
Oval ID: oval:org.mitre.oval:def:21339
Title: RHSA-2012:0678: postgresql and postgresql84 security update (Moderate)
Description: CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are inserted into an SQL script that is used when the database is restored.
Family: unix Class: patch
Reference(s): RHSA-2012:0678-01
CESA-2012:0678
CVE-2012-0866
CVE-2012-0867
CVE-2012-0868
 Version: 42
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
CentOS Linux 5
CentOS Linux 6
 Product(s): postgresql84
postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21356
 
Oval ID: oval:org.mitre.oval:def:21356
Title: RHSA-2012:1263: postgresql and postgresql84 security update (Moderate)
Description: The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.
Family: unix Class: patch
Reference(s): RHSA-2012:1263-01
CESA-2012:1263
CVE-2012-3488
CVE-2012-3489
 Version: 29
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
CentOS Linux 5
CentOS Linux 6
 Product(s): postgresql84
postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21377
 
Oval ID: oval:org.mitre.oval:def:21377
Title: RHSA-2012:1036: postgresql security update (Moderate)
Description: The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.
Family: unix Class: patch
Reference(s): RHSA-2012:1036-00
CESA-2012:1036
CVE-2012-2143
 Version: 4
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
 Product(s): postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21471
 
Oval ID: oval:org.mitre.oval:def:21471
Title: RHSA-2012:0677: postgresql security update (Moderate)
Description: CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are inserted into an SQL script that is used when the database is restored.
Family: unix Class: patch
Reference(s): RHSA-2012:0677-00
CESA-2012:0677
CVE-2012-0866
CVE-2012-0868
 Version: 29
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
 Product(s): postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21547
 
Oval ID: oval:org.mitre.oval:def:21547
Title: RHSA-2012:1264: postgresql security update (Moderate)
Description: The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.
Family: unix Class: patch
Reference(s): RHSA-2012:1264-00
CESA-2012:1264
CVE-2012-3488
 Version: 4
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
 Product(s): postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21572
 
Oval ID: oval:org.mitre.oval:def:21572
Title: RHSA-2012:1037: postgresql and postgresql84 security update (Moderate)
Description: PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4 allows remote authenticated users to cause a denial of service (server crash) by adding the (1) SECURITY DEFINER or (2) SET attributes to a procedural language's call handler.
Family: unix Class: patch
Reference(s): RHSA-2012:1037-01
CESA-2012:1037
CVE-2012-2143
CVE-2012-2655
 Version: 29
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
CentOS Linux 5
CentOS Linux 6
 Product(s): postgresql84
postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23044
 
Oval ID: oval:org.mitre.oval:def:23044
Title: ELSA-2012:1036: postgresql security update (Moderate)
Description: The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.
Family: unix Class: patch
Reference(s): ELSA-2012:1036-00
CVE-2012-2143
 Version: 6
Platform(s): Oracle Linux 5
 Product(s): postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23197
 
Oval ID: oval:org.mitre.oval:def:23197
Title: ELSA-2012:1264: postgresql security update (Moderate)
Description: The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.
Family: unix Class: patch
Reference(s): ELSA-2012:1264-00
CVE-2012-3488
 Version: 6
Platform(s): Oracle Linux 5
 Product(s): postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23252
 
Oval ID: oval:org.mitre.oval:def:23252
Title: DEPRECATED: ELSA-2012:0678: postgresql and postgresql84 security update (Moderate)
Description: CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are inserted into an SQL script that is used when the database is restored.
Family: unix Class: patch
Reference(s): ELSA-2012:0678-01
CVE-2012-0866
CVE-2012-0867
CVE-2012-0868
 Version: 18
Platform(s): Oracle Linux 5
Oracle Linux 6
 Product(s): postgresql84
postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23300
 
Oval ID: oval:org.mitre.oval:def:23300
Title: DEPRECATED: ELSA-2012:1037: postgresql and postgresql84 security update (Moderate)
Description: PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4 allows remote authenticated users to cause a denial of service (server crash) by adding the (1) SECURITY DEFINER or (2) SET attributes to a procedural language's call handler.
Family: unix Class: patch
Reference(s): ELSA-2012:1037-01
CVE-2012-2143
CVE-2012-2655
 Version: 14
Platform(s): Oracle Linux 5
Oracle Linux 6
 Product(s): postgresql84
postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23390
 
Oval ID: oval:org.mitre.oval:def:23390
Title: DEPRECATED: ELSA-2012:1263: postgresql and postgresql84 security update (Moderate)
Description: The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.
Family: unix Class: patch
Reference(s): ELSA-2012:1263-01
CVE-2012-3488
CVE-2012-3489
 Version: 14
Platform(s): Oracle Linux 5
Oracle Linux 6
 Product(s): postgresql84
postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23418
 
Oval ID: oval:org.mitre.oval:def:23418
Title: ELSA-2012:0677: postgresql security update (Moderate)
Description: CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are inserted into an SQL script that is used when the database is restored.
Family: unix Class: patch
Reference(s): ELSA-2012:0677-00
CVE-2012-0866
CVE-2012-0868
 Version: 13
Platform(s): Oracle Linux 5
 Product(s): postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23579
 
Oval ID: oval:org.mitre.oval:def:23579
Title: ELSA-2012:1263: postgresql and postgresql84 security update (Moderate)
Description: The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.
Family: unix Class: patch
Reference(s): ELSA-2012:1263-01
CVE-2012-3488
CVE-2012-3489
 Version: 13
Platform(s): Oracle Linux 5
Oracle Linux 6
 Product(s): postgresql84
postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23770
 
Oval ID: oval:org.mitre.oval:def:23770
Title: ELSA-2012:0678: postgresql and postgresql84 security update (Moderate)
Description: CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are inserted into an SQL script that is used when the database is restored.
Family: unix Class: patch
Reference(s): ELSA-2012:0678-01
CVE-2012-0866
CVE-2012-0867
CVE-2012-0868
 Version: 17
Platform(s): Oracle Linux 5
Oracle Linux 6
 Product(s): postgresql84
postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23841
 
Oval ID: oval:org.mitre.oval:def:23841
Title: ELSA-2012:1037: postgresql and postgresql84 security update (Moderate)
Description: PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4 allows remote authenticated users to cause a denial of service (server crash) by adding the (1) SECURITY DEFINER or (2) SET attributes to a procedural language's call handler.
Family: unix Class: patch
Reference(s): ELSA-2012:1037-01
CVE-2012-2143
CVE-2012-2655
 Version: 13
Platform(s): Oracle Linux 5
Oracle Linux 6
 Product(s): postgresql84
postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27122
 
Oval ID: oval:org.mitre.oval:def:27122
Title: DEPRECATED: ELSA-2012-1036 -- postgresql security update (moderate)
Description: [8.1.23-5] - Back-port upstream fix for CVE-2012-2143 Resolves: #830721
Family: unix Class: patch
Reference(s): ELSA-2012-1036
CVE-2012-2143
 Version: 4
Platform(s): Oracle Linux 5
 Product(s): postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27283
 
Oval ID: oval:org.mitre.oval:def:27283
Title: DEPRECATED: ELSA-2012-1264 -- postgresql security update (moderate)
Description: [8.1.23-6] - Back-port upstream fix for CVE-2012-3488 Resolves: #852015
Family: unix Class: patch
Reference(s): ELSA-2012-1264
CVE-2012-3488
 Version: 4
Platform(s): Oracle Linux 5
 Product(s): postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27718
 
Oval ID: oval:org.mitre.oval:def:27718
Title: DEPRECATED: ELSA-2012-1037 -- postgresql and postgresql84 security update (moderate)
Description: [8.4.12-1] - Update to PostgreSQL 8.4.12, for various fixes described at http://www.postgresql.org/docs/8.4/static/release-8-4-12.html including the fixes for CVE-2012-2143, CVE-2012-2655 Resolves: #830723 [8.4.11-2] - Add patches for CVE-2012-2143, CVE-2012-2655 Resolves: #830723 [8.4.11-1] - Update to PostgreSQL 8.4.11, for various fixes described at http://www.postgresql.org/docs/8.4/static/release-8-4-11.html http://www.postgresql.org/docs/8.4/static/release-8-4-10.html including the fixes for CVE-2012-0866, CVE-2012-0867, CVE-2012-0868 Resolves: #812077
Family: unix Class: patch
Reference(s): ELSA-2012-1037
CVE-2012-2143
CVE-2012-2655
 Version: 4
Platform(s): Oracle Linux 5
Oracle Linux 6
 Product(s): postgresql84
postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27787
 
Oval ID: oval:org.mitre.oval:def:27787
Title: DEPRECATED: ELSA-2012-1263 -- postgresql and postgresql84 security update (moderate)
Description: [8.4.13-1] - Update to PostgreSQL 8.4.13, for various fixes described at http://www.postgresql.org/docs/8.4/static/release-8-4-13.html including the fixes for CVE-2012-3488, CVE-2012-3489 Resolves: #852020
Family: unix Class: patch
Reference(s): ELSA-2012-1263
CVE-2012-3488
CVE-2012-3489
 Version: 4
Platform(s): Oracle Linux 5
Oracle Linux 6
 Product(s): postgresql84
postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27807
 
Oval ID: oval:org.mitre.oval:def:27807
Title: DEPRECATED: ELSA-2012-0678 -- postgresql and postgresql84 security update (moderate)
Description: [8.4.11-1] - Update to PostgreSQL 8.4.11, for various fixes described at http://www.postgresql.org/docs/8.4/static/release-8-4-11.html http://www.postgresql.org/docs/8.4/static/release-8-4-10.html including the fixes for CVE-2012-0866, CVE-2012-0867, CVE-2012-0868 Resolves: #812081
Family: unix Class: patch
Reference(s): ELSA-2012-0678
CVE-2012-0867
CVE-2012-0866
CVE-2012-0868
 Version: 4
Platform(s): Oracle Linux 5
Oracle Linux 6
 Product(s): postgresql84
postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27850
 
Oval ID: oval:org.mitre.oval:def:27850
Title: DEPRECATED: ELSA-2012-0677 -- postgresql security update (moderate)
Description: [8.1.23-4] - Back-port upstream fixes for CVE-2012-0866 and CVE-2012-0868 Resolves: #812070 [8.1.23-3] - Back-port upstream fix for unregistering OpenSSL callbacks at close Resolves: #728828 [8.1.23-2] - Back-port upstream fix for CVE-2011-2483 Resolves: #740738
Family: unix Class: patch
Reference(s): ELSA-2012-0677
CVE-2012-0866
CVE-2012-0868
 Version: 4
Platform(s): Oracle Linux 5
 Product(s): postgresql
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 441
Application 260
Os 80
Os 5
Os 1
Os 289
Os 3
Os 1
Os 1
Os 1
Os 2
Os 1
Os 1
Os 2
Os 1
Os 1
Os 2

OpenVAS Exploits

Date Description
2013-09-18 Name : Debian Security Advisory DSA 2534-1 (postgresql-8.4 - several vulnerabilities)
File : nvt/deb_2534_1.nasl
2012-10-03 Name : Gentoo Security Advisory GLSA 201209-24 (PostgreSQL)
File : nvt/glsa_201209_24.nasl
2012-09-26 Name : Gentoo Security Advisory GLSA 201209-03 (php)
File : nvt/glsa_201209_03.nasl
2012-09-25 Name : Mac OS X v10.6.8 Multiple Vulnerabilities (2012-004)
File : nvt/gb_macosx_su12-004.nasl
2012-09-17 Name : RedHat Update for postgresql RHSA-2012:1264-01
File : nvt/gb_RHSA-2012_1264-01_postgresql.nasl
2012-09-17 Name : RedHat Update for postgresql and postgresql84 RHSA-2012:1263-01
File : nvt/gb_RHSA-2012_1263-01_postgresql_and_postgresql84.nasl
2012-09-17 Name : CentOS Update for postgresql CESA-2012:1264 centos5
File : nvt/gb_CESA-2012_1264_postgresql_centos5.nasl
2012-09-17 Name : CentOS Update for postgresql84 CESA-2012:1263 centos5
File : nvt/gb_CESA-2012_1263_postgresql84_centos5.nasl
2012-09-17 Name : CentOS Update for postgresql CESA-2012:1263 centos6
File : nvt/gb_CESA-2012_1263_postgresql_centos6.nasl
2012-08-30 Name : Fedora Update for php FEDORA-2012-10936
File : nvt/gb_fedora_2012_10936_php_fc17.nasl
2012-08-30 Name : Fedora Update for php FEDORA-2012-9490
File : nvt/gb_fedora_2012_9490_php_fc17.nasl
2012-08-30 Name : Fedora Update for maniadrive FEDORA-2012-9490
File : nvt/gb_fedora_2012_9490_maniadrive_fc17.nasl
2012-08-30 Name : Fedora Update for postgresql FEDORA-2012-8924
File : nvt/gb_fedora_2012_8924_postgresql_fc17.nasl
2012-08-30 Name : Fedora Update for postgresql FEDORA-2012-2508
File : nvt/gb_fedora_2012_2508_postgresql_fc17.nasl
2012-08-30 Name : Fedora Update for postgresql FEDORA-2012-12165
File : nvt/gb_fedora_2012_12165_postgresql_fc17.nasl
2012-08-30 Name : Fedora Update for postgresql FEDORA-2012-12156
File : nvt/gb_fedora_2012_12156_postgresql_fc16.nasl
2012-08-30 Name : FreeBSD Ports: postgresql-server
File : nvt/freebsd_postgresql-server2.nasl
2012-08-21 Name : Ubuntu Update for postgresql-9.1 USN-1542-1
File : nvt/gb_ubuntu_USN_1542_1.nasl
2012-08-21 Name : Mandriva Update for postgresql MDVSA-2012:139 (postgresql)
File : nvt/gb_mandriva_MDVSA_2012_139.nasl
2012-08-10 Name : Debian Security Advisory DSA 2491-1 (postgresql-8.4)
File : nvt/deb_2491_1.nasl
2012-08-10 Name : FreeBSD Ports: FreeBSD
File : nvt/freebsd_FreeBSD18.nasl
2012-08-06 Name : Fedora Update for php FEDORA-2012-10908
File : nvt/gb_fedora_2012_10908_php_fc16.nasl
2012-08-03 Name : Mandriva Update for php MDVSA-2012:093 (php)
File : nvt/gb_mandriva_MDVSA_2012_093.nasl
2012-08-03 Name : Mandriva Update for postgresql MDVSA-2012:092 (postgresql)
File : nvt/gb_mandriva_MDVSA_2012_092.nasl
2012-07-30 Name : CentOS Update for postgresql84 CESA-2012:0678 centos5
File : nvt/gb_CESA-2012_0678_postgresql84_centos5.nasl
2012-07-30 Name : CentOS Update for postgresql CESA-2012:0677 centos5
File : nvt/gb_CESA-2012_0677_postgresql_centos5.nasl
2012-07-30 Name : CentOS Update for php53 CESA-2012:1047 centos5
File : nvt/gb_CESA-2012_1047_php53_centos5.nasl
2012-07-30 Name : CentOS Update for postgresql CESA-2012:0678 centos6
File : nvt/gb_CESA-2012_0678_postgresql_centos6.nasl
2012-07-30 Name : CentOS Update for postgresql84 CESA-2012:1037 centos5
File : nvt/gb_CESA-2012_1037_postgresql84_centos5.nasl
2012-07-30 Name : CentOS Update for postgresql CESA-2012:1037 centos6
File : nvt/gb_CESA-2012_1037_postgresql_centos6.nasl
2012-07-30 Name : CentOS Update for php CESA-2012:1046 centos6
File : nvt/gb_CESA-2012_1046_php_centos6.nasl
2012-07-30 Name : CentOS Update for postgresql CESA-2012:1036 centos5
File : nvt/gb_CESA-2012_1036_postgresql_centos5.nasl
2012-07-03 Name : Fedora Update for maniadrive FEDORA-2012-9762
File : nvt/gb_fedora_2012_9762_maniadrive_fc16.nasl
2012-07-03 Name : Fedora Update for php-eaccelerator FEDORA-2012-9762
File : nvt/gb_fedora_2012_9762_php-eaccelerator_fc16.nasl
2012-07-03 Name : Fedora Update for php FEDORA-2012-9762
File : nvt/gb_fedora_2012_9762_php_fc16.nasl
2012-06-28 Name : RedHat Update for postgresql RHSA-2012:1036-01
File : nvt/gb_RHSA-2012_1036-01_postgresql.nasl
2012-06-28 Name : RedHat Update for postgresql and postgresql84 RHSA-2012:1037-01
File : nvt/gb_RHSA-2012_1037-01_postgresql_and_postgresql84.nasl
2012-06-28 Name : RedHat Update for php RHSA-2012:1046-01
File : nvt/gb_RHSA-2012_1046-01_php.nasl
2012-06-28 Name : RedHat Update for php53 RHSA-2012:1047-01
File : nvt/gb_RHSA-2012_1047-01_php53.nasl
2012-06-22 Name : Ubuntu Update for php5 USN-1481-1
File : nvt/gb_ubuntu_USN_1481_1.nasl
2012-06-19 Name : Fedora Update for postgresql FEDORA-2012-8893
File : nvt/gb_fedora_2012_8893_postgresql_fc16.nasl
2012-06-19 Name : Fedora Update for postgresql FEDORA-2012-8915
File : nvt/gb_fedora_2012_8915_postgresql_fc15.nasl
2012-06-08 Name : Ubuntu Update for postgresql-9.1 USN-1461-1
File : nvt/gb_ubuntu_USN_1461_1.nasl
2012-05-31 Name : FreeBSD Ports: postgresql-server
File : nvt/freebsd_postgresql-server1.nasl
2012-05-22 Name : RedHat Update for postgresql and postgresql84 RHSA-2012:0678-01
File : nvt/gb_RHSA-2012_0678-01_postgresql_and_postgresql84.nasl
2012-05-22 Name : RedHat Update for postgresql RHSA-2012:0677-01
File : nvt/gb_RHSA-2012_0677-01_postgresql.nasl
2012-04-02 Name : Fedora Update for postgresql FEDORA-2012-2591
File : nvt/gb_fedora_2012_2591_postgresql_fc16.nasl
2012-03-12 Name : Debian Security Advisory DSA 2418-1 (postgresql-8.4)
File : nvt/deb_2418_1.nasl
2012-03-12 Name : FreeBSD Ports: postgresql-client
File : nvt/freebsd_postgresql-client0.nasl
2012-03-09 Name : Fedora Update for postgresql FEDORA-2012-2589
File : nvt/gb_fedora_2012_2589_postgresql_fc15.nasl
2012-03-07 Name : Mandriva Update for postgresql8.3 MDVSA-2012:027 (postgresql8.3)
File : nvt/gb_mandriva_MDVSA_2012_027.nasl
2012-03-07 Name : Mandriva Update for postgresql MDVSA-2012:026 (postgresql)
File : nvt/gb_mandriva_MDVSA_2012_026.nasl
2012-03-07 Name : Ubuntu Update for postgresql-9.1 USN-1378-1
File : nvt/gb_ubuntu_USN_1378_1.nasl

Snort® IPS/IDS

Date Description
2014-01-10 PHP truncated crypt function attempt
RuleID : 23896 - Revision : 4 - Type : SERVER-WEBAPP
2014-01-10 PHP truncated crypt function attempt
RuleID : 23895 - Revision : 5 - Type : SERVER-WEBAPP
2014-01-10 truncated crypt function attempt
RuleID : 23894 - Revision : 7 - Type : SERVER-WEBAPP

Nessus® Vulnerability Scanner

Date Description
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2012-1336-1.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2012-675.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2012-667.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2012-650.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2012-603.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2012-365.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2012-214.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2012-129.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2012-121.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2012-82.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2012-91.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2012-94.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2012-95.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-1263.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-1264.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-1047.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-1046.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-1037.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-1036.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-0678.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-0677.nasl - Type : ACT_GATHER_INFO
2013-06-29 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2012-1047.nasl - Type : ACT_GATHER_INFO
2013-03-15 Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_SecUpd2013-001.nasl - Type : ACT_GATHER_INFO
2013-01-25 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_postgresql-120322.nasl - Type : ACT_GATHER_INFO
2013-01-25 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_postgresql-120820.nasl - Type : ACT_GATHER_INFO
2013-01-25 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_apache2-mod_php53-120618.nasl - Type : ACT_GATHER_INFO
2012-12-28 Name : The remote database server is affected by multiple vulnerabilities.
File : postgresql_8318.nasl - Type : ACT_GATHER_INFO
2012-12-28 Name : The remote database server is affected by multiple vulnerabilities.
File : postgresql_20120817.nasl - Type : ACT_GATHER_INFO
2012-12-28 Name : The remote database server is affected by multiple vulnerabilities.
File : postgresql_20120604.nasl - Type : ACT_GATHER_INFO
2012-12-28 Name : The remote database server is affected by multiple vulnerabilities.
File : postgresql_20120227.nasl - Type : ACT_GATHER_INFO
2012-11-02 Name : The remote host is missing an update for OS X Server that fixes several secur...
File : macosx_server_2_1_1.nasl - Type : ACT_GATHER_INFO
2012-10-15 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_postgresql-8311.nasl - Type : ACT_GATHER_INFO
2012-09-29 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201209-24.nasl - Type : ACT_GATHER_INFO
2012-09-24 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201209-03.nasl - Type : ACT_GATHER_INFO
2012-09-20 Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_10_8_2.nasl - Type : ACT_GATHER_INFO
2012-09-20 Name : The remote host is missing a Mac OS X update that fixes multiple security vul...
File : macosx_SecUpd2012-004.nasl - Type : ACT_GATHER_INFO
2012-09-20 Name : The remote host is missing a Mac OS X update that fixes multiple security vul...
File : macosx_10_7_5.nasl - Type : ACT_GATHER_INFO
2012-09-15 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20120913_postgresql_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-09-15 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20120913_postgresql_and_postgresql84_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-09-14 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1264.nasl - Type : ACT_GATHER_INFO
2012-09-14 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1263.nasl - Type : ACT_GATHER_INFO
2012-09-14 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2012-1263.nasl - Type : ACT_GATHER_INFO
2012-09-14 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2012-1264.nasl - Type : ACT_GATHER_INFO
2012-09-06 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2012-139.nasl - Type : ACT_GATHER_INFO
2012-08-27 Name : The remote Fedora host is missing a security update.
File : fedora_2012-12165.nasl - Type : ACT_GATHER_INFO
2012-08-27 Name : The remote Fedora host is missing a security update.
File : fedora_2012-12156.nasl - Type : ACT_GATHER_INFO
2012-08-27 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2534.nasl - Type : ACT_GATHER_INFO
2012-08-21 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1542-1.nasl - Type : ACT_GATHER_INFO
2012-08-20 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_07234e78e89911e1b38d0023ae8e59f0.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20120627_php_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20120627_php53_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20120625_postgresql_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20120625_postgresql_and_postgresql84_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20120625_postgresql_and_postgresql84_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20120521_postgresql_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20120521_postgresql_and_postgresql84_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-07-11 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2012-1046.nasl - Type : ACT_GATHER_INFO
2012-07-03 Name : The remote Fedora host is missing one or more security updates.
File : fedora_2012-9762.nasl - Type : ACT_GATHER_INFO
2012-07-01 Name : The remote Fedora host is missing one or more security updates.
File : fedora_2012-9490.nasl - Type : ACT_GATHER_INFO
2012-06-29 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2491.nasl - Type : ACT_GATHER_INFO
2012-06-28 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_185ff22ec06611e1b5e0000c299b62e1.nasl - Type : ACT_GATHER_INFO
2012-06-28 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1046.nasl - Type : ACT_GATHER_INFO
2012-06-28 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1047.nasl - Type : ACT_GATHER_INFO
2012-06-27 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2012-1037.nasl - Type : ACT_GATHER_INFO
2012-06-26 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1036.nasl - Type : ACT_GATHER_INFO
2012-06-26 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2012-1036.nasl - Type : ACT_GATHER_INFO
2012-06-26 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1037.nasl - Type : ACT_GATHER_INFO
2012-06-20 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1481-1.nasl - Type : ACT_GATHER_INFO
2012-06-18 Name : The remote Fedora host is missing a security update.
File : fedora_2012-8893.nasl - Type : ACT_GATHER_INFO
2012-06-18 Name : The remote Fedora host is missing a security update.
File : fedora_2012-8915.nasl - Type : ACT_GATHER_INFO
2012-06-18 Name : The remote Fedora host is missing a security update.
File : fedora_2012-8924.nasl - Type : ACT_GATHER_INFO
2012-06-15 Name : The remote web server uses a version of PHP that is affected by multiple vuln...
File : php_5_4_4.nasl - Type : ACT_GATHER_INFO
2012-06-15 Name : The remote web server uses a version of PHP that is affected by multiple vuln...
File : php_5_3_14.nasl - Type : ACT_GATHER_INFO
2012-06-15 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2012-093.nasl - Type : ACT_GATHER_INFO
2012-06-15 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2012-092.nasl - Type : ACT_GATHER_INFO
2012-06-06 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_postgresql-8071.nasl - Type : ACT_GATHER_INFO
2012-06-06 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1461-1.nasl - Type : ACT_GATHER_INFO
2012-05-31 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_a8864f8faa9e11e1a2840023ae8e59f0.nasl - Type : ACT_GATHER_INFO
2012-05-22 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2012-0678.nasl - Type : ACT_GATHER_INFO
2012-05-22 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2012-0677.nasl - Type : ACT_GATHER_INFO
2012-05-22 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-0677.nasl - Type : ACT_GATHER_INFO
2012-05-22 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-0678.nasl - Type : ACT_GATHER_INFO
2012-03-08 Name : The remote Fedora host is missing a security update.
File : fedora_2012-2589.nasl - Type : ACT_GATHER_INFO
2012-03-08 Name : The remote Fedora host is missing a security update.
File : fedora_2012-2591.nasl - Type : ACT_GATHER_INFO
2012-03-07 Name : The remote Fedora host is missing a security update.
File : fedora_2012-2508.nasl - Type : ACT_GATHER_INFO
2012-03-01 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2012-026.nasl - Type : ACT_GATHER_INFO
2012-02-29 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1378-1.nasl - Type : ACT_GATHER_INFO
2012-02-29 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_174b8864623711e1be1814dae938ec40.nasl - Type : ACT_GATHER_INFO
2012-02-28 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2418.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2014-02-17 11:37:36
  • Multiple Updates
2013-01-04 13:20:56
  • Multiple Updates