Executive Summary

Summary
Title postgresql and postgresql84 security update
Informations
Name RHSA-2012:1263 First vendor Publication 2012-09-13
Vendor RedHat Last vendor Modification 2012-09-13
Severity (Vendor) Moderate Revision 01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Cvss Base Score 4.9 Attack Range Network
Cvss Impact Score 4.9 Attack Complexity Medium
Cvss Expoit Score 6.8 Authentication Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated postgresql84 and postgresql packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6 respectively.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

PostgreSQL is an advanced object-relational database management system (DBMS).

It was found that the optional PostgreSQL xml2 contrib module allowed local files and remote URLs to be read and written to with the privileges of the database server when parsing Extensible Stylesheet Language Transformations (XSLT). An unprivileged database user could use this flaw to read and write to local files (such as the database's configuration files) and remote URLs they would otherwise not have access to by issuing a specially-crafted SQL query. (CVE-2012-3488)

It was found that the "xml" data type allowed local files and remote URLs to be read with the privileges of the database server to resolve DTD and entity references in the provided XML. An unprivileged database user could use this flaw to read local files they would otherwise not have access to by issuing a specially-crafted SQL query. Note that the full contents of the files were not returned, but portions could be displayed to the user via error messages. (CVE-2012-3489)

Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Peter Eisentraut as the original reporter of CVE-2012-3488, and Noah Misch as the original reporter of CVE-2012-3489.

These updated packages upgrade PostgreSQL to version 8.4.13. Refer to the PostgreSQL Release Notes for a list of changes:

http://www.postgresql.org/docs/8.4/static/release-8-4-13.html

All PostgreSQL users are advised to upgrade to these updated packages, which correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

849172 - CVE-2012-3488 postgresql (xml2 contrib module): XXE by applying XSL stylesheet to the document 849173 - CVE-2012-3489 postgresql: File disclosure through XXE in xmlparse by DTD validation

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2012-1263.html

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-611 Information Leak Through XML External Entity File Disclosure
50 % CWE-264 Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:17821
 
Oval ID: oval:org.mitre.oval:def:17821
Title: USN-1542-1 -- postgresql-8.3, postgresql-8.4, postgresql-9.1 vulnerabilities
Description: PostgreSQL could allow unintended access to files over the network when using the XML2 extension.
Family: unix Class: patch
Reference(s): USN-1542-1
CVE-2012-3488
CVE-2012-3489
Version: 7
Platform(s): Ubuntu 12.04
Ubuntu 11.10
Ubuntu 11.04
Ubuntu 10.04
Ubuntu 8.04
Product(s): postgresql-9.1
postgresql-8.4
postgresql-8.3
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18474
 
Oval ID: oval:org.mitre.oval:def:18474
Title: DSA-2534-1 postgresql-8.4 - several
Description: Two vulnerabilities related to XML processing were discovered in PostgreSQL, an SQL database.
Family: unix Class: patch
Reference(s): DSA-2534-1
CVE-2012-3488
CVE-2012-3489
Version: 7
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): postgresql-8.4
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21356
 
Oval ID: oval:org.mitre.oval:def:21356
Title: RHSA-2012:1263: postgresql and postgresql84 security update (Moderate)
Description: The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.
Family: unix Class: patch
Reference(s): RHSA-2012:1263-01
CESA-2012:1263
CVE-2012-3488
CVE-2012-3489
Version: 29
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
CentOS Linux 5
CentOS Linux 6
Product(s): postgresql84
postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21547
 
Oval ID: oval:org.mitre.oval:def:21547
Title: RHSA-2012:1264: postgresql security update (Moderate)
Description: The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.
Family: unix Class: patch
Reference(s): RHSA-2012:1264-00
CESA-2012:1264
CVE-2012-3488
Version: 4
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23197
 
Oval ID: oval:org.mitre.oval:def:23197
Title: ELSA-2012:1264: postgresql security update (Moderate)
Description: The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.
Family: unix Class: patch
Reference(s): ELSA-2012:1264-00
CVE-2012-3488
Version: 6
Platform(s): Oracle Linux 5
Product(s): postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23390
 
Oval ID: oval:org.mitre.oval:def:23390
Title: DEPRECATED: ELSA-2012:1263: postgresql and postgresql84 security update (Moderate)
Description: The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.
Family: unix Class: patch
Reference(s): ELSA-2012:1263-01
CVE-2012-3488
CVE-2012-3489
Version: 14
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): postgresql84
postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23579
 
Oval ID: oval:org.mitre.oval:def:23579
Title: ELSA-2012:1263: postgresql and postgresql84 security update (Moderate)
Description: The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.
Family: unix Class: patch
Reference(s): ELSA-2012:1263-01
CVE-2012-3488
CVE-2012-3489
Version: 13
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): postgresql84
postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27283
 
Oval ID: oval:org.mitre.oval:def:27283
Title: DEPRECATED: ELSA-2012-1264 -- postgresql security update (moderate)
Description: [8.1.23-6] - Back-port upstream fix for CVE-2012-3488 Resolves: #852015
Family: unix Class: patch
Reference(s): ELSA-2012-1264
CVE-2012-3488
Version: 4
Platform(s): Oracle Linux 5
Product(s): postgresql
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27787
 
Oval ID: oval:org.mitre.oval:def:27787
Title: DEPRECATED: ELSA-2012-1263 -- postgresql and postgresql84 security update (moderate)
Description: [8.4.13-1] - Update to PostgreSQL 8.4.13, for various fixes described at http://www.postgresql.org/docs/8.4/static/release-8-4-13.html including the fixes for CVE-2012-3488, CVE-2012-3489 Resolves: #852020
Family: unix Class: patch
Reference(s): ELSA-2012-1263
CVE-2012-3488
CVE-2012-3489
Version: 4
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): postgresql84
postgresql
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 260
Os 80
Os 5
Os 1
Os 3
Os 2
Os 1
Os 2
Os 2

OpenVAS Exploits

Date Description
2013-09-18 Name : Debian Security Advisory DSA 2534-1 (postgresql-8.4 - several vulnerabilities)
File : nvt/deb_2534_1.nasl
2012-10-03 Name : Gentoo Security Advisory GLSA 201209-24 (PostgreSQL)
File : nvt/glsa_201209_24.nasl
2012-09-17 Name : CentOS Update for postgresql84 CESA-2012:1263 centos5
File : nvt/gb_CESA-2012_1263_postgresql84_centos5.nasl
2012-09-17 Name : CentOS Update for postgresql CESA-2012:1263 centos6
File : nvt/gb_CESA-2012_1263_postgresql_centos6.nasl
2012-09-17 Name : CentOS Update for postgresql CESA-2012:1264 centos5
File : nvt/gb_CESA-2012_1264_postgresql_centos5.nasl
2012-09-17 Name : RedHat Update for postgresql and postgresql84 RHSA-2012:1263-01
File : nvt/gb_RHSA-2012_1263-01_postgresql_and_postgresql84.nasl
2012-09-17 Name : RedHat Update for postgresql RHSA-2012:1264-01
File : nvt/gb_RHSA-2012_1264-01_postgresql.nasl
2012-08-30 Name : FreeBSD Ports: postgresql-server
File : nvt/freebsd_postgresql-server2.nasl
2012-08-30 Name : Fedora Update for postgresql FEDORA-2012-12156
File : nvt/gb_fedora_2012_12156_postgresql_fc16.nasl
2012-08-30 Name : Fedora Update for postgresql FEDORA-2012-12165
File : nvt/gb_fedora_2012_12165_postgresql_fc17.nasl
2012-08-21 Name : Mandriva Update for postgresql MDVSA-2012:139 (postgresql)
File : nvt/gb_mandriva_MDVSA_2012_139.nasl
2012-08-21 Name : Ubuntu Update for postgresql-9.1 USN-1542-1
File : nvt/gb_ubuntu_USN_1542_1.nasl

Nessus® Vulnerability Scanner

Date Description
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2012-1336-1.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2012-675.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2012-667.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2012-650.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2012-129.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2012-121.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-1263.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-1264.nasl - Type : ACT_GATHER_INFO
2013-03-15 Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_SecUpd2013-001.nasl - Type : ACT_GATHER_INFO
2013-01-25 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_postgresql-120820.nasl - Type : ACT_GATHER_INFO
2012-12-28 Name : The remote database server is affected by multiple vulnerabilities.
File : postgresql_20120817.nasl - Type : ACT_GATHER_INFO
2012-11-02 Name : The remote host is missing an update for OS X Server that fixes several secur...
File : macosx_server_2_1_1.nasl - Type : ACT_GATHER_INFO
2012-10-15 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_postgresql-8311.nasl - Type : ACT_GATHER_INFO
2012-09-29 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201209-24.nasl - Type : ACT_GATHER_INFO
2012-09-15 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20120913_postgresql_and_postgresql84_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-09-15 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20120913_postgresql_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-09-14 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1263.nasl - Type : ACT_GATHER_INFO
2012-09-14 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2012-1263.nasl - Type : ACT_GATHER_INFO
2012-09-14 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2012-1264.nasl - Type : ACT_GATHER_INFO
2012-09-14 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1264.nasl - Type : ACT_GATHER_INFO
2012-09-06 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2012-139.nasl - Type : ACT_GATHER_INFO
2012-08-27 Name : The remote Fedora host is missing a security update.
File : fedora_2012-12156.nasl - Type : ACT_GATHER_INFO
2012-08-27 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2534.nasl - Type : ACT_GATHER_INFO
2012-08-27 Name : The remote Fedora host is missing a security update.
File : fedora_2012-12165.nasl - Type : ACT_GATHER_INFO
2012-08-21 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1542-1.nasl - Type : ACT_GATHER_INFO
2012-08-20 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_07234e78e89911e1b38d0023ae8e59f0.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2014-02-17 11:56:21
  • Multiple Updates
2013-10-09 17:23:43
  • Multiple Updates
2013-10-09 00:22:47
  • Multiple Updates