Executive Summary
Summary | |
---|---|
Title | postgresql and postgresql84 security update |
Informations | |||
---|---|---|---|
Name | RHSA-2013:1475 | First vendor Publication | 2013-10-29 |
Vendor | RedHat | Last vendor Modification | 2013-10-29 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:S/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 8.5 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 6.8 | Authentication | Requires single instance |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated postgresql and postgresql84 packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: PostgreSQL is an advanced object-relational database management system (DBMS). An array index error, leading to a heap-based out-of-bounds buffer read flaw, was found in the way PostgreSQL performed certain error processing using enumeration types. An unprivileged database user could issue a specially crafted SQL query that, when processed by the server component of the PostgreSQL service, would lead to a denial of service (daemon crash) or disclosure of certain portions of server memory. (CVE-2013-0255) A flaw was found in the way the pgcrypto contrib module of PostgreSQL (re)initialized its internal random number generator. This could lead to random numbers with less bits of entropy being used by certain pgcrypto functions, possibly allowing an attacker to conduct other attacks. (CVE-2013-1900) Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Sumit Soni via Secunia SVCRP as the original reporter of CVE-2013-0255, and Marko Kreen as the original reporter of CVE-2013-1900. These updated packages upgrade PostgreSQL to version 8.4.18, which fixes these issues as well as several non-security issues. Refer to the PostgreSQL Release Notes for a full list of changes: http://www.postgresql.org/docs/8.4/static/release-8-4-18.html After installing this update, it is advisable to rebuild, using the REINDEX command, Generalized Search Tree (GiST) indexes that meet one or more of the following conditions: - - GiST indexes on box, polygon, circle, or point columns - - GiST indexes for variable-width data types, that is text, bytea, bit, and numeric - - GiST multi-column indexes All PostgreSQL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 907892 - CVE-2013-0255 postgresql: array indexing error in enum_recv() 929255 - CVE-2013-1900 postgresql: Improper randomization of pgcrypto functions (requiring random seed) |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2013-1475.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
50 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:17945 | |||
Oval ID: | oval:org.mitre.oval:def:17945 | ||
Title: | USN-1717-1 -- postgresql-8.3, postgresql-8.4, postgresql-9.1 vulnerability | ||
Description: | PostgreSQL could be made to crash if it received specially crafted input. Software Description: - postgresql-9.1: Object-relational SQL database - postgresql-8.4: Object-relational SQL database - postgresql-8.3: Object-relational SQL database Details: Sumit Soni discovered that PostgreSQL incorrectly handled calling a certa in internal function with invalid arguments. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1717-1 CVE-2013-0255 | Version: | 7 |
Platform(s): | Ubuntu 12.10 Ubuntu 12.04 Ubuntu 11.10 Ubuntu 10.04 Ubuntu 8.04 | Product(s): | postgresql-9.1 postgresql-8.4 postgresql-8.3 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20093 | |||
Oval ID: | oval:org.mitre.oval:def:20093 | ||
Title: | DSA-2630-1 postgresql-8.4 - programming error | ||
Description: | Sumit Soni discovered that PostgreSQL, an object-relational SQL database, could be forced to crash when an internal function was called with invalid arguments, resulting in denial of service. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2630-1 CVE-2013-0255 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | postgresql-8.4 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26108 | |||
Oval ID: | oval:org.mitre.oval:def:26108 | ||
Title: | SUSE-SU-2013:0517-1 -- Security update for PostgreSQL | ||
Description: | PostgreSQL has been updated to version 9.1.8 which fixes various bugs and one security issue. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:0517-1 CVE-2013-0255 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | PostgreSQL |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2013-09-19 | IAVM : 2013-A-0179 - Apple Mac OS X Security Update 2013-004 Severity : Category I - VMSKEY : V0040373 |
2013-04-11 | IAVM : 2013-B-0035 - Multiple Vulnerabilities in PostgreSQL Severity : Category I - VMSKEY : V0037619 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-08-30 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201408-15.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-307.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-306.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-139.nasl - Type : ACT_GATHER_INFO |
2013-11-14 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-244.nasl - Type : ACT_GATHER_INFO |
2013-10-31 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20131029_postgresql_and_postgresql84_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-10-30 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1475.nasl - Type : ACT_GATHER_INFO |
2013-10-30 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-1475.nasl - Type : ACT_GATHER_INFO |
2013-10-30 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-1475.nasl - Type : ACT_GATHER_INFO |
2013-09-17 | Name : The remote host is missing a security update for OS X Server. File : macosx_server_2_2_2.nasl - Type : ACT_GATHER_INFO |
2013-09-13 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_10_8_5.nasl - Type : ACT_GATHER_INFO |
2013-09-13 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_SecUpd2013-004.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-178.nasl - Type : ACT_GATHER_INFO |
2013-04-22 | Name : The remote Fedora host is missing a security update. File : fedora_2013-6148.nasl - Type : ACT_GATHER_INFO |
2013-04-20 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-142.nasl - Type : ACT_GATHER_INFO |
2013-04-08 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_3f332f169b6b11e28fe908002798f6ff.nasl - Type : ACT_GATHER_INFO |
2013-04-08 | Name : The remote database server is affected by an issue in the random number gener... File : postgresql_cve20131900.nasl - Type : ACT_GATHER_INFO |
2013-04-07 | Name : The remote Fedora host is missing a security update. File : fedora_2013-5000.nasl - Type : ACT_GATHER_INFO |
2013-04-07 | Name : The remote Fedora host is missing a security update. File : fedora_2013-4951.nasl - Type : ACT_GATHER_INFO |
2013-04-07 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libecpg6-130402.nasl - Type : ACT_GATHER_INFO |
2013-04-05 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2657.nasl - Type : ACT_GATHER_INFO |
2013-04-05 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1789-1.nasl - Type : ACT_GATHER_INFO |
2013-03-26 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libecpg6-130213.nasl - Type : ACT_GATHER_INFO |
2013-03-26 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_postgresql-130213.nasl - Type : ACT_GATHER_INFO |
2013-02-21 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2630.nasl - Type : ACT_GATHER_INFO |
2013-02-18 | Name : The remote database server is affected by a denial of service vulnerability. File : postgresql_20130207.nasl - Type : ACT_GATHER_INFO |
2013-02-18 | Name : The remote Fedora host is missing a security update. File : fedora_2013-2152.nasl - Type : ACT_GATHER_INFO |
2013-02-17 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-012.nasl - Type : ACT_GATHER_INFO |
2013-02-13 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1717-1.nasl - Type : ACT_GATHER_INFO |
2013-02-11 | Name : The remote Fedora host is missing a security update. File : fedora_2013-2123.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:57:32 |
|
2013-10-30 00:19:24 |
|