Executive Summary
| Summary | |
|---|---|
| Title | New PostgreSQL packages fix several vulnerabilities |
| Informations | |||
|---|---|---|---|
| Name | DSA-165 | First vendor Publication | 2002-09-12 |
| Vendor | Debian | Last vendor Modification | 2002-09-12 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:S/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 6.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 8 | Authentication | Requires single instance |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Mordred Labs and others found several vulnerabilities in PostgreSQL, an object-relational SQL database. They are inherited from several buffer overflows and integer overflows. Specially crafted long date and time input, currency, repeat data and long timezone names could cause the PostgreSQL server to crash as well as specially crafted input data for lpad() and rpad(). More buffer/integer overflows were found in circle_poly(), path_encode() and path_addr(). Except for the last three, these problems are fixed in the upstream release 7.2.2 of PostgreSQL which is the recommended version to use. Most of these problems do not exist in the version of PostgreSQL that Debian ships in the potato release since the corresponding functionality is not yet implemented. However, PostgreSQL 6.5.3 is quite old and may bear more risks than we are aware of, which may include further buffer overflows, and certainly include bugs that threaten the integrity of your data. You are strongly advised not to use this release but to upgrade your system to Debian 3.0 (stable) including PostgreSQL release 7.2.1 instead, where many bugs have been fixed and new features introduced to increase compatibility with the SQL standards. If you consider an upgrade, please make sure to dump the entire database system using the pg_dumpall utility. Please take into consideration that the newer PostgreSQL is more strict in its input handling. This means that tests line "foo = NULL" which are not valid won't be accepted anymore. It also means that when using UNICODE encoding, ISO 8859-1 and ISO 8859-15 are no longer valid incoding to use when inserting data into the relation. In such a case you are advised to convert the dump in question using recode latin1..utf-16. These problems have been fixed in version 7.2.1-2woody2 for the current stable distribution (woody) and in version 7.2.2-2 for the unstable distribution (sid). The old stable distribution (potato) is partially affected and we ship a fixed version 6.5.3-27.2 for it. We recommend that you upgrade your PostgreSQL packages. wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 2.2 alias potato |
Original Source
| Url : http://www.debian.org/security/2002/dsa-165 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-01-17 | Name : Debian Security Advisory DSA 165-1 (postgresql) File : nvt/deb_165_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 11831 | PostgreSQL circle_poly() Function Overflow |
| 11830 | PostgreSQL path_add() Function Overflow |
| 11829 | PostgreSQL path_encode() Function Overflow |
| 9505 | PostgreSQL Multiple Time Zone Variable Local Overflows |
| 6190 | PostgreSQL Date Parser Overflow DoS A local overflow exists in PostgreSQL. The date parser fails to validate input resulting in a buffer overflow. With a specially crafted request, an attacker can cause the database to crash resulting in a loss of availability. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-165.nasl - Type : ACT_GATHER_INFO |
| 2004-07-31 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2002-062.nasl - Type : ACT_GATHER_INFO |
| 2004-07-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2002-301.nasl - Type : ACT_GATHER_INFO |
| 2003-03-24 | Name : Arbitrary commands may be run on the remote server. File : postgresql_multiple_flaws.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:27:55 |
|
