Executive Summary
Summary | |
---|---|
Title | New PostgreSQL packages fix various problems |
Informations | |||
---|---|---|---|
Name | DSA-1900 | First vendor Publication | 2009-10-02 |
Vendor | Debian | Last vendor Modification | 2009-10-02 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Several vulnerabilities have been discovered in PostgreSQL, an SQL database system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-3229 Authenticated users can shut down the backend server by re-LOAD-ing libraries in $libdir/plugins, if any libraries are present there. (The old stable distribution (etch) is not affected by this issue.) CVE-2009-3230 Authenticated non-superusers can gain database superuser privileges if they can create functions and tables due to incorrect execution of functions in functional indexes. CVE-2009-3231 If PostgreSQL is configured with LDAP authentication, and the LDAP configuration allows anonymous binds, it is possible for a user to authenticate themselves with an empty password. (The old stable distribution (etch) is not affected by this issue.) In addition, this update contains reliability improvements which do not target security issues. For the old stable distribution (etch), these problems have been fixed in version 7.4.26-0etch1 of the postgresql-7.4 source package, and version 8.1.18-0etch1 of the postgresql-8.1 source package. For the stable distribution (lenny), these problems have been fixed in version 8.3.8-0lenny1 of the postgresql-8.3 source package. For the unstable distribution (sid), these problems have been fixed in version 8.3.8-1 of the postgresql-8.3 source package, and version 8.4.1-1 of the postgresql-8.4 source package. We recommend that you upgrade your PostgreSQL packages. |
Original Source
Url : http://www.debian.org/security/2009/dsa-1900 |
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-1 | Accessing Functionality Not Properly Constrained by ACLs |
CAPEC-13 | Subverting Environment Variable Values |
CAPEC-17 | Accessing, Modifying or Executing Executable Files |
CAPEC-22 | Exploiting Trust in Client (aka Make the Client Invisible) |
CAPEC-39 | Manipulating Opaque Client-based Data Tokens |
CAPEC-45 | Buffer Overflow via Symbolic Links |
CAPEC-51 | Poison Web Service Registry |
CAPEC-57 | Utilizing REST's Trust in the System Resource to Register Man in the Middle |
CAPEC-59 | Session Credential Falsification through Prediction |
CAPEC-60 | Reusing Session IDs (aka Session Replay) |
CAPEC-76 | Manipulating Input to File System Calls |
CAPEC-77 | Manipulating User-Controlled Variables |
CAPEC-87 | Forceful Browsing |
CAPEC-94 | Man in the Middle Attack |
CAPEC-104 | Cross Zone Scripting |
CAPEC-114 | Authentication Abuse |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-287 | Improper Authentication |
50 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:22642 | |||
Oval ID: | oval:org.mitre.oval:def:22642 | ||
Title: | ELSA-2009:1484: postgresql security update (Moderate) | ||
Description: | The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and 7.4 before 7.4.26 does not use the appropriate privileges for the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, which allows remote authenticated users to gain privileges. NOTE: this is due to an incomplete fix for CVE-2007-6600. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2009:1484-01 CVE-2009-0922 CVE-2009-3230 | Version: | 13 |
Platform(s): | Oracle Linux 5 | Product(s): | postgresql |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-02-12 | Name : Gentoo Security Advisory GLSA 201110-22 (postgresql-server postgresql-base) File : nvt/glsa_201110_22.nasl |
2011-08-09 | Name : CentOS Update for postgresql CESA-2009:1484 centos4 i386 File : nvt/gb_CESA-2009_1484_postgresql_centos4_i386.nasl |
2011-08-09 | Name : CentOS Update for postgresql CESA-2009:1484 centos5 i386 File : nvt/gb_CESA-2009_1484_postgresql_centos5_i386.nasl |
2011-08-09 | Name : CentOS Update for rh-postgresql CESA-2009:1485 centos3 i386 File : nvt/gb_CESA-2009_1485_rh-postgresql_centos3_i386.nasl |
2009-12-30 | Name : FreeBSD Ports: postgresql-client, postgresql-server File : nvt/freebsd_postgresql-client.nasl |
2009-12-14 | Name : Mandriva Security Advisory MDVSA-2009:251-1 (postgresql8.2) File : nvt/mdksa_2009_251_1.nasl |
2009-10-27 | Name : SuSE Security Summary SUSE-SR:2009:017 File : nvt/suse_sr_2009_017.nasl |
2009-10-19 | Name : SuSE Security Summary SUSE-SR:2009:016 File : nvt/suse_sr_2009_016.nasl |
2009-10-13 | Name : RedHat Security Advisory RHSA-2009:1484 File : nvt/RHSA_2009_1484.nasl |
2009-10-13 | Name : SLES10: Security update for PostgreSQL File : nvt/sles10_postgresql0.nasl |
2009-10-13 | Name : CentOS Security Advisory CESA-2009:1485 (postgresql) File : nvt/ovcesa2009_1485.nasl |
2009-10-13 | Name : CentOS Security Advisory CESA-2009:1484 (postgresql) File : nvt/ovcesa2009_1484.nasl |
2009-10-13 | Name : RedHat Security Advisory RHSA-2009:1485 File : nvt/RHSA_2009_1485.nasl |
2009-10-11 | Name : SLES11: Security update for PostgreSQL File : nvt/sles11_postgresql0.nasl |
2009-10-10 | Name : SLES9: Security update for PostgreSQL File : nvt/sles9p5059340.nasl |
2009-10-06 | Name : Debian Security Advisory DSA 1900-1 (postgresql-7.4, postgresql-8.1, postgres... File : nvt/deb_1900_1.nasl |
2009-10-01 | Name : PostgreSQL Multiple Security Vulnerabilities File : nvt/postgreSQL_multiple_security_vulnerabilities.nasl |
2009-09-28 | Name : RedHat Security Advisory RHSA-2009:1461 File : nvt/RHSA_2009_1461.nasl |
2009-09-28 | Name : Ubuntu USN-834-1 (postgresql-8.3) File : nvt/ubuntu_834_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
57918 | PostgreSQL $libdir/plugins Library Reload Backend Server Shutdown DoS |
57917 | PostgreSQL LDAP Anonymous Bind Authentication Bypass |
57901 | PostgreSQL RESET SESSION AUTHORIZATION Remote Privilege Escalation |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-1484.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-1485.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20091007_postgresql_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2011-10-25 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201110-22.nasl - Type : ACT_GATHER_INFO |
2010-10-11 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_postgresql-6535.nasl - Type : ACT_GATHER_INFO |
2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1900.nasl - Type : ACT_GATHER_INFO |
2010-01-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-1484.nasl - Type : ACT_GATHER_INFO |
2009-12-17 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_e7bc5600eaa011debd9c00215c6a37bb.nasl - Type : ACT_GATHER_INFO |
2009-12-16 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-333.nasl - Type : ACT_GATHER_INFO |
2009-10-08 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-1485.nasl - Type : ACT_GATHER_INFO |
2009-10-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1485.nasl - Type : ACT_GATHER_INFO |
2009-10-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1484.nasl - Type : ACT_GATHER_INFO |
2009-10-06 | Name : The remote openSUSE host is missing a security update. File : suse_postgresql-6502.nasl - Type : ACT_GATHER_INFO |
2009-10-02 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-251.nasl - Type : ACT_GATHER_INFO |
2009-09-29 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_postgresql-090917.nasl - Type : ACT_GATHER_INFO |
2009-09-29 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_postgresql-090917.nasl - Type : ACT_GATHER_INFO |
2009-09-28 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_postgresql-6500.nasl - Type : ACT_GATHER_INFO |
2009-09-28 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_postgresql-090917.nasl - Type : ACT_GATHER_INFO |
2009-09-28 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12509.nasl - Type : ACT_GATHER_INFO |
2009-09-22 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-834-1.nasl - Type : ACT_GATHER_INFO |
2009-09-14 | Name : The remote Fedora host is missing a security update. File : fedora_2009-9474.nasl - Type : ACT_GATHER_INFO |
2009-09-14 | Name : The remote Fedora host is missing a security update. File : fedora_2009-9473.nasl - Type : ACT_GATHER_INFO |
2009-09-11 | Name : The database service running on the remote host has an authentication bypass ... File : postgresql_ldap_auth_bypass.nasl - Type : ACT_GATHER_INFO |
2009-06-28 | Name : The remote host is missing Sun Security Patch number 138827-12 File : solaris10_x86_138827.nasl - Type : ACT_GATHER_INFO |
2009-06-28 | Name : The remote host is missing Sun Security Patch number 138826-12 File : solaris10_138826.nasl - Type : ACT_GATHER_INFO |
2008-02-05 | Name : The remote host is missing Sun Security Patch number 136999-10 File : solaris10_x86_136999.nasl - Type : ACT_GATHER_INFO |
2008-02-05 | Name : The remote host is missing Sun Security Patch number 136998-10 File : solaris10_136998.nasl - Type : ACT_GATHER_INFO |
2007-03-18 | Name : The remote host is missing Sun Security Patch number 123591-12 File : solaris10_x86_123591.nasl - Type : ACT_GATHER_INFO |
2007-03-18 | Name : The remote host is missing Sun Security Patch number 123590-12 File : solaris10_123590.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:28:52 |
|