Executive Summary
Informations | |||
---|---|---|---|
Name | MDVSA-2009:333 | First vendor Publication | 2009-12-15 |
Vendor | Mandriva | Last vendor Modification | 2009-12-15 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:S/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 8 | Authentication | Requires single instance |
Calculate full CVSS 2.0 Vectors scores |
Detail
Multiple vulnerabilities was discovered and corrected in postgresql: NULL Bytes in SSL Certificates can be used to falsify client or server authentication. This only affects users who have SSL enabled, perform certificate name validation or client certificate authentication, and where the Certificate Authority (CA) has been tricked into issuing invalid certificates. The use of a CA that can be trusted to always issue valid certificates is recommended to ensure you are not vulnerable to this issue (CVE-2009-4034). Privilege escalation via changing session state in an index function. This closes a corner case related to vulnerabilities CVE-2009-3230 and CVE-2007-6600 (CVE-2009-4136). Packages for 2008.0 are being provided due to extended support for Corporate products. This update provides a solution to these vulnerabilities. |
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2009:333 |
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-1 | Accessing Functionality Not Properly Constrained by ACLs |
CAPEC-13 | Subverting Environment Variable Values |
CAPEC-17 | Accessing, Modifying or Executing Executable Files |
CAPEC-39 | Manipulating Opaque Client-based Data Tokens |
CAPEC-45 | Buffer Overflow via Symbolic Links |
CAPEC-51 | Poison Web Service Registry |
CAPEC-59 | Session Credential Falsification through Prediction |
CAPEC-60 | Reusing Session IDs (aka Session Replay) |
CAPEC-76 | Manipulating Input to File System Calls |
CAPEC-77 | Manipulating User-Controlled Variables |
CAPEC-87 | Forceful Browsing |
CAPEC-104 | Cross Zone Scripting |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
67 % | CWE-264 | Permissions, Privileges, and Access Controls |
33 % | CWE-310 | Cryptographic Issues |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:16775 | |||
Oval ID: | oval:org.mitre.oval:def:16775 | ||
Title: | USN-568-1 -- postgresql vulnerabilities | ||
Description: | Nico Leidecker discovered that PostgreSQL did not properly restrict dblink functions. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-568-1 CVE-2007-3278 CVE-2007-6601 CVE-2007-4769 CVE-2007-4772 CVE-2007-6067 CVE-2007-6600 | Version: | 7 |
Platform(s): | Ubuntu 6.06 Ubuntu 6.10 Ubuntu 7.04 Ubuntu 7.10 | Product(s): | postgresql-8.1 postgresql-8.2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22642 | |||
Oval ID: | oval:org.mitre.oval:def:22642 | ||
Title: | ELSA-2009:1484: postgresql security update (Moderate) | ||
Description: | The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and 7.4 before 7.4.26 does not use the appropriate privileges for the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, which allows remote authenticated users to gain privileges. NOTE: this is due to an incomplete fix for CVE-2007-6600. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2009:1484-01 CVE-2009-0922 CVE-2009-3230 | Version: | 13 |
Platform(s): | Oracle Linux 5 | Product(s): | postgresql |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-02-12 | Name : Gentoo Security Advisory GLSA 201110-22 (postgresql-server postgresql-base) File : nvt/glsa_201110_22.nasl |
2011-08-09 | Name : CentOS Update for postgresql CESA-2010:0429 centos5 i386 File : nvt/gb_CESA-2010_0429_postgresql_centos5_i386.nasl |
2011-08-09 | Name : CentOS Update for rh-postgresql CESA-2009:1485 centos3 i386 File : nvt/gb_CESA-2009_1485_rh-postgresql_centos3_i386.nasl |
2011-08-09 | Name : CentOS Update for postgresql CESA-2009:1484 centos5 i386 File : nvt/gb_CESA-2009_1484_postgresql_centos5_i386.nasl |
2011-08-09 | Name : CentOS Update for postgresql CESA-2009:1484 centos4 i386 File : nvt/gb_CESA-2009_1484_postgresql_centos4_i386.nasl |
2010-05-28 | Name : RedHat Update for postgresql RHSA-2010:0427-01 File : nvt/gb_RHSA-2010_0427-01_postgresql.nasl |
2010-05-28 | Name : CentOS Update for postgresql CESA-2010:0428 centos4 i386 File : nvt/gb_CESA-2010_0428_postgresql_centos4_i386.nasl |
2010-05-28 | Name : CentOS Update for rh-postgresql CESA-2010:0427 centos3 i386 File : nvt/gb_CESA-2010_0427_rh-postgresql_centos3_i386.nasl |
2010-05-28 | Name : RedHat Update for postgresql RHSA-2010:0429-01 File : nvt/gb_RHSA-2010_0429-01_postgresql.nasl |
2010-05-28 | Name : RedHat Update for postgresql RHSA-2010:0428-01 File : nvt/gb_RHSA-2010_0428-01_postgresql.nasl |
2010-01-15 | Name : Ubuntu Update for PostgreSQL vulnerabilities USN-876-1 File : nvt/gb_ubuntu_USN_876_1.nasl |
2009-12-30 | Name : Fedora Core 11 FEDORA-2009-13363 (postgresql) File : nvt/fcore_2009_13363.nasl |
2009-12-30 | Name : Fedora Core 12 FEDORA-2009-13381 (postgresql) File : nvt/fcore_2009_13381.nasl |
2009-12-30 | Name : FreeBSD Ports: postgresql-client, postgresql-server File : nvt/freebsd_postgresql-client.nasl |
2009-12-16 | Name : PostgreSQL NULL Character CA SSL Certificate Validation Security Bypass Vulne... File : nvt/postgressql_37334.nasl |
2009-12-14 | Name : Mandriva Security Advisory MDVSA-2009:251-1 (postgresql8.2) File : nvt/mdksa_2009_251_1.nasl |
2009-10-27 | Name : SuSE Security Summary SUSE-SR:2009:017 File : nvt/suse_sr_2009_017.nasl |
2009-10-19 | Name : SuSE Security Summary SUSE-SR:2009:016 File : nvt/suse_sr_2009_016.nasl |
2009-10-13 | Name : RedHat Security Advisory RHSA-2009:1484 File : nvt/RHSA_2009_1484.nasl |
2009-10-13 | Name : CentOS Security Advisory CESA-2009:1484 (postgresql) File : nvt/ovcesa2009_1484.nasl |
2009-10-13 | Name : CentOS Security Advisory CESA-2009:1485 (postgresql) File : nvt/ovcesa2009_1485.nasl |
2009-10-13 | Name : SLES10: Security update for PostgreSQL File : nvt/sles10_postgresql0.nasl |
2009-10-13 | Name : SLES10: Security update for PostgreSQL File : nvt/sles10_postgresql1.nasl |
2009-10-13 | Name : RedHat Security Advisory RHSA-2009:1485 File : nvt/RHSA_2009_1485.nasl |
2009-10-11 | Name : SLES11: Security update for PostgreSQL File : nvt/sles11_postgresql0.nasl |
2009-10-10 | Name : SLES9: Security update for PostgreSQL File : nvt/sles9p5059340.nasl |
2009-10-10 | Name : SLES9: Security update for postgresql File : nvt/sles9p5021809.nasl |
2009-10-06 | Name : Debian Security Advisory DSA 1900-1 (postgresql-7.4, postgresql-8.1, postgres... File : nvt/deb_1900_1.nasl |
2009-10-01 | Name : PostgreSQL Multiple Security Vulnerabilities File : nvt/postgreSQL_multiple_security_vulnerabilities.nasl |
2009-09-28 | Name : Ubuntu USN-834-1 (postgresql-8.3) File : nvt/ubuntu_834_1.nasl |
2009-09-28 | Name : RedHat Security Advisory RHSA-2009:1461 File : nvt/RHSA_2009_1461.nasl |
2009-09-15 | Name : Fedora Core 11 FEDORA-2009-9473 (postgresql) File : nvt/fcore_2009_9473.nasl |
2009-09-15 | Name : Fedora Core 10 FEDORA-2009-9474 (postgresql) File : nvt/fcore_2009_9474.nasl |
2009-04-09 | Name : Mandriva Update for postgresql MDVSA-2008:004 (postgresql) File : nvt/gb_mandriva_MDVSA_2008_004.nasl |
2009-03-23 | Name : Ubuntu Update for postgresql vulnerabilities USN-568-1 File : nvt/gb_ubuntu_USN_568_1.nasl |
2009-03-06 | Name : RedHat Update for postgresql RHSA-2008:0038-01 File : nvt/gb_RHSA-2008_0038-01_postgresql.nasl |
2009-03-06 | Name : RedHat Update for postgresql RHSA-2008:0039-01 File : nvt/gb_RHSA-2008_0039-01_postgresql.nasl |
2009-02-27 | Name : CentOS Update for postgresql CESA-2008:0038 centos4 i386 File : nvt/gb_CESA-2008_0038_postgresql_centos4_i386.nasl |
2009-02-27 | Name : CentOS Update for postgresql CESA-2008:0038 centos4 x86_64 File : nvt/gb_CESA-2008_0038_postgresql_centos4_x86_64.nasl |
2009-02-27 | Name : CentOS Update for rh-postgresql CESA-2008:0039 centos3 i386 File : nvt/gb_CESA-2008_0039_rh-postgresql_centos3_i386.nasl |
2009-02-27 | Name : CentOS Update for rh-postgresql CESA-2008:0039 centos3 x86_64 File : nvt/gb_CESA-2008_0039_rh-postgresql_centos3_x86_64.nasl |
2009-02-17 | Name : Fedora Update for postgresql FEDORA-2008-0552 File : nvt/gb_fedora_2008_0552_postgresql_fc7.nasl |
2009-02-17 | Name : Fedora Update for postgresql FEDORA-2008-0478 File : nvt/gb_fedora_2008_0478_postgresql_fc8.nasl |
2009-01-23 | Name : SuSE Update for postgresql SUSE-SA:2008:005 File : nvt/gb_suse_2008_005.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200801-15 (postgresql) File : nvt/glsa_200801_15.nasl |
2008-09-04 | Name : FreeBSD Ports: postgresql, postgresql-server File : nvt/freebsd_postgresql4.nasl |
2008-01-31 | Name : Debian Security Advisory DSA 1463-1 (postgresql-7.4) File : nvt/deb_1463_1.nasl |
2008-01-31 | Name : Debian Security Advisory DSA 1460-1 (postgresql-8.1) File : nvt/deb_1460_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
61039 | PostgreSQL Index Function Session Manipulation Privilege Escalation |
61038 | PostgreSQL SSL Certificate Authority (CA) Null Byte Handling MiTM Weakness |
57901 | PostgreSQL RESET SESSION AUTHORIZATION Remote Privilege Escalation |
40904 | PostgreSQL Multiple Operation Remote Privilege Escalation |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0429.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2008-0038.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2008-0039.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-1484.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-1485.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0427.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0428.nasl - Type : ACT_GATHER_INFO |
2012-12-28 | Name : The remote database server is affected by multiple vulnerabilities. File : postgresql_20091214.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20091007_postgresql_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100519_postgresql_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20080111_postgresql_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2011-10-25 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201110-22.nasl - Type : ACT_GATHER_INFO |
2011-03-17 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_postgresql-100111.nasl - Type : ACT_GATHER_INFO |
2010-10-11 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_postgresql-6535.nasl - Type : ACT_GATHER_INFO |
2010-10-11 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_postgresql-6768.nasl - Type : ACT_GATHER_INFO |
2010-06-01 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0429.nasl - Type : ACT_GATHER_INFO |
2010-05-24 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0428.nasl - Type : ACT_GATHER_INFO |
2010-05-24 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0427.nasl - Type : ACT_GATHER_INFO |
2010-05-20 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0427.nasl - Type : ACT_GATHER_INFO |
2010-05-20 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0429.nasl - Type : ACT_GATHER_INFO |
2010-05-20 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0428.nasl - Type : ACT_GATHER_INFO |
2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1964.nasl - Type : ACT_GATHER_INFO |
2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1900.nasl - Type : ACT_GATHER_INFO |
2010-01-19 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12571.nasl - Type : ACT_GATHER_INFO |
2010-01-19 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_postgresql-100108.nasl - Type : ACT_GATHER_INFO |
2010-01-19 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_postgresql-100108.nasl - Type : ACT_GATHER_INFO |
2010-01-19 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_postgresql-100111.nasl - Type : ACT_GATHER_INFO |
2010-01-19 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_postgresql-100108.nasl - Type : ACT_GATHER_INFO |
2010-01-19 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_postgresql-6767.nasl - Type : ACT_GATHER_INFO |
2010-01-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-1484.nasl - Type : ACT_GATHER_INFO |
2010-01-04 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-876-1.nasl - Type : ACT_GATHER_INFO |
2009-12-18 | Name : The remote Fedora host is missing a security update. File : fedora_2009-13381.nasl - Type : ACT_GATHER_INFO |
2009-12-18 | Name : The remote Fedora host is missing a security update. File : fedora_2009-13363.nasl - Type : ACT_GATHER_INFO |
2009-12-17 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_e7bc5600eaa011debd9c00215c6a37bb.nasl - Type : ACT_GATHER_INFO |
2009-12-16 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-333.nasl - Type : ACT_GATHER_INFO |
2009-10-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1485.nasl - Type : ACT_GATHER_INFO |
2009-10-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1484.nasl - Type : ACT_GATHER_INFO |
2009-10-08 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-1485.nasl - Type : ACT_GATHER_INFO |
2009-10-06 | Name : The remote openSUSE host is missing a security update. File : suse_postgresql-6502.nasl - Type : ACT_GATHER_INFO |
2009-10-02 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-251.nasl - Type : ACT_GATHER_INFO |
2009-09-29 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_postgresql-090917.nasl - Type : ACT_GATHER_INFO |
2009-09-29 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_postgresql-090917.nasl - Type : ACT_GATHER_INFO |
2009-09-28 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_postgresql-6500.nasl - Type : ACT_GATHER_INFO |
2009-09-28 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12509.nasl - Type : ACT_GATHER_INFO |
2009-09-28 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_postgresql-090917.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12065.nasl - Type : ACT_GATHER_INFO |
2009-09-22 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-834-1.nasl - Type : ACT_GATHER_INFO |
2009-09-14 | Name : The remote Fedora host is missing a security update. File : fedora_2009-9474.nasl - Type : ACT_GATHER_INFO |
2009-09-14 | Name : The remote Fedora host is missing a security update. File : fedora_2009-9473.nasl - Type : ACT_GATHER_INFO |
2009-06-28 | Name : The remote host is missing Sun Security Patch number 138826-12 File : solaris10_138826.nasl - Type : ACT_GATHER_INFO |
2009-06-28 | Name : The remote host is missing Sun Security Patch number 138827-12 File : solaris10_x86_138827.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-004.nasl - Type : ACT_GATHER_INFO |
2008-04-28 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_51436b4c125011ddbab70016179b2dd5.nasl - Type : ACT_GATHER_INFO |
2008-02-11 | Name : The remote openSUSE host is missing a security update. File : suse_postgresql-4955.nasl - Type : ACT_GATHER_INFO |
2008-02-06 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_postgresql-4962.nasl - Type : ACT_GATHER_INFO |
2008-02-06 | Name : The remote openSUSE host is missing a security update. File : suse_postgresql-4958.nasl - Type : ACT_GATHER_INFO |
2008-02-05 | Name : The remote host is missing Sun Security Patch number 136998-10 File : solaris10_136998.nasl - Type : ACT_GATHER_INFO |
2008-02-05 | Name : The remote host is missing Sun Security Patch number 136999-10 File : solaris10_x86_136999.nasl - Type : ACT_GATHER_INFO |
2008-01-29 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200801-15.nasl - Type : ACT_GATHER_INFO |
2008-01-15 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1463.nasl - Type : ACT_GATHER_INFO |
2008-01-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-568-1.nasl - Type : ACT_GATHER_INFO |
2008-01-14 | Name : The remote Fedora host is missing a security update. File : fedora_2008-0552.nasl - Type : ACT_GATHER_INFO |
2008-01-14 | Name : The remote Fedora host is missing a security update. File : fedora_2008-0478.nasl - Type : ACT_GATHER_INFO |
2008-01-14 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2008-0038.nasl - Type : ACT_GATHER_INFO |
2008-01-14 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0038.nasl - Type : ACT_GATHER_INFO |
2008-01-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1460.nasl - Type : ACT_GATHER_INFO |
2008-01-14 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0039.nasl - Type : ACT_GATHER_INFO |
2008-01-14 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2008-0039.nasl - Type : ACT_GATHER_INFO |
2007-03-18 | Name : The remote host is missing Sun Security Patch number 123591-12 File : solaris10_x86_123591.nasl - Type : ACT_GATHER_INFO |
2007-03-18 | Name : The remote host is missing Sun Security Patch number 123590-12 File : solaris10_123590.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:41:06 |
|
2013-05-11 00:47:57 |
|