Executive Summary
Informations | |||
---|---|---|---|
Name | MDVSA-2013:142 | First vendor Publication | 2013-04-11 |
Vendor | Mandriva | Last vendor Modification | 2013-04-11 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:S/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 8.5 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 6.8 | Authentication | Requires single instance |
Calculate full CVSS 2.0 Vectors scores |
Detail
Multiple vulnerabilities has been discovered and corrected in postgresql: PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticated users to cause a denial of service (server crash) or read sensitive process memory via a crafted SQL command, which triggers an array index error and an out-of-bounds read (CVE-2013-0255). Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a - (hyphen) (CVE-2013-1899). PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the contrib/pgcrypto functions. (CVE-2013-1900). PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions (CVE-2013-1901). This advisory provides the latest versions of PostgreSQL that is not vulnerable to these issues. |
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2013:142 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
25 % | CWE-264 | Permissions, Privileges, and Access Controls |
25 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
25 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
25 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:17945 | |||
Oval ID: | oval:org.mitre.oval:def:17945 | ||
Title: | USN-1717-1 -- postgresql-8.3, postgresql-8.4, postgresql-9.1 vulnerability | ||
Description: | PostgreSQL could be made to crash if it received specially crafted input. Software Description: - postgresql-9.1: Object-relational SQL database - postgresql-8.4: Object-relational SQL database - postgresql-8.3: Object-relational SQL database Details: Sumit Soni discovered that PostgreSQL incorrectly handled calling a certa in internal function with invalid arguments. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1717-1 CVE-2013-0255 | Version: | 7 |
Platform(s): | Ubuntu 12.10 Ubuntu 12.04 Ubuntu 11.10 Ubuntu 10.04 Ubuntu 8.04 | Product(s): | postgresql-9.1 postgresql-8.4 postgresql-8.3 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18307 | |||
Oval ID: | oval:org.mitre.oval:def:18307 | ||
Title: | DSA-2657-1 postgresql-8.4 - guessable random numbers | ||
Description: | A vulnerability was discovered in PostgreSQL database server. Random numbers generated by contrib/pgcrypto functions may be easy for another database user to guess. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2657-1 CVE-2013-1900 CVE-2013-1899 CVE-2013-1901 | Version: | 7 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | postgresql-8.4 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18325 | |||
Oval ID: | oval:org.mitre.oval:def:18325 | ||
Title: | USN-1789-1 -- postgresql-8.3, postgresql-8.4, postgresql-9.1 vulnerabilities | ||
Description: | Several security issues were fixed in PostgreSQL. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1789-1 CVE-2013-1899 CVE-2013-1900 CVE-2013-1901 | Version: | 7 |
Platform(s): | Ubuntu 12.10 Ubuntu 12.04 Ubuntu 11.10 Ubuntu 10.04 Ubuntu 8.04 | Product(s): | postgresql-9.1 postgresql-8.4 postgresql-8.3 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20093 | |||
Oval ID: | oval:org.mitre.oval:def:20093 | ||
Title: | DSA-2630-1 postgresql-8.4 - programming error | ||
Description: | Sumit Soni discovered that PostgreSQL, an object-relational SQL database, could be forced to crash when an internal function was called with invalid arguments, resulting in denial of service. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2630-1 CVE-2013-0255 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | postgresql-8.4 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:20118 | |||
Oval ID: | oval:org.mitre.oval:def:20118 | ||
Title: | DSA-2658-1 postgresql-9.1 - several | ||
Description: | Several vulnerabilities were discovered in PostgreSQL database server. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2658-1 CVE-2013-1899 CVE-2013-1900 CVE-2013-1901 | Version: | 5 |
Platform(s): | Debian GNU/Linux 7 Debian GNU/kFreeBSD 7 | Product(s): | postgresql-9.1 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25926 | |||
Oval ID: | oval:org.mitre.oval:def:25926 | ||
Title: | SUSE-SU-2013:0633-2 -- Security update for PostgreSQL | ||
Description: | This update of PostgreSQL to version 9.1.9 fixes: * CVE-2013-1899: Fix insecure parsing of server command-line switches. * CVE-2013-1900: Reset OpenSSL randomness state in each postmaster child process. * CVE-2013-1901: Make REPLICATION privilege checks test current user not authenticated user. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:0633-2 CVE-2013-1899 CVE-2013-1900 CVE-2013-1901 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 | Product(s): | PostgreSQL |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26051 | |||
Oval ID: | oval:org.mitre.oval:def:26051 | ||
Title: | SUSE-SU-2013:0633-1 -- Security update for PostgreSQL | ||
Description: | This update to version 9.1.9 fixes: * CVE-2013-1899: Fix insecure parsing of server command-line switches. * CVE-2013-1900: Reset OpenSSL randomness state in each postmaster child process. * CVE-2013-1901: Make REPLICATION privilege checks test current user not authenticated user. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:0633-1 CVE-2013-1899 CVE-2013-1900 CVE-2013-1901 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | PostgreSQL |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26108 | |||
Oval ID: | oval:org.mitre.oval:def:26108 | ||
Title: | SUSE-SU-2013:0517-1 -- Security update for PostgreSQL | ||
Description: | PostgreSQL has been updated to version 9.1.8 which fixes various bugs and one security issue. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:0517-1 CVE-2013-0255 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | PostgreSQL |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2013-09-19 | IAVM : 2013-A-0179 - Apple Mac OS X Security Update 2013-004 Severity : Category I - VMSKEY : V0040373 |
2013-04-11 | IAVM : 2013-B-0035 - Multiple Vulnerabilities in PostgreSQL Severity : Category I - VMSKEY : V0037619 |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | PostgreSQL database name command line injection attempt RuleID : 26586 - Revision : 4 - Type : SERVER-OTHER |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-08-30 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201408-15.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-307.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-306.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-139.nasl - Type : ACT_GATHER_INFO |
2013-11-14 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-244.nasl - Type : ACT_GATHER_INFO |
2013-10-31 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20131029_postgresql_and_postgresql84_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-10-30 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-1475.nasl - Type : ACT_GATHER_INFO |
2013-10-30 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1475.nasl - Type : ACT_GATHER_INFO |
2013-10-30 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-1475.nasl - Type : ACT_GATHER_INFO |
2013-09-17 | Name : The remote host is missing a security update for OS X Server. File : macosx_server_2_2_2.nasl - Type : ACT_GATHER_INFO |
2013-09-13 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_10_8_5.nasl - Type : ACT_GATHER_INFO |
2013-09-13 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_SecUpd2013-004.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-178.nasl - Type : ACT_GATHER_INFO |
2013-04-22 | Name : The remote Fedora host is missing a security update. File : fedora_2013-6148.nasl - Type : ACT_GATHER_INFO |
2013-04-20 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-142.nasl - Type : ACT_GATHER_INFO |
2013-04-08 | Name : The remote database server is affected by a file deletion vulnerability. File : postgresql_cve20131899.nasl - Type : ACT_GATHER_INFO |
2013-04-08 | Name : The remote database server is affected by a denial of service vulnerability. File : postgresql_cve20131901.nasl - Type : ACT_GATHER_INFO |
2013-04-08 | Name : The remote database server is affected by an issue in the random number gener... File : postgresql_cve20131900.nasl - Type : ACT_GATHER_INFO |
2013-04-08 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_3f332f169b6b11e28fe908002798f6ff.nasl - Type : ACT_GATHER_INFO |
2013-04-07 | Name : The remote Fedora host is missing a security update. File : fedora_2013-5000.nasl - Type : ACT_GATHER_INFO |
2013-04-07 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libecpg6-130402.nasl - Type : ACT_GATHER_INFO |
2013-04-07 | Name : The remote Fedora host is missing a security update. File : fedora_2013-4951.nasl - Type : ACT_GATHER_INFO |
2013-04-05 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1789-1.nasl - Type : ACT_GATHER_INFO |
2013-04-05 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2657.nasl - Type : ACT_GATHER_INFO |
2013-03-26 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libecpg6-130213.nasl - Type : ACT_GATHER_INFO |
2013-03-26 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_postgresql-130213.nasl - Type : ACT_GATHER_INFO |
2013-02-21 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2630.nasl - Type : ACT_GATHER_INFO |
2013-02-18 | Name : The remote database server is affected by a denial of service vulnerability. File : postgresql_20130207.nasl - Type : ACT_GATHER_INFO |
2013-02-18 | Name : The remote Fedora host is missing a security update. File : fedora_2013-2152.nasl - Type : ACT_GATHER_INFO |
2013-02-17 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-012.nasl - Type : ACT_GATHER_INFO |
2013-02-13 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1717-1.nasl - Type : ACT_GATHER_INFO |
2013-02-11 | Name : The remote Fedora host is missing a security update. File : fedora_2013-2123.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:43:45 |
|
2013-04-11 21:18:43 |
|