Executive Summary
Summary | |
---|---|
Title | postgresql and postgresql84 security update |
Informations | |||
---|---|---|---|
Name | RHSA-2012:1037 | First vendor Publication | 2012-06-25 |
Vendor | RedHat | Last vendor Modification | 2012-06-25 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated postgresql84 and postgresql packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6 respectively. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: PostgreSQL is an advanced object-relational database management system (DBMS). A flaw was found in the way the crypt() password hashing function from the optional PostgreSQL pgcrypto contrib module performed password transformation when used with the DES algorithm. If the password string to be hashed contained the 0x80 byte value, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength. This made brute-force guessing more efficient as the whole password was not required to gain access to protected resources. (CVE-2012-2143) Note: With this update, the rest of the string is properly included in the DES hash; therefore, any previously stored password values that are affected by this issue will no longer match. In such cases, it will be necessary for those stored password hashes to be updated. A denial of service flaw was found in the way the PostgreSQL server performed a user privileges check when applying SECURITY DEFINER or SET attributes to a procedural language's (such as PL/Perl or PL/Python) call handler function. A non-superuser database owner could use this flaw to cause the PostgreSQL server to crash due to infinite recursion. (CVE-2012-2655) Upstream acknowledges Rubin Xu and Joseph Bonneau as the original reporters of the CVE-2012-2143 issue. These updated packages upgrade PostgreSQL to version 8.4.12, which fixes these issues as well as several non-security issues. Refer to the PostgreSQL Release Notes for a full list of changes: http://www.postgresql.org/docs/8.4/static/release.html All PostgreSQL users are advised to upgrade to these updated packages, which correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 816956 - CVE-2012-2143 BSD crypt(): DES encrypted password weakness 825995 - CVE-2012-2655 postgresql: Ability of database owners to install procedural languages via CREATE LANGUAGE found unsafe (DoS) |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2012-1037.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-399 | Resource Management Errors |
50 % | CWE-310 | Cryptographic Issues |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:17690 | |||
Oval ID: | oval:org.mitre.oval:def:17690 | ||
Title: | USN-1461-1 -- postgresql-8.3, postgresql-8.4, postgresql-9.1 vulnerabilities | ||
Description: | PostgreSQL could be made to crash or incorrectly handle authentication. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1461-1 CVE-2012-2143 CVE-2012-2655 | Version: | 7 |
Platform(s): | Ubuntu 12.04 Ubuntu 11.10 Ubuntu 11.04 Ubuntu 10.04 Ubuntu 8.04 | Product(s): | postgresql-9.1 postgresql-8.4 postgresql-8.3 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18544 | |||
Oval ID: | oval:org.mitre.oval:def:18544 | ||
Title: | DSA-2491-1 postgresql-8.4 - several | ||
Description: | Two vulnerabilities were discovered in PostgreSQL, an SQL database server. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2491-1 CVE-2012-2143 CVE-2012-2655 | Version: | 7 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | postgresql-8.4 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21377 | |||
Oval ID: | oval:org.mitre.oval:def:21377 | ||
Title: | RHSA-2012:1036: postgresql security update (Moderate) | ||
Description: | The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:1036-00 CESA-2012:1036 CVE-2012-2143 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | postgresql |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23044 | |||
Oval ID: | oval:org.mitre.oval:def:23044 | ||
Title: | ELSA-2012:1036: postgresql security update (Moderate) | ||
Description: | The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:1036-00 CVE-2012-2143 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | postgresql |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27122 | |||
Oval ID: | oval:org.mitre.oval:def:27122 | ||
Title: | DEPRECATED: ELSA-2012-1036 -- postgresql security update (moderate) | ||
Description: | [8.1.23-5] - Back-port upstream fix for CVE-2012-2143 Resolves: #830721 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-1036 CVE-2012-2143 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | postgresql |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-10-03 | Name : Gentoo Security Advisory GLSA 201209-24 (PostgreSQL) File : nvt/glsa_201209_24.nasl |
2012-09-26 | Name : Gentoo Security Advisory GLSA 201209-03 (php) File : nvt/glsa_201209_03.nasl |
2012-09-25 | Name : Mac OS X v10.6.8 Multiple Vulnerabilities (2012-004) File : nvt/gb_macosx_su12-004.nasl |
2012-08-30 | Name : Fedora Update for postgresql FEDORA-2012-12165 File : nvt/gb_fedora_2012_12165_postgresql_fc17.nasl |
2012-08-30 | Name : Fedora Update for php FEDORA-2012-9490 File : nvt/gb_fedora_2012_9490_php_fc17.nasl |
2012-08-30 | Name : Fedora Update for maniadrive FEDORA-2012-9490 File : nvt/gb_fedora_2012_9490_maniadrive_fc17.nasl |
2012-08-30 | Name : Fedora Update for postgresql FEDORA-2012-8924 File : nvt/gb_fedora_2012_8924_postgresql_fc17.nasl |
2012-08-30 | Name : Fedora Update for postgresql FEDORA-2012-12156 File : nvt/gb_fedora_2012_12156_postgresql_fc16.nasl |
2012-08-30 | Name : Fedora Update for php FEDORA-2012-10936 File : nvt/gb_fedora_2012_10936_php_fc17.nasl |
2012-08-10 | Name : FreeBSD Ports: FreeBSD File : nvt/freebsd_FreeBSD18.nasl |
2012-08-10 | Name : Debian Security Advisory DSA 2491-1 (postgresql-8.4) File : nvt/deb_2491_1.nasl |
2012-08-06 | Name : Fedora Update for php FEDORA-2012-10908 File : nvt/gb_fedora_2012_10908_php_fc16.nasl |
2012-08-03 | Name : Mandriva Update for php MDVSA-2012:093 (php) File : nvt/gb_mandriva_MDVSA_2012_093.nasl |
2012-08-03 | Name : Mandriva Update for postgresql MDVSA-2012:092 (postgresql) File : nvt/gb_mandriva_MDVSA_2012_092.nasl |
2012-07-30 | Name : CentOS Update for postgresql84 CESA-2012:1037 centos5 File : nvt/gb_CESA-2012_1037_postgresql84_centos5.nasl |
2012-07-30 | Name : CentOS Update for postgresql CESA-2012:1036 centos5 File : nvt/gb_CESA-2012_1036_postgresql_centos5.nasl |
2012-07-30 | Name : CentOS Update for postgresql CESA-2012:1037 centos6 File : nvt/gb_CESA-2012_1037_postgresql_centos6.nasl |
2012-07-30 | Name : CentOS Update for php CESA-2012:1046 centos6 File : nvt/gb_CESA-2012_1046_php_centos6.nasl |
2012-07-30 | Name : CentOS Update for php53 CESA-2012:1047 centos5 File : nvt/gb_CESA-2012_1047_php53_centos5.nasl |
2012-07-03 | Name : Fedora Update for maniadrive FEDORA-2012-9762 File : nvt/gb_fedora_2012_9762_maniadrive_fc16.nasl |
2012-07-03 | Name : Fedora Update for php-eaccelerator FEDORA-2012-9762 File : nvt/gb_fedora_2012_9762_php-eaccelerator_fc16.nasl |
2012-07-03 | Name : Fedora Update for php FEDORA-2012-9762 File : nvt/gb_fedora_2012_9762_php_fc16.nasl |
2012-06-28 | Name : RedHat Update for postgresql and postgresql84 RHSA-2012:1037-01 File : nvt/gb_RHSA-2012_1037-01_postgresql_and_postgresql84.nasl |
2012-06-28 | Name : RedHat Update for postgresql RHSA-2012:1036-01 File : nvt/gb_RHSA-2012_1036-01_postgresql.nasl |
2012-06-28 | Name : RedHat Update for php53 RHSA-2012:1047-01 File : nvt/gb_RHSA-2012_1047-01_php53.nasl |
2012-06-28 | Name : RedHat Update for php RHSA-2012:1046-01 File : nvt/gb_RHSA-2012_1046-01_php.nasl |
2012-06-22 | Name : Ubuntu Update for php5 USN-1481-1 File : nvt/gb_ubuntu_USN_1481_1.nasl |
2012-06-19 | Name : Fedora Update for postgresql FEDORA-2012-8915 File : nvt/gb_fedora_2012_8915_postgresql_fc15.nasl |
2012-06-19 | Name : Fedora Update for postgresql FEDORA-2012-8893 File : nvt/gb_fedora_2012_8893_postgresql_fc16.nasl |
2012-06-08 | Name : Ubuntu Update for postgresql-9.1 USN-1461-1 File : nvt/gb_ubuntu_USN_1461_1.nasl |
2012-05-31 | Name : FreeBSD Ports: postgresql-server File : nvt/freebsd_postgresql-server1.nasl |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | PHP truncated crypt function attempt RuleID : 23896 - Revision : 4 - Type : SERVER-WEBAPP |
2014-01-10 | PHP truncated crypt function attempt RuleID : 23895 - Revision : 5 - Type : SERVER-WEBAPP |
2014-01-10 | truncated crypt function attempt RuleID : 23894 - Revision : 7 - Type : SERVER-WEBAPP |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2012-1336-1.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-675.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-667.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-650.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-365.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-94.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-91.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-95.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-1047.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-1046.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-1037.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-1036.nasl - Type : ACT_GATHER_INFO |
2013-06-29 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-1047.nasl - Type : ACT_GATHER_INFO |
2013-01-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_postgresql-120820.nasl - Type : ACT_GATHER_INFO |
2013-01-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_apache2-mod_php53-120618.nasl - Type : ACT_GATHER_INFO |
2012-12-28 | Name : The remote database server is affected by multiple vulnerabilities. File : postgresql_20120604.nasl - Type : ACT_GATHER_INFO |
2012-10-15 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_postgresql-8311.nasl - Type : ACT_GATHER_INFO |
2012-09-29 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201209-24.nasl - Type : ACT_GATHER_INFO |
2012-09-24 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201209-03.nasl - Type : ACT_GATHER_INFO |
2012-09-20 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_10_8_2.nasl - Type : ACT_GATHER_INFO |
2012-09-20 | Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_SecUpd2012-004.nasl - Type : ACT_GATHER_INFO |
2012-09-20 | Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_10_7_5.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120627_php_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120627_php53_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120625_postgresql_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120625_postgresql_and_postgresql84_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120625_postgresql_and_postgresql84_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-07-11 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-1046.nasl - Type : ACT_GATHER_INFO |
2012-07-03 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2012-9762.nasl - Type : ACT_GATHER_INFO |
2012-07-01 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2012-9490.nasl - Type : ACT_GATHER_INFO |
2012-06-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2491.nasl - Type : ACT_GATHER_INFO |
2012-06-28 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1047.nasl - Type : ACT_GATHER_INFO |
2012-06-28 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1046.nasl - Type : ACT_GATHER_INFO |
2012-06-28 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_185ff22ec06611e1b5e0000c299b62e1.nasl - Type : ACT_GATHER_INFO |
2012-06-27 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-1037.nasl - Type : ACT_GATHER_INFO |
2012-06-26 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1037.nasl - Type : ACT_GATHER_INFO |
2012-06-26 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1036.nasl - Type : ACT_GATHER_INFO |
2012-06-26 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-1036.nasl - Type : ACT_GATHER_INFO |
2012-06-20 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1481-1.nasl - Type : ACT_GATHER_INFO |
2012-06-18 | Name : The remote Fedora host is missing a security update. File : fedora_2012-8893.nasl - Type : ACT_GATHER_INFO |
2012-06-18 | Name : The remote Fedora host is missing a security update. File : fedora_2012-8915.nasl - Type : ACT_GATHER_INFO |
2012-06-18 | Name : The remote Fedora host is missing a security update. File : fedora_2012-8924.nasl - Type : ACT_GATHER_INFO |
2012-06-15 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-092.nasl - Type : ACT_GATHER_INFO |
2012-06-15 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-093.nasl - Type : ACT_GATHER_INFO |
2012-06-15 | Name : The remote web server uses a version of PHP that is affected by multiple vuln... File : php_5_3_14.nasl - Type : ACT_GATHER_INFO |
2012-06-15 | Name : The remote web server uses a version of PHP that is affected by multiple vuln... File : php_5_4_4.nasl - Type : ACT_GATHER_INFO |
2012-06-06 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1461-1.nasl - Type : ACT_GATHER_INFO |
2012-05-31 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_a8864f8faa9e11e1a2840023ae8e59f0.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:56:06 |
|