SB2013040402 - Permissions, Privileges, and Access Controls in PostgreSQL

Description

This security bulletin contains information about 1 security vulnerability.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-1901)

The vulnerability allows a remote #AU# to manipulate data.

PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions. Per http://www.ubuntu.com/usn/USN-1789-1/ "A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.10 Ubuntu 12.04 LTS Ubuntu 11.10 Ubuntu 10.04 LTS Ubuntu 8.04 LTS"

Remediation

Install update from vendor's website.

References

• http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
• http://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html
• http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html
• http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html
• http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html
• http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html
• http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html
• http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html
• http://support.apple.com/kb/HT5880
• http://support.apple.com/kb/HT5892
• http://www.debian.org/security/2013/dsa-2658
• http://www.mandriva.com/security/advisories?name=MDVSA-2013:142
• http://www.postgresql.org/about/news/1456/
• http://www.postgresql.org/docs/current/static/release-9-1-9.html
• http://www.postgresql.org/docs/current/static/release-9-2-4.html
• http://www.ubuntu.com/usn/USN-1789-1