SB2013040501 - SUSE Linux update for PostgreSQL
Published: April 5, 2013
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2013-1899)
The vulnerability allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen).
2) Input validation error (CVE-ID: CVE-2013-1900)
The vulnerability allows a remote #AU# to execute arbitrary code.
PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the "contrib/pgcrypto functions." Per http://www.ubuntu.com/usn/USN-1789-1/ "A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.10 Ubuntu 12.04 LTS Ubuntu 11.10 Ubuntu 10.04 LTS Ubuntu 8.04 LTS"
3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-1901)
The vulnerability allows a remote #AU# to manipulate data.
PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions. Per http://www.ubuntu.com/usn/USN-1789-1/ "A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.10 Ubuntu 12.04 LTS Ubuntu 11.10 Ubuntu 10.04 LTS Ubuntu 8.04 LTS"
Remediation
Install update from vendor's website.