| Summary: | <dev-db/postgresql-server-{9.2.4,9.1.9,9.0.13,8.4.17}: Multiple vulnerabilities (CVE-2013-{1899,1900,1901}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Mike Doty (RETIRED) <kingtaco> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | adrian, alexander, ap, betelgeuse, bug, ct, mschiff, pgsql-bugs, slawomir.nizio |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.postgresql.org/support/security/ | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Mike Doty (RETIRED)
2013-03-30 16:00:51 UTC
PostgreSQL does not yet need to be masked. The vulnerability is not public, yet. Patrick or I will bump it as soon as we see the tarballs available upstream, which is usually a day before an announcement.

We do expect to be quick about it, all of us collectively. You know, like Gentoo penguins.

Any news?

The update isn't out yet but will be released today. According to the #postgresql channel Debian, FreeBSD, etc. people already got the update to spread it to their mirrors etc. So if Gentoo was just as quick once it's out it would be surely great.

Hey, guys! How about bump? http://www.postgresql.org/about/news/1456/

QA: One of you available to bump?

Working on this now. Was released 2 hours ago while I was at work. I'm on lunch now and it will get bumped shortly.

CVE-2013-1899 <dev-db/postgresql-server-{9.2.4,9.1.9,9.0.13}
------------------------------------------------------------
A connection request containing a database name that begins with "-" may be crafted to damage or destroy files within a server's data directory.

CVE-2013-1900 <dev-db/postgresql-server-{9.2.4,9.1.9,9.0.13,8.4.17}
-------------------------------------------------------------------
Random numbers generated by contrib/pgcrypto functions may be easy for another database user to guess.

CVE-2013-1901 <dev-db/postgresql-server-{9.2.4,9.1.9}
-----------------------------------------------------
An unprivileged user can run commands that could interfere with in-progress backups.

Stabilization targets:

=dev-db/postgresql-docs-8.4.17
=dev-db/postgresql-docs-9.0.13
=dev-db/postgresql-docs-9.1.9
=dev-db/postgresql-docs-9.2.4
=dev-db/postgresql-base-8.4.17
=dev-db/postgresql-base-9.0.13
=dev-db/postgresql-base-9.1.9
=dev-db/postgresql-base-9.2.4
=dev-db/postgresql-server-8.4.17
=dev-db/postgresql-server-9.0.13
=dev-db/postgresql-server-9.1.9
=dev-db/postgresql-server-9.2.4

Thanks Aaron. I thought that maybe no-one was actively available to look at the issue when it was indicated that the tarballs would have been out for some time now.

(In reply to comment #8)
> Thanks Aaron. I thought that maybe no-one was actively available to look at
> the issue when it was indicated that the tarballs would have been out for
> some time now.

No problem. The tarballs did become available shortly before the announcement. I'm not sure how much earlier, but probably less than half an hour.

amd64 stable

x86 stable

ppc stable

ppc64 stable

CVE-2013-{1902,1903} do not affect us. We do not use EnterpriseDB's installers.

Stable for HPPA.

alpha stable

ia64 stable

arm stable

s390 stable

sh stable

sparc stable

Removal of vulnerable, done. Security, please vote.

GLSA vote: yes.

CVE-2013-1901 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1901):
PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions.

CVE-2013-1900 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1900):
PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the "contrib/pgcrypto functions."

CVE-2013-1899 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1899):
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen).

On GLSA draft.

This issue was resolved and addressed in GLSA 201408-15 at http://security.gentoo.org/glsa/glsa-201408-15.xml by GLSA coordinator Kristian Fiskerstrand (K_F).