PostgreSQL: Multiple vulnerabilities — GLSA 201209-24

Multiple vulnerabilities have been found in PostgreSQL which may allow a remote attacker to conduct several attacks.

Affected Packages

dev-db/postgresql-server on all architectures
Affected versions < 9.1.5
Unaffected versions >= 9.1.5, revision >= 9.0.9, revision >= 8.4.13, revision >= 8.3.20, revision >= 8.4.17, revision >= 8.4.19, revision >= 9.0.13, revision >= 9.0.14, revision >= 9.0.15, revision >= 8.4.14, revision >= 8.4.15, revision >= 8.4.16, revision >= 9.0.16, revision >= 9.0.17

Background

PostgreSQL is an open source object-relational database management system.

Description

Multiple vulnerabilities have been discovered in PostgreSQL. Please review the CVE identifiers referenced below for details.

Impact

A remote attacker could spoof SSL connections. Furthermore, a remote authenticated attacker could cause a Denial of Service, read and write arbitrary files, inject SQL commands into dump scripts, or bypass database restrictions to execute database functions.

A context-dependent attacker could more easily obtain access via authentication attempts with an initial substring of the intended password.

Workaround

There is no known workaround at this time.

Resolution

All PostgreSQL 9.1 server users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-server-9.1.5"
 

All PostgreSQL 9.0 server users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-server-9.0.9"
 

All PostgreSQL 8.4 server users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-server-8.4.13"
 

All PostgreSQL 8.3 server users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-server-8.3.20"
 

References

Release Date
September 28, 2012

Latest Revision
January 20, 2014: 2

Severity
normal

Exploitable
remote

Bugzilla entries