AmazonALAS-2013-178Critical: postgresql9
8.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:S/C:C/I:C/A:C
0.971 High
EPSS
Percentile
99.8%
Issue Overview:
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a “-” (hyphen).
PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions.
PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the “contrib/pgcrypto functions.”
Affected Packages:
postgresql9
Issue Correction:
Run yum update postgresql9 to update your system.
New Packages:
i686:
postgresql9-libs-9.2.4-1.35.amzn1.i686
postgresql9-plperl-9.2.4-1.35.amzn1.i686
postgresql9-docs-9.2.4-1.35.amzn1.i686
postgresql9-contrib-9.2.4-1.35.amzn1.i686
postgresql9-pltcl-9.2.4-1.35.amzn1.i686
postgresql9-test-9.2.4-1.35.amzn1.i686
postgresql9-devel-9.2.4-1.35.amzn1.i686
postgresql9-9.2.4-1.35.amzn1.i686
postgresql9-plpython-9.2.4-1.35.amzn1.i686
postgresql9-upgrade-9.2.4-1.35.amzn1.i686
postgresql9-debuginfo-9.2.4-1.35.amzn1.i686
postgresql9-server-9.2.4-1.35.amzn1.i686
src:
postgresql9-9.2.4-1.35.amzn1.src
x86_64:
postgresql9-test-9.2.4-1.35.amzn1.x86_64
postgresql9-server-9.2.4-1.35.amzn1.x86_64
postgresql9-docs-9.2.4-1.35.amzn1.x86_64
postgresql9-debuginfo-9.2.4-1.35.amzn1.x86_64
postgresql9-pltcl-9.2.4-1.35.amzn1.x86_64
postgresql9-upgrade-9.2.4-1.35.amzn1.x86_64
postgresql9-devel-9.2.4-1.35.amzn1.x86_64
postgresql9-libs-9.2.4-1.35.amzn1.x86_64
postgresql9-plperl-9.2.4-1.35.amzn1.x86_64
postgresql9-9.2.4-1.35.amzn1.x86_64
postgresql9-plpython-9.2.4-1.35.amzn1.x86_64
postgresql9-contrib-9.2.4-1.35.amzn1.x86_64
Additional References
Red Hat: CVE-2013-1899, CVE-2013-1900, CVE-2013-1901
Mitre: CVE-2013-1899, CVE-2013-1900, CVE-2013-1901
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Amazon Linux | 1 | i686 | postgresql9-libs | < 9.2.4-1.35.amzn1 | postgresql9-libs-9.2.4-1.35.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | postgresql9-plperl | < 9.2.4-1.35.amzn1 | postgresql9-plperl-9.2.4-1.35.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | postgresql9-docs | < 9.2.4-1.35.amzn1 | postgresql9-docs-9.2.4-1.35.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | postgresql9-contrib | < 9.2.4-1.35.amzn1 | postgresql9-contrib-9.2.4-1.35.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | postgresql9-pltcl | < 9.2.4-1.35.amzn1 | postgresql9-pltcl-9.2.4-1.35.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | postgresql9-test | < 9.2.4-1.35.amzn1 | postgresql9-test-9.2.4-1.35.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | postgresql9-devel | < 9.2.4-1.35.amzn1 | postgresql9-devel-9.2.4-1.35.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | postgresql9 | < 9.2.4-1.35.amzn1 | postgresql9-9.2.4-1.35.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | postgresql9-plpython | < 9.2.4-1.35.amzn1 | postgresql9-plpython-9.2.4-1.35.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | postgresql9-upgrade | < 9.2.4-1.35.amzn1 | postgresql9-upgrade-9.2.4-1.35.amzn1.i686.rpm |
Related
8.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:S/C:C/I:C/A:C
0.971 High
EPSS
Percentile
99.8%