CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:S/C:C/I:C/A:C
EPSS
Percentile
78.2%
Gerfried Fuchs uploaded new packages for postgresql-8.4 which fixed the
following security problems:
CVE-2010-1169
PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21,
8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta
before 9.0 Beta 2 does not properly restrict PL/perl procedures, which
allows remote authenticated users, with database-creation privileges,
to execute arbitrary Perl code via a crafted script, related to the
Safe module (aka Safe.pm) for Perl.
CVE-2010-1170
The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before
8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4
before 8.4.4, and 9.0 Beta before 9.0 Beta 2 loads Tcl code from the
pltcl_modules table regardless of the table's ownership and
permissions, which allows remote authenticated users, with
database-creation privileges, to execute arbitrary Tcl code by
creating this table and inserting a crafted Tcl script.
CVE-2010-1975
PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21,
8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not
properly check privileges during certain RESET ALL operations, which
allows remote authenticated users to remove arbitrary parameter
settings via a (1) ALTER USER or (2) ALTER DATABASE statement.
For the lenny-backports distribution the problems have been fixed in
version 8.4.4-1~bpo50+1.
For the squeeze and sid distributions the problems have been fixed in
version 8.4.4-1.
If you don't use pinning (see [1]) you have to update the packages
manually via "apt-get -t lenny-backports install <packagelist>" with the
packagelist of your installed packages affected by this update.
[1] <http://backports.org/dokuwiki/doku.php?id=instructions>
We recommend to pin the backports repository to 200 so that new versions
of installed backports will be installed automatically:
Package: *
Pin: release a=lenny-backports
Pin-Priority: 200
Attachment:
signature.asc
Description: Digital signature