4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
0.0004 Low
EPSS
Percentile
5.8%
Debian Security Advisory DLA-0019-1
https://wiki.debian.org/LTS
Package : postgresql-8.4
Version : 8.4.22-0+deb6u1
CVE ID : CVE-2014-0067
New upstream minor release. Users should upgrade to this version at their next
scheduled maintenance window.
Noteworthy change:
Secure Unix-domain sockets of temporary postmasters started during make
check (Noah Misch)
Any local user able to access the socket file could connect as the server's
bootstrap superuser, then proceed to execute arbitrary code as the
operating-system user running the test, as we previously noted in
CVE-2014-0067. This change defends against that risk by placing the server's
socket in a temporary, mode 0700 subdirectory of /tmp.
8.4.22 marks the end of life of the PostgreSQL 8.4 branch. No further
releases will be made by the PostgreSQL Global Development Group.
Users of PostgreSQL 8.4 should look into upgrading to a newer PostgreSQL
release. Options are:
Upgrading to Debian 7 (Wheezy), providing postgresql-9.1.
The use of the apt.postgresql.org repository, providing packages for all
active PostgreSQL branches (9.0 up to 9.4 at the time of writing).
See https://wiki.postgresql.org/wiki/Apt for more information about the
repository.
A helper script to activate the repository is provided in
/usr/share/doc/postgresql-8.4/examples/apt.postgresql.org.sh.
An LTS version of 8.4 is in planning that will cover the lifetime of
squeeze-lts. Updates will probably made on a best-effort basis. Users can
take advantage of this, but should still consider upgrading to newer
PostgreSQL versions over the next months.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 6 | all | postgresql-8.4 | < 8.4.22-0+deb6u1 | postgresql-8.4_8.4.22-0+deb6u1_all.deb |