Ubuntu 4.10 : postgresql vulnerability (USN-71-1)

Ubuntu Security Notice (C) 2005-2013 Canonical, Inc. / NASL script (C) 2006-2013 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

John Heasman discovered a local privilege escalation in the PostgreSQL
server. Any user could use the LOAD extension to load any shared
library into the PostgreSQL server
the library's initialisation
function was then executed with the permissions of the server.

Now the use of LOAD is restricted to the database superuser (usually
'postgres').

Note: Since there is no way for normal database users to create
arbitrary files, this vulnerability is not exploitable remotely, e. g.
by uploading a shared library in the form of a Binary Large Object
(BLOB) to a public web server.

Solution :

Update the affected packages.

Risk factor :

High

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 20692 ()

Bugtraq ID:

CVE ID: