GLSA-201209-24 : PostgreSQL: Multiple vulnerabilities

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-201209-24
(PostgreSQL: Multiple vulnerabilities)

Multiple vulnerabilities have been discovered in PostgreSQL. Please
review the CVE identifiers referenced below for details.

Impact :

A remote attacker could spoof SSL connections. Furthermore, a remote
authenticated attacker could cause a Denial of Service, read and write
arbitrary files, inject SQL commands into dump scripts, or bypass
database restrictions to execute database functions.
A context-dependent attacker could more easily obtain access via
authentication attempts with an initial substring of the intended
password.

Workaround :

There is no known workaround at this time.

See also :

http://www.gentoo.org/security/en/glsa/glsa-201209-24.xml

Solution :

All PostgreSQL 9.1 server users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-db/postgresql-server-9.1.5'
All PostgreSQL 9.0 server users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-db/postgresql-server-9.0.9'
All PostgreSQL 8.4 server users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-db/postgresql-server-8.4.13'
All PostgreSQL 8.3 server users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-db/postgresql-server-8.3.20'

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.0
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Gentoo Local Security Checks

Nessus Plugin ID: 62380 ()

Bugtraq ID: 52188
53729
53812
55072
55074

CVE ID: CVE-2012-0866
CVE-2012-0867
CVE-2012-0868
CVE-2012-2143
CVE-2012-2655
CVE-2012-3488
CVE-2012-3489