PostgreSQL 8.3 < 8.3.19 / 8.4 < 8.4.12 / 9.0 < 9.0.8 / 9.1 < 9.1.4 Multiple Vulnerabilities

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote database server is affected by multiple vulnerabilities.

Description :

The version of PostgreSQL installed on the remote host is 8.3.x prior
to 8.3.19, 8.4.x prior to 8.4.12, 9.0.x prior to 9.0.8, or 9.1.x prior
to 9.1.4. As such, it is potentially affected by multiple
vulnerabilities :

- Passwords containing the byte 0x80 passed to the crypt()
function in pgcrypto are incorrectly truncated if DES
encryption was used. (CVE-2012-2143)

- SECURITY_DEFINER and SET attributes on procedural call
handlers are not ignored and can be used to crash the
server. (CVE-2012-2655)

See also :

http://www.postgresql.org/about/news/1398/
http://www.postgresql.org/docs/8.3/static/release-8-3-19.html
http://www.postgresql.org/docs/8.4/static/release-8-4-12.html
http://www.postgresql.org/docs/9.0/static/release-9-0-8.html
http://www.postgresql.org/docs/9.1/static/release-9-1-4.html

Solution :

Upgrade to PostgreSQL 8.3.19 / 8.4.12 / 9.0.8 / 9.1.4 or later.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C)
CVSS Temporal Score : 5.6
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Databases

Nessus Plugin ID: 63353 ()

Bugtraq ID: 53729
53812

CVE ID: CVE-2012-2143
CVE-2012-2655