Amazon Linux AMI : postgresql9 (ALAS-2012-121)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Amazon Linux AMI host is missing a security update.

Description :

The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20,
8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not
properly restrict access to files and URLs, which allows remote
authenticated users to modify data, obtain sensitive information, or
trigger outbound traffic to arbitrary external hosts by leveraging (1)
stylesheet commands that are permitted by the libxslt security options
or (2) an xslt_process feature, related to an XML External Entity (aka
XXE) issue.
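As an added example that is not part of the Tenable plugin, the following Python check applies the branch-specific version ranges stated above to a PostgreSQL version string (for instance the output of `psql --version` or an RPM version string); the sample strings in it are constructed.

```python
import re

# Fixed releases per affected branch, as given in the advisory text:
# 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, 9.1 before 9.1.5.
FIXED = {
    (8, 3): (8, 3, 20),
    (8, 4): (8, 4, 13),
    (9, 0): (9, 0, 9),
    (9, 1): (9, 1, 5),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first x.y.z version in text as a tuple of ints.

    Works on strings such as "psql (PostgreSQL) 9.1.4" or an RPM
    version like "postgresql9-9.1.5-1.amzn1" (constructed sample).
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(g) for g in m.groups())


def is_affected(version):
    """True when the version is in a listed branch and predates its fix."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return False  # branch not named in the advisory (e.g. 9.2.x)
    return version < fixed


def assess(text):
    """Parse a version string and report whether it is affected."""
    v = parse_version(text)
    return {"version": v, "affected": is_affected(v), "fixed_in": FIXED.get(v[:2])}


if __name__ == "__main__":
    for sample in ("psql (PostgreSQL) 9.1.4",        # affected
                   "postgresql9-9.1.5-1.amzn1",      # at the fixed release
                   "psql (PostgreSQL) 9.2.1"):       # branch not listed
        print(sample, "->", assess(sample))
```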

See also :

http://www.nessus.org/u?498971f2

Solution :

Run 'yum update postgresql9' to update your system.

Risk factor :

Medium / CVSS Base Score : 4.9
(CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:N)

Family: Amazon Linux Local Security Checks

Nessus Plugin ID: 69611

Bugtraq ID:

CVE ID: CVE-2012-3488