Amazon Linux AMI : postgresql9 (ALAS-2013-178)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Amazon Linux AMI host is missing a security update.

Description :

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4,
9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to
cause a denial of service (file corruption), and allows remote
authenticated users to modify configuration settings and execute
arbitrary code, via a connection request using a database name that
begins with a '-' (hyphen).

PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly
check REPLICATION privileges, which allows remote authenticated users
to bypass intended backup restrictions by calling the (1)
pg_start_backup or (2) pg_stop_backup functions.

PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before
9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates
insufficiently random numbers, which might allow remote authenticated
users to have an unspecified impact via vectors related to the
'contrib/pgcrypto functions.'

See also :

http://www.nessus.org/u?ae39357d

Solution :

Run 'yum update postgresql9' to update your system.

Risk factor :

High / CVSS Base Score : 8.5
(CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
Public Exploit Available : true

Family: Amazon Linux Local Security Checks

Nessus Plugin ID: 69737 ()

Bugtraq ID:

CVE ID: CVE-2013-1899
CVE-2013-1900
CVE-2013-1901