Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : postgresql-8.4, postgresql-9.1 vulnerabilities (USN-2120-1)

Ubuntu Security Notice (C) 2014 Canonical, Inc. / NASL script (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

Noah Misch and Jonas Sundman discovered that PostgreSQL did not
correctly enforce ADMIN OPTION restrictions. An authenticated attacker
could use this issue to possibly revoke access from others, contrary
to expected permissions. (CVE-2014-0060)

Andres Freund discovered that PostgreSQL incorrectly handled validator
functions. An authenticated attacker could possibly use this issue to
escalate their privileges. (CVE-2014-0061)

Andres Freund discovered that PostgreSQL incorrectly handled
concurrent CREATE INDEX statements. An authenticated attacker could
possibly use this issue to obtain access to restricted data, bypassing
intended privileges. (CVE-2014-0062)

Daniel Schüssler discovered that PostgreSQL incorrectly handled
datetime input. An authenticated attacker could possibly use this
issue to cause PostgreSQL to crash, resulting in a denial of service,
or possibly execute arbitrary code. (CVE-2014-0063)

It was discovered that PostgreSQL incorrectly handled certain size
calculations. An authenticated attacker could possibly use this issue
to cause PostgreSQL to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2014-0064)

Peter Eisentraut and Jozef Mlich discovered that PostgreSQL
incorrectly handled certain buffer sizes. An authenticated attacker
could possibly use this issue to cause PostgreSQL to crash, resulting
in a denial of service, or possibly execute arbitrary code.
(CVE-2014-0065)

Honza Horak discovered that PostgreSQL incorrectly used the crypt()
library function. This issue could possibly cause PostgreSQL to crash,
resulting in a denial of service (CVE-2014-0066).

Solution :

Update the affected postgresql-8.4 and / or postgresql-9.1 packages.

Risk factor :

Medium / CVSS Base Score : 6.5
(CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVSS Temporal Score : 5.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 72682 ()

Bugtraq ID: 65719
65723
65724
65725
65727
65728
65731

CVE ID: CVE-2014-0060
CVE-2014-0061
CVE-2014-0062
CVE-2014-0063
CVE-2014-0064
CVE-2014-0065
CVE-2014-0066