Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : postgresql-8.4, postgresql-9.1 vulnerabilities (USN-2120-1)

Ubuntu Security Notice (C) 2014-2016 Canonical, Inc. / NASL script (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related
patches.

Description :

Noah Misch and Jonas Sundman discovered that PostgreSQL did not
correctly enforce ADMIN OPTION restrictions. An authenticated attacker
could use this issue to possibly revoke access from others, contrary
to expected permissions. (CVE-2014-0060)

Andres Freund discovered that PostgreSQL incorrectly handled validator
functions. An authenticated attacker could possibly use this issue to
escalate their privileges. (CVE-2014-0061)

Andres Freund discovered that PostgreSQL incorrectly handled
concurrent CREATE INDEX statements. An authenticated attacker could
possibly use this issue to obtain access to restricted data, bypassing
intended privileges. (CVE-2014-0062)

Daniel Schussler discovered that PostgreSQL incorrectly handled
datetime input. An authenticated attacker could possibly use this
issue to cause PostgreSQL to crash, resulting in a denial of service,
or possibly execute arbitrary code. (CVE-2014-0063)

It was discovered that PostgreSQL incorrectly handled certain size
calculations. An authenticated attacker could possibly use this issue
to cause PostgreSQL to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2014-0064)

Peter Eisentraut and Jozef Mlich discovered that PostgreSQL
incorrectly handled certain buffer sizes. An authenticated attacker
could possibly use this issue to cause PostgreSQL to crash, resulting
in a denial of service, or possibly execute arbitrary code.
(CVE-2014-0065)

Honza Horak discovered that PostgreSQL incorrectly used the crypt()
library function. This issue could possibly cause PostgreSQL to crash,
resulting in a denial of service (CVE-2014-0066).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected postgresql-8.4 and / or postgresql-9.1 packages.

Risk factor :

Medium / CVSS Base Score : 6.5
(CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVSS Temporal Score : 5.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 72682 ()

Bugtraq ID: 65719
65723
65724
65725
65727
65728
65731

CVE ID: CVE-2014-0060
CVE-2014-0061
CVE-2014-0062
CVE-2014-0063
CVE-2014-0064
CVE-2014-0065
CVE-2014-0066

Ready to Scan Unlimited IPs & Run Compliance Checks?

Upgrade to Nessus Professional today!

Buy Now

Combine the Power of Nessus with the Ease of Cloud

Start your free Nessus Cloud trial now!

Begin Free Trial