PostgreSQL 8.4.x < 8.4.20 / 9.0.x < 9.0.16 / 9.1.x < 9.1.12 / 9.2.x < 9.2.7 / 9.3.x < 9.3.3 Multiple Vulnerabilities

Medium

Synopsis

The database running on the remote server is affected by multiple vulnerabilities.

Description

The version of PostgreSQL installed on the remote host is 8.4.x prior to 8.4.20, 9.0.x prior to 9.0.16, 9.1.x prior to 9.1.12, 9.2.x prior to 9.2.7 or 9.3.x prior to 9.3.3 and is potentially affected by multiple vulnerabilities :

- SET ROLE bypasses lack of ADMIN OPTION when granting roles. (CVE-2014-0060)

- It is possible to elevate privileges via calls to validator functions. (CVE-2014-0061)

- It is possible to elevate privileges via a race condition in CREATE INDEX. (CVE-2014-0062)

- Potential buffer overruns exist due to integer overflow in size calculations. (CVE-2014-0063)

- Potential buffer overruns exist in datetime input/output. (CVE-2014-0064)

- Multiple fixed-size buffers exist that could potentially be overflowed. (CVE-2014-0065)

- A potential NULL pointer dereference crash is possible when crypt(3) returns NULL. (CVE-2014-0066)

- Multiple integer overflow vulnerabilities exist in 'hstore_io.c'. (CVE-2014-2669)

Solution

Upgrade to PostgreSQL 8.4.20 / 9.0.16 / 9.1.12 / 9.2.7 / 9.3.3, or later.