CVE-2010-1975medium
Description
PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not properly check privileges during certain RESET ALL operations, which allows remote authenticated users to remove arbitrary parameter settings via a (1) ALTER USER or (2) ALTER DATABASE statement.
References
http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
http://marc.info/?l=bugtraq&m=134124585221119&w=2
http://secunia.com/advisories/39939
http://www.debian.org/security/2010/dsa-2051
http://www.mandriva.com/security/advisories?name=MDVSA-2010:103
http://www.postgresql.org/docs/current/static/release-7-4-29.html
http://www.postgresql.org/docs/current/static/release-8-0-25.html
http://www.postgresql.org/docs/current/static/release-8-1-21.html
http://www.postgresql.org/docs/current/static/release-8-2-17.html
http://www.postgresql.org/docs/current/static/release-8-3-11.html
http://www.postgresql.org/docs/current/static/release-8-4-4.html
http://www.securityfocus.com/bid/40304
http://www.vupen.com/english/advisories/2010/1207
http://www.vupen.com/english/advisories/2010/1221
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11004