Mandrake Linux Security Advisory : postgresql (MDKSA-2007:094)

This script is Copyright (C) 2007-2013 Tenable Network Security, Inc.


Synopsis :

The remote Mandrake Linux host is missing one or more security
updates.

Description :

A weakness in previous versions of PostgreSQL was found in the
security definer functions in which an authenticated but otherwise
unprivileged SQL user could use temporary objects to execute arbitrary
code with the privileges of the security-definer function.
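The hardening that closes this class of weakness is to stop a SECURITY DEFINER function from resolving names through the caller's temporary schema. The following is an added example, not code from the advisory or from the PostgreSQL project: the table and function names are hypothetical, and the dollar-quoted body assumes PostgreSQL 8.0 or later (on 7.4 the body must be single-quoted). The fixed releases allow pg_temp to be placed explicitly, and last, in search_path; the audit query at the end lists the functions that need this review.

```sql
-- Added example (not from the advisory): a SECURITY DEFINER function that
-- pins its search_path so the objects it references cannot be shadowed by
-- a caller's temporary objects. Names here are hypothetical.
CREATE TABLE audit_log (
    who  text,
    what text,
    at   timestamptz DEFAULT pg_catalog.now()
);

CREATE OR REPLACE FUNCTION log_event(text) RETURNS void AS $$
BEGIN
    -- Pin the schema search order for the current transaction only.
    -- Listing pg_temp explicitly and last is what the fixed releases
    -- make possible; before the fix the temporary schema was always
    -- searched first, ahead of any schema named here.
    SET LOCAL search_path = pg_catalog, public, pg_temp;

    -- Schema-qualify every reference as a second line of defence.
    INSERT INTO public.audit_log (who, what)
        VALUES (current_user, $1);
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;

-- Audit query: list every SECURITY DEFINER function outside the system
-- schemas so each one can be checked for a pinned search_path.
-- pg_proc.prosecdef is present in 7.4 as well as later releases.
SELECT n.nspname AS schema_name, p.proname AS function_name
  FROM pg_catalog.pg_proc p
  JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
 WHERE p.prosecdef
   AND n.nspname NOT IN ('pg_catalog', 'information_schema')
 ORDER BY 1, 2;
```

Run the audit query as a superuser after applying the update; any function it returns whose body neither pins search_path nor schema-qualifies its references should be revised, since the package update alone does not rewrite user-defined functions.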

IMPORTANT NOTICE FOR CORPORATE SERVER/DESKTOP 3.0 USERS :

In addition, packages for Corporate Server/Desktop 3.0 have been
updated to the latest PostgreSQL 7.4.17 which requires some attention
when upgrading. To take advantage of the new version, and to ensure
data coherency, we strongly recommend dumping the old databases,
re-initializing the database, and then reloading the dumped data. This
can be accomplished as root using :

  # service postgresql start
  # su - postgres
  $ pg_dumpall >/tmp/database.dump
  $ exit
  # service postgresql stop
  # mv /var/lib/pgsql /var/lib/pgsql.bk
  # urpmi.update -a && urpmi --auto-select
  # service postgresql start
  # service postgresql restart
  # su - postgres
  $ /usr/bin/psql -d template1 -f /tmp/database.dump
  $ exit

Only Corporate Server/Desktop 3.0 requires the dump/reload steps; the
other Mandriva Linux platforms do not require this step. Notice that
the double-restart of the postgresql service is in fact required.

Updated packages have been patched to correct this issue.

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.0
(CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P)

Family: Mandriva Local Security Checks

Nessus Plugin ID: 25115 (mandrake_MDKSA-2007-094.nasl)

Bugtraq ID:

CVE ID: CVE-2007-2138
