Mandriva Linux Security Advisory : postgresql (MDVSA-2012:092)

This script is Copyright (C) 2012-2016 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

Multiple vulnerabilities has been discovered and corrected in
postgresql :

Fix incorrect password transformation in contrib/pgcrypto's DES
crypt() function (Solar Designer). If a password string contained the
byte value 0x80, the remainder of the password was ignored, causing
the password to be much weaker than it appeared. With this fix, the
rest of the string is properly included in the DES hash. Any stored
password values that are affected by this bug will thus no longer
match, so the stored values may need to be updated (CVE-2012-2143).

Ignore SECURITY DEFINER and SET attributes for a procedural language's
call handler (Tom Lane). Applying such attributes to a call handler
could crash the server (CVE-2012-2655).

This advisory provides the latest versions of PostgreSQL that is not
vulnerable to these issues.

See also :

http://www.postgresql.org/docs/8.3/static/release-8-3-19.html
http://www.postgresql.org/docs/8.4/static/release-8-4-12.html
http://www.postgresql.org/docs/9.0/static/release-9-0-8.html

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.5
(CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVSS Temporal Score : 5.7
(CVSS2#E:ND/RL:OF/RC:ND)
Public Exploit Available : true

Family: Mandriva Local Security Checks

Nessus Plugin ID: 59518 ()

Bugtraq ID: 53729
53812

CVE ID: CVE-2012-0866
CVE-2012-2143
CVE-2012-2655

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now