Scientific Linux Security Update : postgresql on SL7.x x86_64

High Nessus Plugin ID 105387

Synopsis

The remote Scientific Linux host is missing one or more security updates.

Description

Security Fix(es) :

- Privilege escalation flaws were found in the initialization scripts of PostgreSQL. An attacker with access to the postgres user account could use these flaws to obtain root access on the server machine.
(CVE-2017-12172, CVE-2017-15097)

Note: This update drops the privileges of the initialization scripts from root to the postgres user. It therefore works properly only if the postgres user has write access to its own home directory, as it does in the default configuration (/var/lib/pgsql).
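A local check for the two things an administrator wants to confirm after this update, added here as an example (it is not code from the Nessus plugin or from the vendor update): that the installed postgresql-server package's RPM changelog lists the two CVEs, and that the postgres user's home directory is owned and writable by that user, which is the precondition stated in the note above. The function names are ours; the passwd line used by the test is constructed to match the stock postgres account on an EL7 system; and the changelog test is a heuristic that relies on the vendor changelog naming the CVEs, which Red Hat-derived packages normally do but the plugin itself does not depend on.

```shell
#!/bin/sh
# Added example, not part of the plugin. Assumes a Linux host with GNU
# coreutils (stat -c), getent, awk and rpm. Helper names are hypothetical.

# Print the home directory of USER. The optional second argument is a
# passwd-format line, used only to exercise the function offline.
home_dir_of() {
    user=$1
    entry=${2:-$(getent passwd "$user")}
    printf '%s\n' "$entry" | awk -F: -v u="$user" '$1 == u { print $6 }'
}

# Succeed if DIR exists, is owned by USER, and carries the owner write bit.
# This is the condition the advisory note requires for the de-privileged
# init scripts to work; it checks the mode bits, not the caller's access.
home_dir_writable_by() {
    dir=$1
    user=$2
    [ -d "$dir" ] || return 1
    ownermode=$(stat -c '%U %A' "$dir") || return 1
    owner=${ownermode%% *}
    mode=${ownermode#* }
    [ "$owner" = "$user" ] || return 1
    case $mode in
        ??w*) return 0 ;;   # third character of e.g. drwx------ is the owner write bit
        *)    return 1 ;;
    esac
}

# Read an RPM changelog on stdin; succeed if it names either CVE.
# Heuristic: assumes the vendor changelog lists the CVEs fixed (assumption).
changelog_mentions_cves() {
    grep -Eq 'CVE-2017-12172|CVE-2017-15097'
}

# Driver: returns 0 only when both conditions hold on this host.
check_postgresql_update() {
    user=${1:-postgres}
    pkg=${2:-postgresql-server}
    status=0

    if rpm -q "$pkg" >/dev/null 2>&1 &&
       rpm -q --changelog "$pkg" | changelog_mentions_cves; then
        echo "ok:   $pkg changelog lists CVE-2017-12172/CVE-2017-15097"
    else
        echo "FAIL: $pkg missing, or its changelog does not list the CVEs"
        status=1
    fi

    home=$(home_dir_of "$user")
    if [ -z "$home" ]; then
        echo "FAIL: no passwd entry for user $user"
        return 1
    fi
    if home_dir_writable_by "$home" "$user"; then
        echo "ok:   $home is owned and writable by $user"
    else
        echo "FAIL: $home is not owned and writable by $user (fix: chown $user $home; chmod u+w $home)"
        status=1
    fi
    return $status
}

# Usage: run as root on the host under review.
# check_postgresql_update postgres postgresql-server
```

Run it as root after applying the update; a non-zero exit from check_postgresql_update means either the package on the host is not the patched build (by the changelog heuristic) or the postgres home directory was relocated or re-owned in a way that will make the de-privileged init scripts fail.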

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?a2228206

Plugin Details

Severity: High

ID: 105387

File Name: sl_20171219_postgresql_on_SL7_x.nasl

Version: 3.5

Type: local

Agent: unix

Published: 2017/12/20

Modified: 2018/02/15

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.2

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS v3.0

Base Score: 6.7

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: x-cpe:/o:fermilab:scientific_linux

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 2017/12/19

Reference Information

CVE: CVE-2017-12172, CVE-2017-15097