Mandrake Linux Security Advisory : postgresql (MDKSA-2007:188)

Critical Nessus Plugin ID 26188


The remote Mandrake Linux host is missing one or more security updates.


PostgreSQL 8.1 and probably later and earlier versions, when local trust authentication is enabled and the Database Link library (dblink) is installed, allows remote attackers to access arbitrary accounts and execute arbitrary SQL queries via a dblink host parameter that proxies the connection from (CVE-2007-3278)

PostgreSQL 8.1 and probably later and earlier versions, when the PL/pgSQL (plpgsql) language has been created, grants certain plpgsql privileges to the PUBLIC domain, which allows remote attackers to create and execute functions, as demonstrated by functions that perform local brute-force password guessing attacks, which may evade intrusion detection. (CVE-2007-3279)

The Database Link library (dblink) in PostgreSQL 8.1 implements functions via CREATE statements that map to arbitrary libraries based on the C programming language, which allows remote authenticated superusers to map and execute a function from any library, as demonstrated by using the system function in to gain shell access. (CVE-2007-3280)

Updated packages fix these issues, by requiring non-superusers who use /contrib/dblink to use only password authentication.


Update the affected packages.

Plugin Details

Severity: Critical

ID: 26188

File Name: mandrake_MDKSA-2007-188.nasl

Version: $Revision: 1.13 $

Type: local

Published: 2007/09/26

Modified: 2013/06/01

Dependencies: 12634

Risk Information

Risk Factor: Critical


Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:lib64ecpg5, p-cpe:/a:mandriva:linux:lib64ecpg5-devel, p-cpe:/a:mandriva:linux:lib64pq4, p-cpe:/a:mandriva:linux:lib64pq4-devel, p-cpe:/a:mandriva:linux:lib64pq5, p-cpe:/a:mandriva:linux:lib64pq5-devel, p-cpe:/a:mandriva:linux:libecpg5, p-cpe:/a:mandriva:linux:libecpg5-devel, p-cpe:/a:mandriva:linux:libpq4, p-cpe:/a:mandriva:linux:libpq4-devel, p-cpe:/a:mandriva:linux:libpq5, p-cpe:/a:mandriva:linux:libpq5-devel, p-cpe:/a:mandriva:linux:postgresql, p-cpe:/a:mandriva:linux:postgresql-contrib, p-cpe:/a:mandriva:linux:postgresql-devel, p-cpe:/a:mandriva:linux:postgresql-docs, p-cpe:/a:mandriva:linux:postgresql-pl, p-cpe:/a:mandriva:linux:postgresql-plperl, p-cpe:/a:mandriva:linux:postgresql-plpgsql, p-cpe:/a:mandriva:linux:postgresql-plpython, p-cpe:/a:mandriva:linux:postgresql-pltcl, p-cpe:/a:mandriva:linux:postgresql-server, p-cpe:/a:mandriva:linux:postgresql-test, cpe:/o:mandriva:linux:2007, cpe:/o:mandriva:linux:2007.1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 2007/09/25

Reference Information

CVE: CVE-2007-3278, CVE-2007-3279, CVE-2007-3280

MDKSA: 2007:188

CWE: 264