Mandriva Linux Security Advisory : postgresql (MDVSA-2012:026)

medium Nessus Plugin ID 58177

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

Multiple vulnerabilities have been discovered and corrected in postgresql:

Permissions on a function called by a trigger are not properly checked (CVE-2012-0866).

SSL certificate name checks are truncated to 32 characters, allowing connection spoofing under some circumstances when using third-party certificate authorities (CVE-2012-0867).

Line breaks in object names can be exploited to execute arbitrary SQL when reloading a pg_dump file (CVE-2012-0868).

This advisory provides the latest versions of PostgreSQL, which are not vulnerable to these issues.

Solution

Update the affected packages.

See Also

http://www.postgresql.org/docs/9.0/static/release-9-0-7.html

Plugin Details

Severity: Medium

ID: 58177

File Name: mandriva_MDVSA-2012-026.nasl

Version: 1.15

Type: local

Published: 3/1/2012

Updated: 1/6/2021

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:lib64ecpg8.4_6, p-cpe:/a:mandriva:linux:lib64ecpg9.0_6, p-cpe:/a:mandriva:linux:lib64pq8.4_5, p-cpe:/a:mandriva:linux:lib64pq9.0_5, p-cpe:/a:mandriva:linux:libecpg8.4_6, p-cpe:/a:mandriva:linux:libecpg9.0_6, p-cpe:/a:mandriva:linux:libpq8.4_5, p-cpe:/a:mandriva:linux:libpq9.0_5, p-cpe:/a:mandriva:linux:postgresql8.4, p-cpe:/a:mandriva:linux:postgresql8.4-contrib, p-cpe:/a:mandriva:linux:postgresql8.4-devel, p-cpe:/a:mandriva:linux:postgresql8.4-docs, p-cpe:/a:mandriva:linux:postgresql8.4-pl, p-cpe:/a:mandriva:linux:postgresql8.4-plperl, p-cpe:/a:mandriva:linux:postgresql8.4-plpgsql, p-cpe:/a:mandriva:linux:postgresql8.4-plpython, p-cpe:/a:mandriva:linux:postgresql8.4-pltcl, p-cpe:/a:mandriva:linux:postgresql8.4-server, p-cpe:/a:mandriva:linux:postgresql9.0, p-cpe:/a:mandriva:linux:postgresql9.0-contrib, p-cpe:/a:mandriva:linux:postgresql9.0-devel, p-cpe:/a:mandriva:linux:postgresql9.0-docs, p-cpe:/a:mandriva:linux:postgresql9.0-pl, p-cpe:/a:mandriva:linux:postgresql9.0-plperl, p-cpe:/a:mandriva:linux:postgresql9.0-plpgsql, p-cpe:/a:mandriva:linux:postgresql9.0-plpython, p-cpe:/a:mandriva:linux:postgresql9.0-pltcl, p-cpe:/a:mandriva:linux:postgresql9.0-server, cpe:/o:mandriva:linux:2010.1, cpe:/o:mandriva:linux:2011

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 2/29/2012

Reference Information

CVE: CVE-2012-0866, CVE-2012-0867, CVE-2012-0868

BID: 52188

MDVSA: 2012:026