Mandriva Linux Security Advisory : postgresql (MDVSA-2013:142)

High Nessus Plugin ID 66154


The remote Mandriva Linux host is missing one or more security updates.


Multiple vulnerabilities has been discovered and corrected in postgresql :

PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticated users to cause a denial of service (server crash) or read sensitive process memory via a crafted SQL command, which triggers an array index error and an out-of-bounds read (CVE-2013-0255).

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a - (hyphen) (CVE-2013-1899).

PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the contrib/pgcrypto functions. (CVE-2013-1900).

PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions (CVE-2013-1901).

This advisory provides the latest versions of PostgreSQL that is not vulnerable to these issues.


Update the affected packages.

See Also

Plugin Details

Severity: High

ID: 66154

File Name: mandriva_MDVSA-2013-142.nasl

Version: $Revision: 1.10 $

Type: local

Published: 2013/04/20

Modified: 2015/01/14

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 8.5

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:lib64ecpg9.2_6, p-cpe:/a:mandriva:linux:lib64pq9.2_5, p-cpe:/a:mandriva:linux:postgresql9.2, p-cpe:/a:mandriva:linux:postgresql9.2-contrib, p-cpe:/a:mandriva:linux:postgresql9.2-devel, p-cpe:/a:mandriva:linux:postgresql9.2-docs, p-cpe:/a:mandriva:linux:postgresql9.2-pl, p-cpe:/a:mandriva:linux:postgresql9.2-plperl, p-cpe:/a:mandriva:linux:postgresql9.2-plpgsql, p-cpe:/a:mandriva:linux:postgresql9.2-plpython, p-cpe:/a:mandriva:linux:postgresql9.2-pltcl, p-cpe:/a:mandriva:linux:postgresql9.2-server, cpe:/o:mandriva:business_server:1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2013/04/11

Reference Information

CVE: CVE-2013-0255, CVE-2013-1899, CVE-2013-1900, CVE-2013-1901

BID: 57844, 58876, 58878, 58879

MDVSA: 2013:142