FreeBSD : PostgreSQL -- multiple privilege issues (42d42090-9a4d-11e3-b029-08002798f6ff)
Medium Nessus Plugin ID 72612
SynopsisThe remote FreeBSD host is missing one or more security-related updates.
DescriptionPostgreSQL Project reports :
This update fixes CVE-2014-0060, in which PostgreSQL did not properly enforce the WITH ADMIN OPTION permission for ROLE management. Before this fix, any member of a ROLE was able to grant others access to the same ROLE regardless if the member was given the WITH ADMIN OPTION permission. It also fixes multiple privilege escalation issues, including: CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064, CVE-2014-0065, and CVE-2014-0066. More information on these issues can be found on our security page and the security issue detail wiki page.
With this release, we are also alerting users to a known security hole that allows other users on the same machine to gain access to an operating system account while it is doing 'make check' :
CVE-2014-0067. 'Make check' is normally part of building PostgreSQL from source code. As it is not possible to fix this issue without causing significant issues to our testing infrastructure, a patch will be released separately and publicly. Until then, users are strongly advised not to run 'make check' on machines where untrusted users have accounts.
SolutionUpdate the affected packages.