
PostgreSQL 9.0 < 9.0.23 / 9.1 < 9.1.19 / 9.2 < 9.2.14 / 9.3 < 9.3.10 / 9.4 < 9.4.5 Multiple Vulnerabilities

High

Synopsis

The database running on the remote server is affected by multiple vulnerabilities.

Description

The version of PostgreSQL installed on the remote host is 9.0.x prior to 9.0.23, 9.1.x prior to 9.1.19, 9.2.x prior to 9.2.14, 9.3.x prior to 9.3.10, or 9.4.x prior to 9.4.5 and is affected by multiple vulnerabilities:

- A flaw within the 'crypt()' function included with the optional 'pgcrypto' extension could be exploited to read a few additional bytes of memory. No further details have been provided. (OSVDB 128635)

- A flaw exists that is triggered as a function is executed in an outer-subtransaction cursor. This may allow an authenticated attacker to cause a denial of service. (OSVDB 129228)

- An overflow condition exists that is triggered as user-supplied input is not properly validated when handling input related to record types, range types, json, jsonb, tsquery, ltxtquery and query_int. This may allow an authenticated attacker to cause a stack-based buffer overflow, resulting in an unspecified impact. (OSVDB 129229)

- A flaw exists that is triggered as world-readable permissions are granted to temporary files that are created during a pg_dump with tar-format output. This may allow a local attacker to gain access to sensitive information. (OSVDB 129230)

- An overflow condition exists that is triggered as user-supplied input is not properly validated when handling 'SIMILAR TO' and 'LIKE' matching regular expressions. This may allow an authenticated attacker to cause a stack overflow, resulting in a denial of service. (OSVDB 129231)

Solution

Upgrade to PostgreSQL 9.0.23 / 9.1.19 / 9.2.14 / 9.3.10 / 9.4.5, or later.
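The version ranges above, as an added check that is not part of this plugin or of PostgreSQL itself: it compares a server's reported version (the output of `SELECT version()` or `SHOW server_version`, both assumed as input formats) against the first fixed release of each affected branch. A branch not listed in the advisory is reported as not affected by this advisory, not as safe.

```python
"""Check a PostgreSQL version banner against the fixed releases in this advisory."""
import re

# Affected branch (major, minor) -> first fixed release, as stated in the advisory.
FIXED_VERSIONS = {
    (9, 0): (9, 0, 23),
    (9, 1): (9, 1, 19),
    (9, 2): (9, 2, 14),
    (9, 3): (9, 3, 10),
    (9, 4): (9, 4, 5),
}

# Accepts both "PostgreSQL 9.3.9 on x86_64-..." (SELECT version()) and "9.3.9" (SHOW server_version).
_VERSION_RE = re.compile(r"(?:PostgreSQL\s+)?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner):
    """Return (major, minor, patch) from a version banner, or None if no version is found.
    A missing patch level (e.g. a beta build) is treated as patch 0."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(banner):
    """True when the banner reports an affected 9.x branch at a release before its fix."""
    version = parse_version(banner)
    if version is None:
        return False
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return False  # branch not covered by this advisory
    return version < fixed


if __name__ == "__main__":
    # Constructed sample banners, not output from a real server.
    for sample in ("PostgreSQL 9.3.9 on x86_64-unknown-linux-gnu", "9.4.5", "9.0.22"):
        print(sample, "->", "affected" if is_affected(sample) else "not affected")
```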