PostgreSQL: Multiple vulnerabilities
1.
Gentoo Linux Security Advisory
Version Information
| Advisory Reference |
GLSA 200502-08 / postgresql |
| Release Date |
February 07, 2005 |
| Latest Revision |
June 26, 2007: 06 |
| Impact |
normal |
| Exploitable |
remote and local |
| Package |
Vulnerable versions |
Unaffected versions |
Architecture(s) |
| dev-db/postgresql |
<
7.3.10,
<
7.4.7,
<
8.0.1 |
=
7.3*,
=
7.4*,
>=
8.0.1 |
All supported architectures
|
Related bugreports:
#80342
Synopsis
PostgreSQL contains several vulnerabilities which could lead to execution
of arbitrary code, Denial of Service and security bypass.
2.
Impact Information
Background
PostgreSQL is a SQL compliant, open source object-relational database
management system.
Description
PostgreSQL's contains several vulnerabilities:
- John Heasman discovered that the LOAD extension is vulnerable to
local privilege escalation (CAN-2005-0227).
- It is possible to bypass the EXECUTE permission check for functions
(CAN-2005-0244).
- The PL/PgSQL parser is vulnerable to heap-based buffer overflow
(CAN-2005-0244).
- The intagg contrib module is vulnerable to a Denial of Service
(CAN-2005-0246).
Impact
An attacker could exploit this to execute arbitrary code with the
privileges of the PostgreSQL server, bypass security restrictions and
crash the server.
3.
Resolution Information
Workaround
There is no know workaround at this time.
Resolution
All PostgreSQL users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync
# emerge --ask --oneshot --verbose dev-db/postgresql
|
4.
References
|
