Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2020-0365)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.1.10.2020.0365

Categoría: Mageia Linux Local Security Checks

Título: Mageia: Security Advisory (MGASA-2020-0365)

Resumen: The remote host is missing an update for the 'postgresql9.6, postgresql11' package(s) announced via the MGASA-2020-0365 advisory.

Descripción: Summary:
The remote host is missing an update for the 'postgresql9.6, postgresql11' package(s) announced via the MGASA-2020-0365 advisory.

Vulnerability Insight:
It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14
did not properly sanitize the search_path during logical replication. An
authenticated attacker could use this flaw in an attack similar to
CVE-2018-1058, in order to execute arbitrary SQL command in the context of
the user used for replication. (CVE-2020-14349)

It was found that some PostgreSQL extensions did not use search_path safely
in their installation script. An attacker with sufficient privileges could
use this flaw to trick an administrator into executing a specially crafted
script, during the installation or update of such extension. This affects
PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19,
and before 9.5.23. (CVE-2020-14350)

Affected Software/OS:
'postgresql9.6, postgresql11' package(s) on Mageia 7.

Solution:
Please install the updated package(s).

CVSS Score:
4.6

CVSS Vector:
AV:N/AC:H/Au:S/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2020-14349
https://security.gentoo.org/glsa/202008-13
https://bugzilla.redhat.com/show_bug.cgi?id=1865744
SuSE Security Announcement: openSUSE-SU-2020:1228 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html
SuSE Security Announcement: openSUSE-SU-2020:1243 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html
SuSE Security Announcement: openSUSE-SU-2020:1244 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html
SuSE Security Announcement: openSUSE-SU-2020:1312 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html
SuSE Security Announcement: openSUSE-SU-2020:1326 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html
https://usn.ubuntu.com/4472-1/
Common Vulnerability Exposure (CVE) ID: CVE-2020-14350
Debian Security Information: [debian-lts-announce] 20200817 [SECURITY] [DLA 2331-1] posgresql-9.6 security update (Google Search)
https://lists.debian.org/debian-lts-announce/2020/08/msg00028.html
https://bugzilla.redhat.com/show_bug.cgi?id=1865746
SuSE Security Announcement: openSUSE-SU-2020:1227 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html

Copyright Copyright (C) 2022 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.1.10.2020.0365
Categoría:	Mageia Linux Local Security Checks
Título:	Mageia: Security Advisory (MGASA-2020-0365)
Resumen:	The remote host is missing an update for the 'postgresql9.6, postgresql11' package(s) announced via the MGASA-2020-0365 advisory.
Descripción:	Summary: The remote host is missing an update for the 'postgresql9.6, postgresql11' package(s) announced via the MGASA-2020-0365 advisory. Vulnerability Insight: It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication. (CVE-2020-14349) It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23. (CVE-2020-14350) Affected Software/OS: 'postgresql9.6, postgresql11' package(s) on Mageia 7. Solution: Please install the updated package(s). CVSS Score: 4.6 CVSS Vector: AV:N/AC:H/Au:S/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2020-14349 https://security.gentoo.org/glsa/202008-13 https://bugzilla.redhat.com/show_bug.cgi?id=1865744 SuSE Security Announcement: openSUSE-SU-2020:1228 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html SuSE Security Announcement: openSUSE-SU-2020:1243 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html SuSE Security Announcement: openSUSE-SU-2020:1244 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html SuSE Security Announcement: openSUSE-SU-2020:1312 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html SuSE Security Announcement: openSUSE-SU-2020:1326 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html https://usn.ubuntu.com/4472-1/ Common Vulnerability Exposure (CVE) ID: CVE-2020-14350 Debian Security Information: [debian-lts-announce] 20200817 [SECURITY] [DLA 2331-1] posgresql-9.6 security update (Google Search) https://lists.debian.org/debian-lts-announce/2020/08/msg00028.html https://bugzilla.redhat.com/show_bug.cgi?id=1865746 SuSE Security Announcement: openSUSE-SU-2020:1227 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html
Copyright	Copyright (C) 2022 Greenbone AG