| Description: | The remote host is missing an update to postgresql-8.1
announced via advisory DSA 1460-1.
Several local vulnerabilities have been discovered in PostgreSQL, an
object-relational SQL database. The Common Vulnerabilities and Exposures
project identifies the following problems:
CVE-2007-3278
It was discovered that the DBLink module performed insufficient
credential validation. This issue is also tracked as CVE-2007-6601,
since the initial upstream fix was incomplete.
CVE-2007-4769
Tavis Ormandy and Will Drewry discovered that a bug in the handling
of back-references inside the regular expressions engine could lead
to an out of bands read, resulting in a crash. This constitutes only
a security problem if an application using ProgreSQL processes
regular expressions from untrusted sources.
CVE-2007-4772
Tavis Ormandy and Will Drewry discovered that the optimizer for regular
expression could be tricked into an infinite loop, resulting in denial
of service. This constitutes only a security problem if an application
using ProgreSQL processes regular expressions from untrusted sources.
CVE-2007-6067
Tavis Ormandy and Will Drewry discovered that the optimizer for regular
expression could be tricked massive ressource consumption. This
constitutes only a security problem if an application using ProgreSQL
processes regular expressions from untrusted sources.
CVE-2007-6600
Functions in index expressions could lead to privilege escalation. For
a more in depth explanation please see the upstream announce available
at http://www.postgresql.org/about/news.905.
For the unstable distribution (sid), these problems have been fixed in
version 8.2.6-1 of postgresql-8.2.
For the stable distribution (etch), these problems have been fixed in version
postgresql-8.1 8.1.11-0etch1.
The old stable distribution (sarge), doesn't contain postgresql-8.1.
We recommend that you upgrade your postgresql-8.1 (8.1.11-0etch1) package.
Solution:
http://www.securityspace.com/smysecure/catid.html?in=DSA%201460-1 |
