Test ID:	1.3.6.1.4.1.25623.1.0.60182
Category:	Ubuntu Local Security Checks
Title:	Ubuntu USN-568-1 (postgresql)
Summary:	NOSUMMARY
Description:	Description: The remote host is missing an update to postgresql announced via advisory USN-568-1. A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 6.10 Ubuntu 7.04 Ubuntu 7.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. Nico Leidecker discovered that PostgreSQL did not properly restrict dblink functions. An authenticated user could exploit this flaw to access arbitrary accounts and execute arbitrary SQL queries. (CVE-2007-3278, CVE-2007-6601) It was discovered that the TCL regular expression parser used by PostgreSQL did not properly check its input. An attacker could send crafted regular expressions to PostgreSQL and cause a denial of service via resource exhaustion or database crash. (CVE-2007-4769, CVE-2007-4772, CVE-2007-6067) It was discovered that PostgreSQL executed VACUUM and ANALYZE operations within index functions with superuser privileges and also allowed SET ROLE and SET SESSION AUTHORIZATION within index functions. A remote authenticated user could exploit these flaws to gain privileges. (CVE-2007-6600) Solution: The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: postgresql-8.1 8.1.11-0ubuntu0.6.06.1 postgresql-pltcl-8.1 8.1.11-0ubuntu0.6.06.1 Ubuntu 6.10: postgresql-8.1 8.1.11-0ubuntu0.6.10.1 postgresql-pltcl-8.1 8.1.11-0ubuntu0.6.10.1 Ubuntu 7.04: postgresql-8.2 8.2.6-0ubuntu0.7.04.1 postgresql-pltcl-8.2 8.2.6-0ubuntu0.7.04.1 Ubuntu 7.10: postgresql-8.2 8.2.6-0ubuntu0.7.10.1 postgresql-pltcl-8.2 8.2.6-0ubuntu0.7.10.1 In general, a standard system upgrade is sufficient to effect the necessary changes. http://www.securityspace.com/smysecure/catid.html?in=USN-568-1 Risk factor : High CVSS Score: 7.2
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2007-3278 Bugtraq: 20070616 Having Fun With PostgreSQL (Google Search) http://www.securityfocus.com/archive/1/471541/100/0/threaded Bugtraq: 20070618 Re: Having Fun With PostgreSQL (Google Search) http://www.securityfocus.com/archive/1/471644/100/0/threaded Debian Security Information: DSA-1460 (Google Search) http://www.debian.org/security/2008/dsa-1460 Debian Security Information: DSA-1463 (Google Search) http://www.debian.org/security/2008/dsa-1463 http://security.gentoo.org/glsa/glsa-200801-15.xml HPdes Security Advisory: HPSBTU02325 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01420154 HPdes Security Advisory: SSRT080006 http://www.mandriva.com/security/advisories?name=MDKSA-2007:188 http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf http://osvdb.org/40899 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10334 http://www.redhat.com/support/errata/RHSA-2008-0038.html http://www.redhat.com/support/errata/RHSA-2008-0039.html http://www.redhat.com/support/errata/RHSA-2008-0040.html http://secunia.com/advisories/28376 http://secunia.com/advisories/28437 http://secunia.com/advisories/28438 http://secunia.com/advisories/28445 http://secunia.com/advisories/28454 http://secunia.com/advisories/28477 http://secunia.com/advisories/28479 http://secunia.com/advisories/28679 http://secunia.com/advisories/29638 http://sunsolve.sun.com/search/document.do?assetkey=1-26-103197-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-200559-1 https://usn.ubuntu.com/568-1/ http://www.vupen.com/english/advisories/2008/0109 http://www.vupen.com/english/advisories/2008/1071/references XForce ISS Database: postgresql-dblink-sql-injection(35142) https://exchange.xforce.ibmcloud.com/vulnerabilities/35142 Common Vulnerability Exposure (CVE) ID: CVE-2007-4769 BugTraq ID: 27163 http://www.securityfocus.com/bid/27163 Bugtraq: 20080107 PostgreSQL 2007-01-07 Cumulative Security Release (Google Search) http://www.securityfocus.com/archive/1/485864/100/0/threaded Bugtraq: 20080115 rPSA-2008-0016-1 postgresql postgresql-server (Google Search) http://www.securityfocus.com/archive/1/486407/100/0/threaded https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00397.html https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00469.html http://www.mandriva.com/security/advisories?name=MDVSA-2008:004 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9804 http://securitytracker.com/id?1019157 http://secunia.com/advisories/28359 http://secunia.com/advisories/28455 http://secunia.com/advisories/28464 http://secunia.com/advisories/28698 SuSE Security Announcement: SUSE-SA:2008:005 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00000.html http://www.vupen.com/english/advisories/2008/0061 XForce ISS Database: postgresql-backref-dos(39499) https://exchange.xforce.ibmcloud.com/vulnerabilities/39499 Common Vulnerability Exposure (CVE) ID: CVE-2007-4772 Bugtraq: 20080604 VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues (Google Search) http://www.securityfocus.com/archive/1/493080/100/0/threaded http://www.mandriva.com/security/advisories?name=MDVSA-2008:059 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11569 http://www.redhat.com/support/errata/RHSA-2008-0134.html RedHat Security Advisories: RHSA-2013:0122 http://rhn.redhat.com/errata/RHSA-2013-0122.html http://secunia.com/advisories/29070 http://secunia.com/advisories/29248 http://secunia.com/advisories/30535 SuSE Security Announcement: SUSE-SU-2016:0539 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00052.html SuSE Security Announcement: SUSE-SU-2016:0555 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00054.html SuSE Security Announcement: SUSE-SU-2016:0677 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00016.html SuSE Security Announcement: openSUSE-SU-2016:0531 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00049.html SuSE Security Announcement: openSUSE-SU-2016:0578 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00056.html http://www.vupen.com/english/advisories/2008/1744 XForce ISS Database: postgresql-regular-expression-dos(39497) https://exchange.xforce.ibmcloud.com/vulnerabilities/39497 Common Vulnerability Exposure (CVE) ID: CVE-2007-6067 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10235 XForce ISS Database: postgresql-complex-expression-dos(39498) https://exchange.xforce.ibmcloud.com/vulnerabilities/39498 Common Vulnerability Exposure (CVE) ID: CVE-2007-6600 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10493 XForce ISS Database: postgresql-indexfunctions-priv-escalation(39496) https://exchange.xforce.ibmcloud.com/vulnerabilities/39496 Common Vulnerability Exposure (CVE) ID: CVE-2007-6601 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11127 XForce ISS Database: postgresql-dblink-privilege-escalation(39500) https://exchange.xforce.ibmcloud.com/vulnerabilities/39500
Copyright	Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.