Vulnerability   
Search   
    Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.69194
Category:Red Hat Local Security Checks
Title:RedHat Security Advisory RHSA-2010:0908
Summary:NOSUMMARY
Description:Description:
The remote host is missing updates announced in
advisory RHSA-2010:0908.

PostgreSQL is an advanced object-relational database management system
(DBMS). PL/Perl and PL/Tcl allow users to write PostgreSQL functions in the
Perl and Tcl languages. The PostgreSQL SECURITY DEFINER parameter, which
can be used when creating a new PostgreSQL function, specifies that the
function will be executed with the privileges of the user that created it.

It was discovered that a user could utilize the features of the PL/Perl and
PL/Tcl languages to modify the behavior of a SECURITY DEFINER function
created by a different user. If the PL/Perl or PL/Tcl language was used to
implement a SECURITY DEFINER function, an authenticated database user could
use a PL/Perl or PL/Tcl script to modify the behavior of that function
during subsequent calls in the same session. This would result in the
modified or injected code also being executed with the privileges of the
user who created the SECURITY DEFINER function, possibly leading to
privilege escalation. (CVE-2010-3433)

These updated postgresql packages upgrade PostgreSQL to version 8.4.5.
Refer to the PostgreSQL Release Notes for a list of changes:

http://www.postgresql.org/docs/8.4/static/release.html

All PostgreSQL users are advised to upgrade to these updated packages,
which correct this issue. If the postgresql service is running, it will be
automatically restarted after installing this update.

Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date

http://rhn.redhat.com/errata/RHSA-2010-0908.html
http://www.redhat.com/security/updates/classification/#moderate
http://www.postgresql.org/docs/8.1/interactive/sql-createfunction.html
http://www.postgresql.org/docs/8.4/static/release.html

Risk factor : High

CVSS Score:
6.0

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2010-3433
BugTraq ID: 43747
http://www.securityfocus.com/bid/43747
Debian Security Information: DSA-2120 (Google Search)
http://www.debian.org/security/2010/dsa-2120
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049591.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049592.html
HPdes Security Advisory: HPSBMU02781
http://marc.info/?l=bugtraq&m=134124585221119&w=2
HPdes Security Advisory: SSRT100617
http://www.mandriva.com/security/advisories?name=MDVSA-2010:197
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7291
http://www.redhat.com/support/errata/RHSA-2010-0742.html
http://www.redhat.com/support/errata/RHSA-2010-0908.html
http://secunia.com/advisories/42325
SuSE Security Announcement: SUSE-SR:2010:019 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00006.html
SuSE Security Announcement: SUSE-SR:2010:020 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html
http://www.ubuntu.com/usn/USN-1002-1
http://www.ubuntu.com/usn/USN-1002-2
http://www.vupen.com/english/advisories/2010/3051
CopyrightCopyright (c) 2011 E-Soft Inc. http://www.securityspace.com

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2021 E-Soft Inc. All rights reserved.