 |
Home ▼ Bookkeeping
Online ▼ Security
Audits ▼
Managed
DNS ▼
About
Order
FAQ
Acceptable Use Policy
Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password Network
Monitor ▼
Enterprise Package
Advanced Package
Standard Package
Free Trial
FAQ
Price/Feature Summary
Order/Renew
Examples
Configure/Status Alert Profiles | ||
| Test ID: | 1.3.6.1.4.1.25623.1.0.69194 |
| Category: | Red Hat Local Security Checks |
| Title: | RedHat Security Advisory RHSA-2010:0908 |
| Summary: | NOSUMMARY |
| Description: | Description: The remote host is missing updates announced in advisory RHSA-2010:0908. PostgreSQL is an advanced object-relational database management system (DBMS). PL/Perl and PL/Tcl allow users to write PostgreSQL functions in the Perl and Tcl languages. The PostgreSQL SECURITY DEFINER parameter, which can be used when creating a new PostgreSQL function, specifies that the function will be executed with the privileges of the user that created it. It was discovered that a user could utilize the features of the PL/Perl and PL/Tcl languages to modify the behavior of a SECURITY DEFINER function created by a different user. If the PL/Perl or PL/Tcl language was used to implement a SECURITY DEFINER function, an authenticated database user could use a PL/Perl or PL/Tcl script to modify the behavior of that function during subsequent calls in the same session. This would result in the modified or injected code also being executed with the privileges of the user who created the SECURITY DEFINER function, possibly leading to privilege escalation. (CVE-2010-3433) These updated postgresql packages upgrade PostgreSQL to version 8.4.5. Refer to the PostgreSQL Release Notes for a list of changes: http://www.postgresql.org/docs/8.4/static/release.html All PostgreSQL users are advised to upgrade to these updated packages, which correct this issue. If the postgresql service is running, it will be automatically restarted after installing this update. Solution: Please note that this update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date http://rhn.redhat.com/errata/RHSA-2010-0908.html http://www.redhat.com/security/updates/classification/#moderate http://www.postgresql.org/docs/8.1/interactive/sql-createfunction.html http://www.postgresql.org/docs/8.4/static/release.html Risk factor : High CVSS Score: 6.0 |
| Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2010-3433 42325 http://secunia.com/advisories/42325 43747 http://www.securityfocus.com/bid/43747 ADV-2010-3051 http://www.vupen.com/english/advisories/2010/3051 DSA-2120 http://www.debian.org/security/2010/dsa-2120 FEDORA-2010-15954 http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049591.html FEDORA-2010-15960 http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049592.html HPSBMU02781 http://marc.info/?l=bugtraq&m=134124585221119&w=2 MDVSA-2010:197 http://www.mandriva.com/security/advisories?name=MDVSA-2010:197 RHSA-2010:0742 http://www.redhat.com/support/errata/RHSA-2010-0742.html RHSA-2010:0908 http://www.redhat.com/support/errata/RHSA-2010-0908.html SSRT100617 SUSE-SR:2010:019 http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00006.html SUSE-SR:2010:020 http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html USN-1002-1 http://www.ubuntu.com/usn/USN-1002-1 USN-1002-2 http://www.ubuntu.com/usn/USN-1002-2 http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 http://www.postgresql.org/about/news.1244 http://www.postgresql.org/docs/9.0/static/release-9-0-1.html https://bugzilla.redhat.com/show_bug.cgi?id=639371 oval:org.mitre.oval:def:7291 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7291 |
| Copyright | Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com |
| This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below. |