English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 145615 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.880656
Category:CentOS Local Security Checks
Title:CentOS Update for postgresql CESA-2010:0429 centos5 i386
Summary:The remote host is missing an update for the 'postgresql'; package(s) announced via the referenced advisory.
Description:Summary:
The remote host is missing an update for the 'postgresql'
package(s) announced via the referenced advisory.

Vulnerability Insight:
PostgreSQL is an advanced object-relational database management system
(DBMS). PL/Perl and PL/Tcl allow users to write PostgreSQL functions in the
Perl and Tcl languages, and are installed in trusted mode by default. In
trusted mode, certain operations, such as operating system level access,
are restricted.

A flaw was found in the way PostgreSQL enforced permission checks on
scripts written in PL/Perl. If the PL/Perl procedural language was
registered on a particular database, an authenticated database user running
a specially-crafted PL/Perl script could use this flaw to bypass intended
PL/Perl trusted mode restrictions, allowing them to run arbitrary Perl
scripts with the privileges of the database server. (CVE-2010-1169)

Red Hat would like to thank Tim Bunce for responsibly reporting the
CVE-2010-1169 flaw.

A flaw was found in the way PostgreSQL enforced permission checks on
scripts written in PL/Tcl. If the PL/Tcl procedural language was registered
on a particular database, an authenticated database user running a
specially-crafted PL/Tcl script could use this flaw to bypass intended
PL/Tcl trusted mode restrictions, allowing them to run arbitrary Tcl
scripts with the privileges of the database server. (CVE-2010-1170)

A buffer overflow flaw was found in the way PostgreSQL retrieved a
substring from the bit string for BIT() and BIT VARYING() SQL data types.
An authenticated database user running a specially-crafted SQL query could
use this flaw to cause a temporary denial of service (postgres daemon
crash) or, potentially, execute arbitrary code with the privileges of the
database server. (CVE-2010-0442)

An integer overflow flaw was found in the way PostgreSQL used to calculate
the size of the hash table for joined relations. An authenticated database
user could create a specially-crafted SQL query which could cause a
temporary denial of service (postgres daemon crash) or, potentially,
execute arbitrary code with the privileges of the database server.
(CVE-2010-0733)

PostgreSQL improperly protected session-local state during the execution of
an index function by a database superuser during the database maintenance
operations. An authenticated database user could use this flaw to elevate
their privileges via specially-crafted index functions. (CVE-2009-4136)

These packages upgrade PostgreSQL to version 8.1.21.

Description truncated, please see the referenced URL(s) for more information.

Affected Software/OS:
postgresql on CentOS 5

Solution:
Please install the updated packages.

CVSS Score:
8.5

CVSS Vector:
AV:N/AC:M/Au:S/C:C/I:C/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2009-4136
1023326
http://www.securitytracker.com/id?1023326
20100307 rPSA-2010-0012-1 postgresql postgresql-contrib postgresql-server
http://www.securityfocus.com/archive/1/509917/100/0/threaded
37333
http://www.securityfocus.com/bid/37333
37663
http://secunia.com/advisories/37663
39820
http://secunia.com/advisories/39820
61039
http://osvdb.org/61039
ADV-2009-3519
http://www.vupen.com/english/advisories/2009/3519
ADV-2010-1197
http://www.vupen.com/english/advisories/2010/1197
FEDORA-2009-13363
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01035.html
FEDORA-2009-13381
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01056.html
HPSBMU02781
http://marc.info/?l=bugtraq&m=134124585221119&w=2
MDVSA-2009:333
http://www.mandriva.com/security/advisories?name=MDVSA-2009:333
RHSA-2010:0427
http://www.redhat.com/support/errata/RHSA-2010-0427.html
RHSA-2010:0428
http://www.redhat.com/support/errata/RHSA-2010-0428.html
RHSA-2010:0429
http://www.redhat.com/support/errata/RHSA-2010-0429.html
SSRT100617
SUSE-SR:2010:001
http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html
http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0012
http://www.postgresql.org/docs/current/static/release-7-4-27.html
http://www.postgresql.org/docs/current/static/release-8-0-23.html
http://www.postgresql.org/docs/current/static/release-8-1-19.html
http://www.postgresql.org/docs/current/static/release-8-2-15.html
http://www.postgresql.org/docs/current/static/release-8-3-9.html
http://www.postgresql.org/docs/current/static/release-8-4-2.html
http://www.postgresql.org/support/security.html
https://bugzilla.redhat.com/show_bug.cgi?id=546321
oval:org.mitre.oval:def:9358
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9358
Common Vulnerability Exposure (CVE) ID: CVE-2010-0442
1023510
http://securitytracker.com/id?1023510
37973
http://www.securityfocus.com/bid/37973
39566
http://secunia.com/advisories/39566
39939
http://secunia.com/advisories/39939
ADV-2010-1022
http://www.vupen.com/english/advisories/2010/1022
ADV-2010-1207
http://www.vupen.com/english/advisories/2010/1207
ADV-2010-1221
http://www.vupen.com/english/advisories/2010/1221
DSA-2051
http://www.debian.org/security/2010/dsa-2051
MDVSA-2010:103
http://www.mandriva.com/security/advisories?name=MDVSA-2010:103
USN-933-1
http://ubuntu.com/usn/usn-933-1
[oss-security] 20100127 Re: CVE id request: postgresql bitsubstr overflow
http://www.openwall.com/lists/oss-security/2010/01/27/5
[pgsql-committers] 20100107 pgsql: Make bit/varbit substring() treat any negative length as meaning
http://archives.postgresql.org/pgsql-committers/2010-01/msg00125.php
[pgsql-hackers] 20100107 Re: Patch: Allow substring/replace() to get/set bit values
http://archives.postgresql.org/pgsql-hackers/2010-01/msg00634.php
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567058
http://git.postgresql.org/gitweb?p=postgresql.git%3Ba=commit%3Bh=75dea10196c31d98d98c0bafeeb576ae99c09b12
http://git.postgresql.org/gitweb?p=postgresql.git%3Ba=commit%3Bh=b15087cb39ca9e4bde3c8920fcee3741045d2b83
http://intevydis.blogspot.com/2010/01/postgresql-8023-bitsubstr-overflow.html
https://bugzilla.redhat.com/show_bug.cgi?id=559194
https://bugzilla.redhat.com/show_bug.cgi?id=559259
oval:org.mitre.oval:def:9720
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9720
postgresql-substring-bo(55902)
https://exchange.xforce.ibmcloud.com/vulnerabilities/55902
Common Vulnerability Exposure (CVE) ID: CVE-2010-0733
38619
http://www.securityfocus.com/bid/38619
SUSE-SR:2010:014
http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
[oss-security] 20100309 CVE Request: postgresql integer overflow in hash table size calculation
http://www.openwall.com/lists/oss-security/2010/03/09/2
[oss-security] 20100316 Re: CVE Request: postgresql integer overflow in hash table size calculation
http://www.openwall.com/lists/oss-security/2010/03/16/10
[pgsql-bugs] 20091028 BUG #5145: Complex query with lots of LEFT JOIN causes segfault
http://archives.postgresql.org/pgsql-bugs/2009-10/msg00277.php
[pgsql-bugs] 20091029 Re: BUG #5145: Complex query with lots of LEFT JOIN causes segfault
http://archives.postgresql.org/pgsql-bugs/2009-10/msg00287.php
http://archives.postgresql.org/pgsql-bugs/2009-10/msg00289.php
[pgsql-bugs] 20091030 Re: BUG #5145: Complex query with lots of LEFT JOIN causes segfault
http://archives.postgresql.org/pgsql-bugs/2009-10/msg00310.php
http://git.postgresql.org/gitweb?p=postgresql.git%3Ba=commit%3Bh=64b057e6823655fb6c5d1f24a28f236b94dd6c54
https://bugzilla.redhat.com/show_bug.cgi?id=546621
oval:org.mitre.oval:def:10691
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10691
Common Vulnerability Exposure (CVE) ID: CVE-2010-1169
1023988
http://www.securitytracker.com/id?1023988
39815
http://secunia.com/advisories/39815
39845
http://secunia.com/advisories/39845
39898
http://secunia.com/advisories/39898
40215
http://www.securityfocus.com/bid/40215
64755
http://osvdb.org/64755
ADV-2010-1167
http://www.vupen.com/english/advisories/2010/1167
ADV-2010-1182
http://www.vupen.com/english/advisories/2010/1182
ADV-2010-1198
http://www.vupen.com/english/advisories/2010/1198
FEDORA-2010-8696
http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041559.html
FEDORA-2010-8715
http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041579.html
FEDORA-2010-8723
http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041591.html
RHSA-2010:0430
http://www.redhat.com/support/errata/RHSA-2010-0430.html
[oss-security] 20100520 CVE-2010-1974 reject request (dupe of CVE-2010-1168) and CVE-2010-1447 description modification request
http://www.openwall.com/lists/oss-security/2010/05/20/5
http://www.postgresql.org/about/news.1203
http://www.postgresql.org/docs/current/static/release-7-4-29.html
http://www.postgresql.org/docs/current/static/release-8-0-25.html
http://www.postgresql.org/docs/current/static/release-8-1-21.html
http://www.postgresql.org/docs/current/static/release-8-2-17.html
http://www.postgresql.org/docs/current/static/release-8-3-11.html
http://www.postgresql.org/docs/current/static/release-8-4-4.html
http://www.postgresql.org/support/security
https://bugzilla.redhat.com/show_bug.cgi?id=582615
https://bugzilla.redhat.com/show_bug.cgi?id=588269
oval:org.mitre.oval:def:10645
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10645
postgresql-safe-code-execution(58693)
https://exchange.xforce.ibmcloud.com/vulnerabilities/58693
Common Vulnerability Exposure (CVE) ID: CVE-2010-1170
1023987
http://www.securitytracker.com/id?1023987
64757
http://osvdb.org/64757
https://bugzilla.redhat.com/show_bug.cgi?id=583072
oval:org.mitre.oval:def:10510
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10510
CopyrightCopyright (C) 2011 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.



© 1998-2025 E-Soft Inc. All rights reserved.