[USN-2120-1] PostgreSQL vulnerabilities
Posted on 24 February 2014
============================================================================
Ubuntu Security Notice USN-2120-1
February 24, 2014
postgresql-8.4, postgresql-9.1 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in PostgreSQL.
Software Description:
- postgresql-9.1: Object-relational SQL database
- postgresql-8.4: Object-relational SQL database
Details:
Noah Misch and Jonas Sundman discovered that PostgreSQL did not correctly
enforce ADMIN OPTION restrictions. An authenticated attacker could use this
issue to possibly revoke access from others, contrary to expected
permissions. (CVE-2014-0060)
Andres Freund discovered that PostgreSQL incorrectly handled validator
functions. An authenticated attacker could possibly use this issue to
escalate their privileges. (CVE-2014-0061)
Andres Freund discovered that PostgreSQL incorrectly handled concurrent
CREATE INDEX statements. An authenticated attacker could possibly use this
issue to obtain access to restricted data, bypassing intended privileges.
(CVE-2014-0062)
Daniel Schüssler discovered that PostgreSQL incorrectly handled datetime
input. An authenticated attacker could possibly use this issue to cause
PostgreSQL to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2014-0063)
It was discovered that PostgreSQL incorrectly handled certain size
calculations. An authenticated attacker could possibly use this issue to
cause PostgreSQL to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2014-0064)
Peter Eisentraut and Jozef Mlich discovered that PostgreSQL incorrectly
handled certain buffer sizes. An authenticated attacker could possibly use
this issue to cause PostgreSQL to crash, resulting in a denial of service,
or possibly execute arbitrary code. (CVE-2014-0065)
Honza Horak discovered that PostgreSQL incorrectly used the crypt() library
function. This issue could possibly cause PostgreSQL to crash, resulting in
a denial of service. (CVE-2014-0066)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.10:
  postgresql-9.1 9.1.12-0ubuntu0.13.10
Ubuntu 12.10:
  postgresql-9.1 9.1.12-0ubuntu0.12.10
Ubuntu 12.04 LTS:
  postgresql-9.1 9.1.12-0ubuntu0.12.04
Ubuntu 10.04 LTS:
  postgresql-8.4 8.4.20-0ubuntu010.04
This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
References:
http://www.ubuntu.com/usn/usn-2120-1
CVE-2014-0060, CVE-2014-0061, CVE-2014-0062, CVE-2014-0063,
CVE-2014-0064, CVE-2014-0065, CVE-2014-0066
Package Information:
https://launchpad.net/ubuntu/+source/postgresql-9.1/9.1.12-0ubuntu0.13.10
https://launchpad.net/ubuntu/+source/postgresql-9.1/9.1.12-0ubuntu0.12.10
https://launchpad.net/ubuntu/+source/postgresql-9.1/9.1.12-0ubuntu0.12.04
https://launchpad.net/ubuntu/+source/postgresql-8.4/8.4.20-0ubuntu010.04