postgresql: multiple vulnerabilities

Package(s): postgresql
CVE #(s): CVE-2012-0866 CVE-2012-0867 CVE-2012-0868
Created: February 27, 2012
Updated: September 28, 2012
Description: From the Debian advisory:

CVE-2012-0866: It was discovered that the permissions of a function called by a trigger are not checked. This could result in privilege escalation.

CVE-2012-0867: It was discovered that only the first 32 characters of a host name are checked when validating host names through SSL certificates. This could result in spoofing the connection in limited circumstances.

CVE-2012-0868: It was discovered that pg_dump did not sanitise object names. This could result in arbitrary SQL command execution if a malformed dump file is opened.

See the PostgreSQL 9.1.3, 9.0.7, 8.4.11 and 8.3.18 update announcement for more information.

Alerts:
Debian DSA-2418-1 2012-02-27
Ubuntu USN-1378-1 2012-02-28
Mandriva MDVSA-2012:027 2012-02-29
Mandriva MDVSA-2012:026 2012-02-29
Fedora FEDORA-2012-2591 2012-03-08
Fedora FEDORA-2012-2589 2012-03-08
openSUSE openSUSE-SU-2012:0480-1 2012-04-11
Red Hat RHSA-2012:0677-01 2012-05-21
Red Hat RHSA-2012:0678-01 2012-05-21
CentOS CESA-2012:0677 2012-05-21
CentOS CESA-2012:0678 2012-05-21
CentOS CESA-2012:0678 2012-05-21
Scientific Linux SL-post-20120522 2012-05-22
Scientific Linux SL-post-20120522 2012-05-22
Oracle ELSA-2012-0678 2012-05-22
Oracle ELSA-2012-0678 2012-05-22
Oracle ELSA-2012-0677 2012-05-22
Oracle ELSA-2012-1037 2012-06-26
Oracle ELSA-2012-1037 2012-06-30
Oracle ELSA-2012-1263 2012-09-14
Gentoo 201209-24 2012-09-28

Copyright © 2013, Eklektix, Inc.