GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Thu May 10, 2007 7:26 pm Post subject: [ GLSA 200705-12 ] PostgreSQL: Privilege escalation |
 |
|
Gentoo Linux Security Advisory
Title: PostgreSQL: Privilege escalation (GLSA 200705-12)
Severity: normal
Exploitable: remote
Date: May 10, 2007
Updated: May 28, 2009
Bug(s): #175791
ID: 200705-12
Synopsis
PostgreSQL contains a vulnerability that could result in SQL privilege escalation.
Background
PostgreSQL is an open source object-relational database management system.
Affected Packages
Package: dev-db/postgresql
Vulnerable: < 8.0.13
Unaffected: >= 8.0.13
Unaffected: >= 7.4.17 < 7.4.18
Unaffected: >= 7.3.19 < 7.3.20
Unaffected: >= 7.3.21 < 7.3.22
Unaffected: >= 7.4.19 < 7.4.20
Architectures: All supported architectures
Description
An error involving insecure search_path settings in the SECURITY DEFINER functions has been reported in PostgreSQL.
Impact
If allowed to call a SECURITY DEFINER function, an attacker could gain the SQL privileges of the owner of the called function.
Workaround
There is no known workaround at this time.
Resolution
All PostgreSQL users should upgrade to the latest version and fix their SECURITY DEFINER functions: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose "dev-db/postgresql" |
In order to fix the SECURITY DEFINER functions, PostgreSQL users are advised to refer to the PostgreSQL documentation: http://www.postgresql.org/docs/techdocs.77
References
CVE-2007-2138
Last edited by GLSA on Fri May 29, 2009 4:17 am; edited 1 time in total |
|
News & Announcements
