Rapid7 VulnDB

RHSA-2012:1263: postgresql and postgresql84 security update


Severity: 5
CVSS: (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Published: 09/13/2012
Created: 07/25/2018
Added: 09/17/2012
Modified: 07/04/2017

Description

PostgreSQL is an advanced object-relational database management system (DBMS).

It was found that the optional PostgreSQL xml2 contrib module allowed local files and remote URLs to be read and written to with the privileges of the database server when parsing Extensible Stylesheet Language Transformations (XSLT). An unprivileged database user could use this flaw to read and write to local files (such as the database's configuration files) and remote URLs they would otherwise not have access to by issuing a specially-crafted SQL query. (CVE-2012-3488)

It was found that the "xml" data type allowed local files and remote URLs to be read with the privileges of the database server to resolve DTD and entity references in the provided XML. An unprivileged database user could use this flaw to read local files they would otherwise not have access to by issuing a specially-crafted SQL query. Note that the full contents of the files were not returned, but portions could be displayed to the user via error messages. (CVE-2012-3489)

Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Peter Eisentraut as the original reporter of CVE-2012-3488, and Noah Misch as the original reporter of CVE-2012-3489.

These updated packages upgrade PostgreSQL to version 8.4.13. Refer to the PostgreSQL Release Notes for a list of changes: http://www.postgresql.org/docs/8.4/static/release-8-4-13.html

All PostgreSQL users are advised to upgrade to these updated packages, which correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update.
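An audit query a DBA can run in each database of a cluster to see whether the server is still below the fixed 8.4.13 and whether the optional xml2 contrib module is installed there. This is an added example, not part of the Red Hat advisory; the pgxml shared-library name and the xslt_process function name are assumptions taken from the contrib module itself, not from the advisory text.

```sql
-- Constructed audit query (not from the advisory); run as a superuser.
-- 1. Is this server still below the fixed release 8.4.13?
--    server_version_num encodes the version numerically: 8.4.12 -> 80412,
--    8.4.13 -> 80413, so anything below 80413 still carries both CVEs.
SELECT current_setting('server_version')                  AS server_version,
       current_setting('server_version_num')::int          AS server_version_num,
       current_setting('server_version_num')::int < 80413  AS below_fixed_release;

-- 2. Is the optional xml2 contrib module loaded in the current database?
--    In 8.4 it is installed per database by running pgxml.sql, which registers
--    C functions (xslt_process, xml_parse, xpath_table, ...) backed by the
--    $libdir/pgxml shared library (library/function names are assumptions).
--    Any row returned means the XSLT file read/write issue (CVE-2012-3488)
--    is reachable here until the packages are updated; the "xml" data type
--    issue (CVE-2012-3489) is built in and is covered by the version check.
SELECT n.nspname AS schema_name,
       p.proname AS function_name,
       p.probin  AS shared_library
FROM   pg_proc      p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.probin LIKE '%pgxml%'
ORDER  BY 1, 2;
```

Because the module is registered per database rather than per cluster, the second query has to be repeated in every database, not just the one you happen to be connected to.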

Solution(s)

  • redhat-upgrade-postgresql
  • redhat-upgrade-postgresql-contrib
  • redhat-upgrade-postgresql-debuginfo
  • redhat-upgrade-postgresql-devel
  • redhat-upgrade-postgresql-docs
  • redhat-upgrade-postgresql-libs
  • redhat-upgrade-postgresql-plperl
  • redhat-upgrade-postgresql-plpython
  • redhat-upgrade-postgresql-pltcl
  • redhat-upgrade-postgresql-server
  • redhat-upgrade-postgresql-test
  • redhat-upgrade-postgresql84
  • redhat-upgrade-postgresql84-contrib
  • redhat-upgrade-postgresql84-debuginfo
  • redhat-upgrade-postgresql84-devel
  • redhat-upgrade-postgresql84-docs
  • redhat-upgrade-postgresql84-libs
  • redhat-upgrade-postgresql84-plperl
  • redhat-upgrade-postgresql84-plpython
  • redhat-upgrade-postgresql84-pltcl
  • redhat-upgrade-postgresql84-python
  • redhat-upgrade-postgresql84-server
  • redhat-upgrade-postgresql84-tcl
  • redhat-upgrade-postgresql84-test

