Multiple vulnerabilities in postgresql < 9.1.9 allow data loss or information disclosure
Several vulnerabilities were discovered in the PostgreSQL database server.
CVE-2013-1899
Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center discovered that it was possible for a connection request containing a database name that begins with “-” to be crafted that can damage or destroy files within a server’s data directory. Anyone with access to the port the PostgreSQL server listens on can initiate this request.
CVE-2013-1900
Random numbers generated by contrib/pgcrypto functions may be easy for another database user to guess.
CVE-2013-1901
An unprivileged user could run commands that could interfere with in-progress backups.
(from redmine: issue id 1761, created on 2013-04-05, closed on 2013-04-12)
- Relations:
  - parent #1760 (closed)
- Changesets:
  - Revision 81bd8610 by Natanael Copa on 2013-04-11T13:31:16Z:
    main/postgresql: security upgrade to 9.1.9 (CVE-2013-1899,CVE-2013-1900,CVE-2013-1901)
    fixes #1761