Debian Security Advisory
DSA-2658-1 postgresql-9.1 -- several vulnerabilities
- Date Reported:
- 04 Apr 2013
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 704479.
In Mitre's CVE dictionary: CVE-2013-1899, CVE-2013-1900, CVE-2013-1901.
- More information:
Several vulnerabilities were discovered in PostgreSQL database server.
Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center discovered that it was possible for a connection request containing a database name that begins with
-to be crafted that can damage or destroy files within a server's data directory. Anyone with access to the port the PostgreSQL server listens on can initiate this request.
Random numbers generated by contrib/pgcrypto functions may be easy for another database user to guess.
An unprivileged user could run commands that could interfere with in-progress backups.
For the testing distribution (wheezy), these problems have been fixed in version 9.1.9-0wheezy1.
For the unstable distribution (sid), these problems have been fixed in version 9.1.9-1.
We recommend that you upgrade your postgresql-9.1 packages.