blob: 64d6fd8a3029464ab1445947f28a54fdf1025c07 [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200502-08">
<title>PostgreSQL: Multiple vulnerabilities</title>
PostgreSQL contains several vulnerabilities which could lead to execution
of arbitrary code, Denial of Service and security bypass.
<product type="ebuild">postgresql</product>
<announced>February 07, 2005</announced>
<revised>June 26, 2007: 06</revised>
<access>remote and local</access>
<package name="dev-db/postgresql" auto="yes" arch="*">
<unaffected range="eq">7.3*</unaffected>
<unaffected range="eq">7.4*</unaffected>
<unaffected range="ge">8.0.1</unaffected>
<vulnerable range="lt">7.3.10</vulnerable>
<vulnerable range="lt">7.4.7</vulnerable>
<vulnerable range="lt">8.0.1</vulnerable>
PostgreSQL is a SQL compliant, open source object-relational database
management system.
PostgreSQL's contains several vulnerabilities:
<li>John Heasman discovered that the LOAD extension is vulnerable to
local privilege escalation (CAN-2005-0227).</li>
<li>It is possible to bypass the EXECUTE permission check for functions
<li>The PL/PgSQL parser is vulnerable to heap-based buffer overflow
<li>The intagg contrib module is vulnerable to a Denial of Service
<impact type="normal">
An attacker could exploit this to execute arbitrary code with the
privileges of the PostgreSQL server, bypass security restrictions and
crash the server.
There is no know workaround at this time.
All PostgreSQL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose dev-db/postgresql</code>
<uri link="">PostgreSQL Announcement</uri>
<uri link="">CAN-2005-0227</uri>
<uri link="">CAN-2005-0244</uri>
<uri link="">CAN-2005-0245</uri>
<uri link="">CAN-2005-0246</uri>
<metadata tag="requester" timestamp="Wed, 2 Feb 2005 18:15:02 +0000">
<metadata tag="submitter" timestamp="Wed, 2 Feb 2005 18:50:22 +0000">
<metadata tag="bugReady" timestamp="Sun, 6 Feb 2005 17:27:47 +0000">