Gentoo update for PostgreSQL
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 15 |
| CVE-ID | CVE-2009-0922 CVE-2009-3229 CVE-2009-3230 CVE-2009-3231 CVE-2009-4034 CVE-2009-4136 CVE-2010-0442 CVE-2010-0733 CVE-2010-1169 CVE-2010-1170 CVE-2010-1447 CVE-2010-1975 CVE-2010-3433 CVE-2010-4015 CVE-2011-2483 |
| CWE-ID | CWE-399 CWE-20 CWE-264 CWE-287 CWE-310 CWE-94 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #7 is available. Public exploit code for vulnerability #8 is available. |
| Vulnerable software |
Gentoo Linux Operating systems & Components / Operating system dev-db/postgresql-server Operating systems & Components / Operating system package or component dev-db/postgresql Operating systems & Components / Operating system package or component |
| Vendor | Gentoo |
Security Bulletin
This security bulletin contains information about 15 vulnerabilities.
1) Resource management error
EUVDB-ID: #VU111778
Risk: Low
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2009-0922
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: Yes
DescriptionThe vulnerability allows a remote user to perform service disruption.
PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using mismatched encoding conversion requests. Per: https://bugzilla.redhat.com/show_bug.cgi?id=488156 "PostgreSQL allows remote authenticated users to cause a momentary denial of service (crash due to stack consumption) when there is a failure to convert a localized error message to the client-specified encoding. In releases 8.3.6, 8.2.12, 8.1.16. 8.0.20, and 7.4.24, a trivial misconfiguration is sufficient to provoke a crash. In older releases it is necessary to select a locale and client encoding for which specific messages fail to translate, and so a given installation may or may not be vulnerable depending on the administrator-determined locale setting. Releases 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 are secure against all known variants of this issue."
MitigationUpdate the affected packages.
dev-db/postgresql to version: 9.0.5
dev-db/postgresql-server to version: 9.0.5
dev-db/postgresql-base to version:
Gentoo Linux: All versions
dev-db/postgresql-server: before 9.0.5
dev-db/postgresql: before 9.0.5
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql-server:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201110-22
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Input validation error
EUVDB-ID: #VU111777
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2009-3229
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform service disruption.
The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, and 8.2 before 8.2.14 allows remote authenticated users to cause a denial of service (backend shutdown) by "re-LOAD-ing" libraries from a certain plugins directory.
MitigationUpdate the affected packages.
dev-db/postgresql to version: 9.0.5
dev-db/postgresql-server to version: 9.0.5
dev-db/postgresql-base to version:
Gentoo Linux: All versions
dev-db/postgresql-server: before 9.0.5
dev-db/postgresql: before 9.0.5
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql-server:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201110-22
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU111776
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2009-3230
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to read and manipulate data.
The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and 7.4 before 7.4.26 does not use the appropriate privileges for the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, which allows remote authenticated users to gain privileges. NOTE: this is due to an incomplete fix for CVE-2007-6600.
MitigationUpdate the affected packages.
dev-db/postgresql to version: 9.0.5
dev-db/postgresql-server to version: 9.0.5
dev-db/postgresql-base to version:
Gentoo Linux: All versions
dev-db/postgresql-server: before 9.0.5
dev-db/postgresql: before 9.0.5
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql-server:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201110-22
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper Authentication
EUVDB-ID: #VU111775
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2009-3231
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password.
MitigationUpdate the affected packages.
dev-db/postgresql to version: 9.0.5
dev-db/postgresql-server to version: 9.0.5
dev-db/postgresql-base to version:
Gentoo Linux: All versions
dev-db/postgresql-server: before 9.0.5
dev-db/postgresql: before 9.0.5
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql-server:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201110-22
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Cryptographic issues
EUVDB-ID: #VU111774
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2009-4034
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate or delete data.
PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly handle a '�' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based PostgreSQL servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended client-hostname restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
MitigationUpdate the affected packages.
dev-db/postgresql to version: 9.0.5
dev-db/postgresql-server to version: 9.0.5
dev-db/postgresql-base to version:
Gentoo Linux: All versions
dev-db/postgresql-server: before 9.0.5
dev-db/postgresql: before 9.0.5
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql-server:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201110-22
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Input validation error
EUVDB-ID: #VU111773
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2009-4136
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to read and manipulate data.
PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly manage session-local state during execution of an index function by a database superuser, which allows remote authenticated users to gain privileges via a table with crafted index functions, as demonstrated by functions that modify (1) search_path or (2) a prepared statement, a related issue to CVE-2007-6600 and CVE-2009-3230.
MitigationUpdate the affected packages.
dev-db/postgresql to version: 9.0.5
dev-db/postgresql-server to version: 9.0.5
dev-db/postgresql-base to version:
Gentoo Linux: All versions
dev-db/postgresql-server: before 9.0.5
dev-db/postgresql: before 9.0.5
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql-server:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201110-22
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Input validation error
EUVDB-ID: #VU111772
Risk: Medium
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2010-0442
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote user to read and manipulate data.
The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow."
MitigationUpdate the affected packages.
dev-db/postgresql to version: 9.0.5
dev-db/postgresql-server to version: 9.0.5
dev-db/postgresql-base to version:
Gentoo Linux: All versions
dev-db/postgresql-server: before 9.0.5
dev-db/postgresql: before 9.0.5
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql-server:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201110-22
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
8) Input validation error
EUVDB-ID: #VU111771
Risk: Low
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2010-0733
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote user to perform service disruption.
Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2, allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with many LEFT JOIN clauses, related to certain hashtable size calculations.
MitigationUpdate the affected packages.
dev-db/postgresql to version: 9.0.5
dev-db/postgresql-server to version: 9.0.5
dev-db/postgresql-base to version:
Gentoo Linux: All versions
dev-db/postgresql-server: before 9.0.5
dev-db/postgresql: before 9.0.5
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql-server:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201110-22
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
9) Code Injection
EUVDB-ID: #VU111770
Risk: High
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-1169
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code.
PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedures, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Perl code via a crafted script, related to the Safe module (aka Safe.pm) for Perl. NOTE: some sources report that this issue is the same as CVE-2010-1447.
MitigationUpdate the affected packages.
dev-db/postgresql to version: 9.0.5
dev-db/postgresql-server to version: 9.0.5
dev-db/postgresql-base to version:
Gentoo Linux: All versions
dev-db/postgresql-server: before 9.0.5
dev-db/postgresql: before 9.0.5
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql-server:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201110-22
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU111769
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2010-1170
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to read and manipulate data.
The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 loads Tcl code from the pltcl_modules table regardless of the table's ownership and permissions, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Tcl code by creating this table and inserting a crafted Tcl script.
MitigationUpdate the affected packages.
dev-db/postgresql to version: 9.0.5
dev-db/postgresql-server to version: 9.0.5
dev-db/postgresql-base to version:
Gentoo Linux: All versions
dev-db/postgresql-server: before 9.0.5
dev-db/postgresql: before 9.0.5
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql-server:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201110-22
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU111768
Risk: High
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-1447
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code.
The Safe (aka Safe.pm) module 2.26, and certain earlier versions, for Perl, as used in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2, allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving subroutine references and delayed execution.
MitigationUpdate the affected packages.
dev-db/postgresql to version: 9.0.5
dev-db/postgresql-server to version: 9.0.5
dev-db/postgresql-base to version:
Gentoo Linux: All versions
dev-db/postgresql-server: before 9.0.5
dev-db/postgresql: before 9.0.5
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql-server:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201110-22
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU111767
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2010-1975
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to read and manipulate data.
PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not properly check privileges during certain RESET ALL operations, which allows remote authenticated users to remove arbitrary parameter settings via a (1) ALTER USER or (2) ALTER DATABASE statement.
MitigationUpdate the affected packages.
dev-db/postgresql to version: 9.0.5
dev-db/postgresql-server to version: 9.0.5
dev-db/postgresql-base to version:
Gentoo Linux: All versions
dev-db/postgresql-server: before 9.0.5
dev-db/postgresql: before 9.0.5
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql-server:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201110-22
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU111766
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2010-3433
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to read and manipulate data.
The PL/perl and PL/Tcl implementations in PostgreSQL 7.4 before 7.4.30, 8.0 before 8.0.26, 8.1 before 8.1.22, 8.2 before 8.2.18, 8.3 before 8.3.12, 8.4 before 8.4.5, and 9.0 before 9.0.1 do not properly protect script execution by a different SQL user identity within the same session, which allows remote authenticated users to gain privileges via crafted script code in a SECURITY DEFINER function, as demonstrated by (1) redefining standard functions or (2) redefining operators, a different vulnerability than CVE-2010-1168, CVE-2010-1169, CVE-2010-1170, and CVE-2010-1447.
MitigationUpdate the affected packages.
dev-db/postgresql to version: 9.0.5
dev-db/postgresql-server to version: 9.0.5
dev-db/postgresql-base to version:
Gentoo Linux: All versions
dev-db/postgresql-server: before 9.0.5
dev-db/postgresql: before 9.0.5
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql-server:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201110-22
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Input validation error
EUVDB-ID: #VU45396
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2010-4015
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to read and manipulate data.
Buffer overflow in the gettoken function in contrib/intarray/_int_bool.c in the intarray array module in PostgreSQL 9.0.x before 9.0.3, 8.4.x before 8.4.7, 8.3.x before 8.3.14, and 8.2.x before 8.2.20 allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via integers with a large number of digits to unspecified functions.
MitigationUpdate the affected packages.
dev-db/postgresql to version: 9.0.5
dev-db/postgresql-server to version: 9.0.5
dev-db/postgresql-base to version:
Gentoo Linux: All versions
dev-db/postgresql-server: before 9.0.5
dev-db/postgresql: before 9.0.5
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql-server:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201110-22
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Cryptographic issues
EUVDB-ID: #VU110278
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-2483
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.
MitigationUpdate the affected packages.
dev-db/postgresql to version: 9.0.5
dev-db/postgresql-server to version: 9.0.5
dev-db/postgresql-base to version:
Gentoo Linux: All versions
dev-db/postgresql-server: before 9.0.5
dev-db/postgresql: before 9.0.5
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql-server:*:*:*:*:*:gentoo_linux:*:*
- cpe:2.3:a:gentoo:dev-db_postgresql:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/201110-22
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
