Input validation error in PostgreSQL - CVE-2013-1900

Detailed vulnerability description

The vulnerability allows a remote #AU# to execute arbitrary code.

PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the "contrib/pgcrypto functions." Per http://www.ubuntu.com/usn/USN-1789-1/ "A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.10 Ubuntu 12.04 LTS Ubuntu 11.10 Ubuntu 10.04 LTS Ubuntu 8.04 LTS"

How to mitigate CVE-2013-1900

Sources

• http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
• http://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html
• http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html
• http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html
• http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html
• http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html
• http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html
• http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html
• http://rhn.redhat.com/errata/RHSA-2013-1475.html
• http://support.apple.com/kb/HT5880
• http://support.apple.com/kb/HT5892
• http://www.debian.org/security/2013/dsa-2657
• http://www.debian.org/security/2013/dsa-2658
• http://www.mandriva.com/security/advisories?name=MDVSA-2013:142
• http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
• http://www.postgresql.org/about/news/1456/
• http://www.postgresql.org/docs/current/static/release-8-4-17.html
• http://www.postgresql.org/docs/current/static/release-9-0-13.html
• http://www.postgresql.org/docs/current/static/release-9-1-9.html
• http://www.postgresql.org/docs/current/static/release-9-2-4.html
• http://www.ubuntu.com/usn/USN-1789-1