
PostgreSQL update fixes serious vulnerability

A security update has been released for all current versions of PostgreSQL, including 9.2.4, 9.1.9, 9.0.13 and 8.4.17. This update fixes a particularly dangerous vulnerability in versions 9.0 and newer. All users are strongly advised to upgrade.

The main security issue fixed in this version, CVE-2013-1899, allows an attacker to damage or destroy some files in the server's directory by sending a database connection request with a name beginning with "-". Anyone who has access to a PostgreSQL port can send such a request.

Two less serious vulnerabilities have also been fixed in this version: CVE-2013-1900, in which random numbers generated by the contrib/pgcrypto functions can be easily predicted by a user of another database, and CVE-2013-1901, in which an unprivileged user could influence the process of creating backup copies of the database.

Updates have already been released for Debian Wheezy and Ubuntu.
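
A patch-level check built from the fixed releases listed in this announcement, as an added example that is not part of the original post or of PostgreSQL itself. The host names and reported version strings are constructed; the strings are assumed to come from `SELECT version()` or a package inventory.

```python
import re

# Fixed minor release per branch, taken from the announcement above.
FIXED = {(9, 2): 4, (9, 1): 9, (9, 0): 13, (8, 4): 17}
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Return (major, minor, patch) from '9.1.8' or a full version() banner."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def assess(text):
    """Return (status, exposed_to_cve_2013_1899) for one reported version.

    exposed is None when the branch is not one of the four listed above,
    because the announcement gives no fixed release to compare against.
    """
    major, minor, patch = parse_version(text)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "branch-not-listed", None
    if patch >= fixed_patch:
        return "patched", False
    # Below the fixed release; CVE-2013-1899 applies to 9.0 and newer only.
    return "needs-update", (major, minor) >= (9, 0)

def triage(inventory):
    """Hosts to upgrade, those exposed to CVE-2013-1899 first."""
    pending = []
    for host, reported in inventory.items():
        status, exposed = assess(reported)
        if status == "needs-update":
            pending.append((host, exposed))
    return sorted(pending, key=lambda item: (not item[1], item[0]))

# Constructed inventory: hypothetical host names and version strings.
INVENTORY = {
    "db-a": "PostgreSQL 9.1.8 on x86_64-unknown-linux-gnu, compiled by gcc",
    "db-b": "9.2.4",
    "db-c": "8.4.16",
    "db-d": "9.0.12",
    "db-e": "8.3.23",
}

if __name__ == "__main__":
    for host, exposed in triage(INVENTORY):
        print(host, "upgrade now (CVE-2013-1899)" if exposed else "upgrade")
```

Branches that the announcement does not list are reported as "branch-not-listed" rather than guessed at, so they need a separate check against the vendor's support status.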
PostgreSQL news: http://www.postgresql.org/about/news/1456/
News on Linux.Org.Ru: http://www.linux.org.ru/news/security/9032736

Source: https://habr.com/ru/post/175525/

