Free and open-source vulnerability scanner

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.

Install Now

Available for macOS, Windows, and Linux

App screenshot

Mandriva Update for postgresql MDVSA-2012:139 (postgresql)

Information

Severity

Severity

Medium

Family

Family

Mandrake Local Security Checks

CVSSv2 Base

CVSSv2 Base

4.9

CVSSv2 Vector

CVSSv2 Vector

AV:N/AC:M/Au:S/C:P/I:P/A:N

Solution Type

Solution Type

Vendor Patch

Created

Created

11 years ago

Modified

Modified

5 years ago

Summary

The remote host is missing an update for the 'postgresql' package(s) announced via the referenced advisory.

Insight

Insight

Multiple vulnerabilities has been discovered and corrected in postgresql: Prevent access to external files/URLs via contrib/xml2's xslt_process() (Peter Eisentraut). libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options (CVE-2012-3488). Also, remove xslt_process()'s ability to fetch documents and stylesheets from external files/URLs. While this was a documented feature, it was long regarded as a bad idea. The fix for CVE-2012-3489 broke that capability, and rather than expend effort on trying to fix it, we're just going to summarily remove it. Prevent access to external files/URLs via XML entity references (Noah Misch, Tom Lane). xml_parse() would attempt to fetch external files or URLs as needed to resolve DTD and entity references in an XML value, thus allowing unprivileged database users to attempt to fetch data with the privileges of the database server. While the external data wouldn't get returned directly to the user, portions of it could be exposed in error messages if the data didn't parse as valid XML. And in any case the mere ability to check existence of a file might be useful to an attacker (CVE-2012-3489). This advisory provides the latest versions of PostgreSQL that is not vulnerable to these issues.

Affected Software

Affected Software

postgresql on Mandriva Linux 2011.0, Mandriva Enterprise Server 5.2

Solution

Solution

Please Install the Updated Packages.

Common Vulnerabilities and Exposures (CVE)