Test ID:1.3.6.1.4.1.25623.1.0.702865
Category:Debian Local Security Checks
Title:Debian Security Advisory DSA 2865-1 (postgresql-9.1 - several vulnerabilities)
Summary:
Various vulnerabilities were discovered in PostgreSQL:

CVE-2014-0060 Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)

Granting a role without ADMIN OPTION is supposed to prevent the grantee
from adding or removing members from the granted role, but this
restriction was easily bypassed by doing SET ROLE first. The security
impact is mostly that a role member can revoke the access of others,
contrary to the wishes of his grantor. Unapproved role member additions
are a lesser concern, since an uncooperative role member could provide
most of his rights to others anyway by creating views or SECURITY
DEFINER functions.

Description truncated. Please see the references for more information.

Affected Software/OS:
postgresql-9.1 on Debian Linux

Solution:
For the stable distribution (wheezy), these problems have been fixed in
version 9.1_9.1.12-0wheezy1.

For the unstable distribution (sid), these problems have been fixed in
version 9.3.3-1 of the postgresql-9.3 package.

We recommend that you upgrade your postgresql-9.1 packages.

CVSS Score:
6.5

CVSS Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2014-0060
http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
Debian Security Information: DSA-2864
http://www.debian.org/security/2014/dsa-2864
Debian Security Information: DSA-2865
http://www.debian.org/security/2014/dsa-2865
RedHat Security Advisories: RHSA-2014:0211
http://rhn.redhat.com/errata/RHSA-2014-0211.html
RedHat Security Advisories: RHSA-2014:0221
http://rhn.redhat.com/errata/RHSA-2014-0221.html
RedHat Security Advisories: RHSA-2014:0249
http://rhn.redhat.com/errata/RHSA-2014-0249.html
RedHat Security Advisories: RHSA-2014:0469
http://rhn.redhat.com/errata/RHSA-2014-0469.html
http://secunia.com/advisories/61307
SuSE Security Announcement: openSUSE-SU-2014:0345
http://lists.opensuse.org/opensuse-updates/2014-03/msg00018.html
SuSE Security Announcement: openSUSE-SU-2014:0368
http://lists.opensuse.org/opensuse-updates/2014-03/msg00038.html
http://www.ubuntu.com/usn/USN-2120-1
Common Vulnerability Exposure (CVE) ID: CVE-2014-0061
Common Vulnerability Exposure (CVE) ID: CVE-2014-0062
BugTraq ID: 65727
http://www.securityfocus.com/bid/65727
Common Vulnerability Exposure (CVE) ID: CVE-2014-0063
BugTraq ID: 65719
http://www.securityfocus.com/bid/65719
Common Vulnerability Exposure (CVE) ID: CVE-2014-0064
BugTraq ID: 65725
http://www.securityfocus.com/bid/65725
Common Vulnerability Exposure (CVE) ID: CVE-2014-0065
BugTraq ID: 65731
http://www.securityfocus.com/bid/65731
Common Vulnerability Exposure (CVE) ID: CVE-2014-0066
Common Vulnerability Exposure (CVE) ID: CVE-2014-0067
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html
BugTraq ID: 65721
http://www.securityfocus.com/bid/65721
Copyright:Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net

© 1998-2024 E-Soft Inc. All rights reserved.