Test ID:	1.3.6.1.4.1.25623.1.0.60178
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DSA-1460-1)
Summary:	The remote host is missing an update for the Debian 'postgresql-8.1' package(s) announced via the DSA-1460-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'postgresql-8.1' package(s) announced via the DSA-1460-1 advisory. Vulnerability Insight: Several local vulnerabilities have been discovered in PostgreSQL, an object-relational SQL database. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-3278 It was discovered that the DBLink module performed insufficient credential validation. This issue is also tracked as CVE-2007-6601, since the initial upstream fix was incomplete. CVE-2007-4769 Tavis Ormandy and Will Drewry discovered that a bug in the handling of back-references inside the regular expressions engine could lead to an out of bounds read, resulting in a crash. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources. CVE-2007-4772 Tavis Ormandy and Will Drewry discovered that the optimizer for regular expression could be tricked into an infinite loop, resulting in denial of service. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources. CVE-2007-6067 Tavis Ormandy and Will Drewry discovered that the optimizer for regular expression could be tricked massive resource consumption. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources. CVE-2007-6600 Functions in index expressions could lead to privilege escalation. For a more in depth explanation please see the upstream announce available at [link moved to references]. The old stable distribution (sarge), doesn't contain postgresql-8.1. For the stable distribution (etch), these problems have been fixed in version postgresql-8.1 8.1.11-0etch1. For the unstable distribution (sid), these problems have been fixed in version 8.2.6-1 of postgresql-8.2. We recommend that you upgrade your postgresql-8.1 (8.1.11-0etch1) package. Affected Software/OS: 'postgresql-8.1' package(s) on Debian 4. Solution: Please install the updated package(s). CVSS Score: 7.2 CVSS Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2007-3278 Bugtraq: 20070616 Having Fun With PostgreSQL (Google Search) http://www.securityfocus.com/archive/1/471541/100/0/threaded Bugtraq: 20070618 Re: Having Fun With PostgreSQL (Google Search) http://www.securityfocus.com/archive/1/471644/100/0/threaded Debian Security Information: DSA-1460 (Google Search) http://www.debian.org/security/2008/dsa-1460 Debian Security Information: DSA-1463 (Google Search) http://www.debian.org/security/2008/dsa-1463 http://security.gentoo.org/glsa/glsa-200801-15.xml HPdes Security Advisory: HPSBTU02325 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01420154 HPdes Security Advisory: SSRT080006 http://www.mandriva.com/security/advisories?name=MDKSA-2007:188 http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf http://osvdb.org/40899 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10334 http://www.redhat.com/support/errata/RHSA-2008-0038.html http://www.redhat.com/support/errata/RHSA-2008-0039.html http://www.redhat.com/support/errata/RHSA-2008-0040.html http://secunia.com/advisories/28376 http://secunia.com/advisories/28437 http://secunia.com/advisories/28438 http://secunia.com/advisories/28445 http://secunia.com/advisories/28454 http://secunia.com/advisories/28477 http://secunia.com/advisories/28479 http://secunia.com/advisories/28679 http://secunia.com/advisories/29638 http://sunsolve.sun.com/search/document.do?assetkey=1-26-103197-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-200559-1 https://usn.ubuntu.com/568-1/ http://www.vupen.com/english/advisories/2008/0109 http://www.vupen.com/english/advisories/2008/1071/references XForce ISS Database: postgresql-dblink-sql-injection(35142) https://exchange.xforce.ibmcloud.com/vulnerabilities/35142 Common Vulnerability Exposure (CVE) ID: CVE-2007-4769 BugTraq ID: 27163 http://www.securityfocus.com/bid/27163 Bugtraq: 20080107 PostgreSQL 2007-01-07 Cumulative Security Release (Google Search) http://www.securityfocus.com/archive/1/485864/100/0/threaded Bugtraq: 20080115 rPSA-2008-0016-1 postgresql postgresql-server (Google Search) http://www.securityfocus.com/archive/1/486407/100/0/threaded https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00397.html https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00469.html http://www.mandriva.com/security/advisories?name=MDVSA-2008:004 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9804 http://securitytracker.com/id?1019157 http://secunia.com/advisories/28359 http://secunia.com/advisories/28455 http://secunia.com/advisories/28464 http://secunia.com/advisories/28698 SuSE Security Announcement: SUSE-SA:2008:005 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00000.html http://www.vupen.com/english/advisories/2008/0061 XForce ISS Database: postgresql-backref-dos(39499) https://exchange.xforce.ibmcloud.com/vulnerabilities/39499 Common Vulnerability Exposure (CVE) ID: CVE-2007-4772 Bugtraq: 20080604 VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues (Google Search) http://www.securityfocus.com/archive/1/493080/100/0/threaded http://www.mandriva.com/security/advisories?name=MDVSA-2008:059 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11569 http://www.redhat.com/support/errata/RHSA-2008-0134.html RedHat Security Advisories: RHSA-2013:0122 http://rhn.redhat.com/errata/RHSA-2013-0122.html http://secunia.com/advisories/29070 http://secunia.com/advisories/29248 http://secunia.com/advisories/30535 SuSE Security Announcement: SUSE-SU-2016:0539 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00052.html SuSE Security Announcement: SUSE-SU-2016:0555 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00054.html SuSE Security Announcement: SUSE-SU-2016:0677 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00016.html SuSE Security Announcement: openSUSE-SU-2016:0531 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00049.html SuSE Security Announcement: openSUSE-SU-2016:0578 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00056.html http://www.vupen.com/english/advisories/2008/1744 XForce ISS Database: postgresql-regular-expression-dos(39497) https://exchange.xforce.ibmcloud.com/vulnerabilities/39497 Common Vulnerability Exposure (CVE) ID: CVE-2007-6067 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10235 XForce ISS Database: postgresql-complex-expression-dos(39498) https://exchange.xforce.ibmcloud.com/vulnerabilities/39498 Common Vulnerability Exposure (CVE) ID: CVE-2007-6600 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10493 XForce ISS Database: postgresql-indexfunctions-priv-escalation(39496) https://exchange.xforce.ibmcloud.com/vulnerabilities/39496 Common Vulnerability Exposure (CVE) ID: CVE-2007-6601 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11127 XForce ISS Database: postgresql-dblink-privilege-escalation(39500) https://exchange.xforce.ibmcloud.com/vulnerabilities/39500
Copyright	Copyright (C) 2008 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.