SB2013040404 - Multiple vulnerabilities in PostgreSQL

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2013-1902)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

PostgreSQL, 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 generates insecure temporary files with predictable filenames, which has unspecified impact and attack vectors related to "graphical installers for Linux and Mac OS X."

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-1903)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

PostgreSQL, possibly 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 incorrectly provides the superuser password to scripts related to "graphical installers for Linux and Mac OS X," which has unspecified impact and attack vectors.

Remediation

Install update from vendor's website.

References

• http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
• http://www.postgresql.org/about/news/1456/
• http://www.postgresql.org/support/security/