Debian DSA-1087-1 : postgresql - programming error

high Nessus Plugin ID 22629

Synopsis

The remote Debian host is missing a security-related update.

Description

Several encoding problems have been discovered in PostgreSQL, a popular SQL database. The Common Vulnerabilities and Exposures project identifies the following problems :

- CVE-2006-2313 Akio Ishida and Yasuo Ohgaki discovered a weakness in the handling of invalidly-encoded multibyte text data which could allow an attacker to inject arbitrary SQL commands.

- CVE-2006-2314 A similar problem exists in client-side encodings (such as SJIS, BIG5, GBK, GB18030, and UHC) which contain valid multibyte characters that end with the backslash character. An attacker could supply a specially crafted byte sequence that is able to inject arbitrary SQL commands.

This issue does not affect you if you only use single-byte (like SQL_ASCII or the ISO-8859-X family) or unaffected multibyte (like UTF-8) encodings.

psycopg and python-pgsql use the old encoding for binary data and may have to be updated.

The old stable distribution (woody) is affected by these problems but we're unable to correct the package.

Solution

Upgrade the postgresql packages.

For the stable distribution (sarge) these problems have been fixed in version 7.4.7-6sarge2.

See Also

https://security-tracker.debian.org/tracker/CVE-2006-2313

https://security-tracker.debian.org/tracker/CVE-2006-2314

http://www.debian.org/security/2006/dsa-1087

Plugin Details

Severity: High

ID: 22629

File Name: debian_DSA-1087.nasl

Version: 1.16

Type: local

Agent: unix

Published: 10/14/2006

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:postgresql, cpe:/o:debian:debian_linux:3.1

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 6/3/2006

Vulnerability Publication Date: 5/22/2006

Reference Information

CVE: CVE-2006-2313, CVE-2006-2314

DSA: 1087