Detections
Analytics
Debian DLA-19-1 : postgresql-8.4 update
medium Nessus Plugin ID 82167
Language:
Synopsis
The remote Debian host is missing a security update.Description
New upstream minor release. Users should upgrade to this version at their next scheduled maintenance window.Noteworthy change :
Secure Unix-domain sockets of temporary postmasters started during make check (Noah Misch)
Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted in CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp.
8.4.22 marks the end of life of the PostgreSQL 8.4 branch. No further releases will be made by the PostgreSQL Global Development Group.
Users of PostgreSQL 8.4 should look into upgrading to a newer PostgreSQL release. Options are :
- Upgrading to Debian 7 (Wheezy), providing postgresql-9.1.
- The use of the apt.postgresql.org repository, providing packages for all active PostgreSQL branches (9.0 up to 9.4 at the time of writing).
See https://wiki.postgresql.org/wiki/Apt for more information about the repository.
A helper script to activate the repository is provided in /usr/share/doc/postgresql-8.4/examples/apt.postgresql.or g.sh.
- An LTS version of 8.4 is in planning that will cover the lifetime of squeeze-lts. Updates will probably made on a best-effort basis. Users can take advantage of this, but should still consider upgrading to newer PostgreSQL versions over the next months.
NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Solution
Upgrade the affected packages.See Also
https://lists.debian.org/debian-lts-announce/2014/07/msg00008.html
https://packages.debian.org/source/squeeze-lts/postgresql-8.4
Plugin Details
Severity: Medium
ID: 82167
File Name: debian_DLA-19.nasl
Version: 1.6
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 3/26/2015
Updated: 1/11/2021
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: Medium
Base Score: 4.6
Temporal Score: 3.4
Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:postgresql-contrib-8.4, p-cpe:/a:debian:debian_linux:postgresql-plpython-8.4, p-cpe:/a:debian:debian_linux:postgresql-plperl-8.4, p-cpe:/a:debian:debian_linux:libpq5, p-cpe:/a:debian:debian_linux:postgresql-8.4, p-cpe:/a:debian:debian_linux:postgresql-doc-8.4, p-cpe:/a:debian:debian_linux:postgresql-server-dev-8.4, p-cpe:/a:debian:debian_linux:postgresql-doc, p-cpe:/a:debian:debian_linux:postgresql-client, cpe:/o:debian:debian_linux:6.0, p-cpe:/a:debian:debian_linux:libpq-dev, p-cpe:/a:debian:debian_linux:libpgtypes3, p-cpe:/a:debian:debian_linux:libecpg-compat3, p-cpe:/a:debian:debian_linux:libecpg6, p-cpe:/a:debian:debian_linux:libecpg-dev, p-cpe:/a:debian:debian_linux:postgresql-pltcl-8.4, p-cpe:/a:debian:debian_linux:postgresql, p-cpe:/a:debian:debian_linux:postgresql-client-8.4, p-cpe:/a:debian:debian_linux:postgresql-contrib
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Ease: No known exploits are available
Patch Publication Date: 7/29/2014
Reference Information
CVE: CVE-2014-0067
BID: 65721