MGASA-2016-0289

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2016-0289.html

Import Source

https://advisories.mageia.org/MGASA-2016-0289.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2016-0289

Related

Published

2016-08-31T15:32:33Z

Modified

2016-08-31T15:21:09Z

Summary

Updated postgresql packages fix security vulnerability

Details

It was discovered that certain SQL statements containing CASE/WHEN commands could crash the PostgreSQL server, or disclose a few bytes of server memory, potentially leading to arbitrary code execution (CVE-2016-5423).

It was found that PostgreSQL client programs mishandle database and role names containing newlines, carriage returns, double quotes, or backslashes. By crafting such an object name, roles with the CREATEDB or CREATEROLE option could escalate their privileges to root when a root user next executes maintenance with a vulnerable program. Vulnerable programs include pgdumpall, pgupgrade, vacuumdb, reindexdb, and clusterdb (CVE-2016-5424).

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:5 / postgresql9.3

Package

Name: postgresql9.3
Purl: pkg:rpm/mageia/postgresql9.3?distro=mageia-5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.3.14-1.mga5

Ecosystem specific

{
    "section": "core"
}

Mageia:5 / postgresql9.4

Package

Name: postgresql9.4
Purl: pkg:rpm/mageia/postgresql9.4?distro=mageia-5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.4.9-1.mga5

Ecosystem specific

{
    "section": "core"
}