[SECURITY] [DLA-1271-1] postgresql-9.1 security update

2018-02-0719:28:02

lists.debian.org

3.3 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:P/A:N

7 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

7.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.9%

JSON

Package : postgresql-9.1
Version : 9.1.24lts2-0+deb7u2
CVE ID : CVE-2018-1053

A vulnerabilities has been found in the PostgreSQL database system:

CVE-2018-1053

Tom Lane discovered that pg_upgrade, a tool used to upgrade
PostgreSQL database clusters, creates temporary files containing
password hashes that are world-readable.

For Debian 7 "Wheezy", this problem has been fixed in version
9.1.24lts2-0+deb7u2.

We recommend that you upgrade your postgresql-9.1 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature

OSVersionArchitecturePackageVersionFilename
Debian9i386postgresql-pltcl-9.6< 9.6.7-0+deb9u1postgresql-pltcl-9.6_9.6.7-0+deb9u1_i386.deb
Debian9mips64ellibpq-dev< 9.6.7-0+deb9u1libpq-dev_9.6.7-0+deb9u1_mips64el.deb
Debian9amd64postgresql-pltcl-9.6< 9.6.7-0+deb9u1postgresql-pltcl-9.6_9.6.7-0+deb9u1_amd64.deb
Debian9ppc64ellibpq5< 9.6.7-0+deb9u1libpq5_9.6.7-0+deb9u1_ppc64el.deb
Debian9mipselpostgresql-pltcl-9.6< 9.6.7-0+deb9u1postgresql-pltcl-9.6_9.6.7-0+deb9u1_mipsel.deb
Debian9mipspostgresql-server-dev-9.6< 9.6.7-0+deb9u1postgresql-server-dev-9.6_9.6.7-0+deb9u1_mips.deb
Debian9arm64libpgtypes3< 9.6.7-0+deb9u1libpgtypes3_9.6.7-0+deb9u1_arm64.deb
Debian9allpostgresql-9.6< 9.6.7-0+deb9u1postgresql-9.6_9.6.7-0+deb9u1_all.deb
Debian8armelpostgresql-contrib-9.4< 9.4.16-0+deb8u1postgresql-contrib-9.4_9.4.16-0+deb8u1_armel.deb
Debian8armhfpostgresql-9.4-dbg< 9.4.16-0+deb8u1postgresql-9.4-dbg_9.4.16-0+deb8u1_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	i386	postgresql-pltcl-9.6	< 9.6.7-0+deb9u1	postgresql-pltcl-9.6_9.6.7-0+deb9u1_i386.deb
Debian	9	mips64el	libpq-dev	< 9.6.7-0+deb9u1	libpq-dev_9.6.7-0+deb9u1_mips64el.deb
Debian	9	amd64	postgresql-pltcl-9.6	< 9.6.7-0+deb9u1	postgresql-pltcl-9.6_9.6.7-0+deb9u1_amd64.deb
Debian	9	ppc64el	libpq5	< 9.6.7-0+deb9u1	libpq5_9.6.7-0+deb9u1_ppc64el.deb
Debian	9	mipsel	postgresql-pltcl-9.6	< 9.6.7-0+deb9u1	postgresql-pltcl-9.6_9.6.7-0+deb9u1_mipsel.deb
Debian	9	mips	postgresql-server-dev-9.6	< 9.6.7-0+deb9u1	postgresql-server-dev-9.6_9.6.7-0+deb9u1_mips.deb
Debian	9	arm64	libpgtypes3	< 9.6.7-0+deb9u1	libpgtypes3_9.6.7-0+deb9u1_arm64.deb
Debian	9	all	postgresql-9.6	< 9.6.7-0+deb9u1	postgresql-9.6_9.6.7-0+deb9u1_all.deb
Debian	8	armel	postgresql-contrib-9.4	< 9.4.16-0+deb8u1	postgresql-contrib-9.4_9.4.16-0+deb8u1_armel.deb
Debian	8	armhf	postgresql-9.4-dbg	< 9.4.16-0+deb8u1	postgresql-9.4-dbg_9.4.16-0+deb8u1_armhf.deb