Postgresql Patches Critical Vulnerability

Published: 2013-04-04
Last Updated: 2013-04-05 13:38:20 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

The Postgresql team announced earlier today the release of patches for its popular open source database. The description of the vulnerability sounds quite scary. An attacker may cause corruption to the database, or if the attacker is able to log in, the attacker may then escalate privileges and in some cases execute arbitrary code.

The vulnerability is triggered by connecting to the database and specifying a database name that starts with a "-". This database does not have to exist for the vulnerability to be triggered. The database name starting with a "-" is then parsed as a command line argument and can be used to corrupt the database. 

There was some controversy about how the bug was handled by the postgresql team. But overall, they appear to have done a good job in patching this quickly. For the last few days, the postgresql source code repository was not viewable to prevent an early release of the vulnerability.

Of course, nobody should allow direct connections to the database from the Internet, but this bug may be exploitable after for example compromising a web server with a postgresql backend (a simple SQL injection is probably not enough, but other exploits that modify the database connect string could be used).

So in short: patch 

References:

http://seclists.org/bugtraq/2013/Apr/26
http://www.postgresql.org/support/security/faq/2013-04-04/

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: postgresql
2 comment(s)

Microsoft April Patch Tuesday Advance Notification

Published: 2013-04-04
Last Updated: 2013-04-04 22:56:41 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Microsoft is expecting to release a total of 9 bulletins, 2 of which are critical, and the rest important. One of the critical bulletins affects Windows and Internet Explorer, so we expect the usual Internet Explorer cumulative patch, maybe fixing some of the "pwn2own" vulnerabilities discovered during CanSecWest.

Otherwise it is a lot of "the usual" with Windows, Office and "Server Software" (Sharepoint and Groove) patches. The one that sticks out a bit is the bulletin fixing "Security Software". It will patch a vulnerability in Windows Defender on Windows 8 and RT. 

So overall an average patch Tuesday. 

http://technet.microsoft.com/en-us/security/bulletin/ms13-apr

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: advance notification microsoft patch tuesday
0 comment(s)
April 2013 OUCH! - Protecting Your Kids Online http://www.securingthehuman.org/resources/newsletters/ouch/2013#april2013
ISC StormCast for Thursday, April 4th 2013 http://isc.sans.edu/podcastdetail.html?id=3226

Comments

Login here to join the discussion.


Diary Archives