Postgresql Patches Critical Vulnerability
The Postgresql team announced earlier today the release of patches for its popular open source database. The description of the vulnerability sounds quite scary. An attacker may cause corruption to the database, or if the attacker is able to log in, the attacker may then escalate privileges and in some cases execute arbitrary code.
The vulnerability is triggered by connecting to the database and specifying a database name that starts with a "-". This database does not have to exist for the vulnerability to be triggered. The database name starting with a "-" is then parsed as a command line argument and can be used to corrupt the database.
There was some controversy about how the bug was handled by the postgresql team. But overall, they appear to have done a good job in patching this quickly. For the last few days, the postgresql source code repository was not viewable to prevent an early release of the vulnerability.
Of course, nobody should allow direct connections to the database from the Internet, but this bug may become exploitable after, for example, compromising a web server with a PostgreSQL backend (a simple SQL injection is probably not enough, but other exploits that modify the database connect string could be used).
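Since the trigger is simply a database name that begins with "-", one defensive check an application can make while it still has a chance to catch a tampered connect string is to validate the dbname before handing it to the driver. The following Python is an added example written for this diary, not PostgreSQL or libpq code; it parses both postgres:// URIs and libpq-style key=value strings, rejects any dbname starting with "-", and (as this example's own policy, stricter than what PostgreSQL itself allows) only accepts plain identifier-style names. It is a belt-and-braces check for the case described above and does not replace the patch.

```python
import re
from urllib.parse import urlparse, unquote

# Example policy (not a PostgreSQL rule): accept only identifier-style names.
_DBNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_libpq_params(conninfo):
    """Parse a libpq key=value connect string into a dict.

    Values may be bare (no whitespace) or single-quoted with backslash
    escapes, which is the libpq quoting convention.
    """
    params = {}
    pattern = r"(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|(\S+))"
    for m in re.finditer(pattern, conninfo):
        key = m.group(1)
        if m.group(2) is not None:
            value = re.sub(r"\\(.)", r"\1", m.group(2))  # unescape \' and \\
        else:
            value = m.group(3)
        params[key] = value
    return params


def dbname_from_connect_string(conninfo):
    """Extract the database name from a URI or key=value connect string."""
    if conninfo.startswith(("postgres://", "postgresql://")):
        url = urlparse(conninfo)
        # In a libpq URI the database is the first path component.
        return unquote(url.path.lstrip("/")) if url.path else ""
    return parse_libpq_params(conninfo).get("dbname", "")


def is_safe_dbname(name):
    """True only for a non-empty identifier-style name not starting with '-'."""
    if not name or name.startswith("-"):
        return False
    return bool(_DBNAME_RE.match(name))


def check_connect_string(conninfo):
    """Return (ok, reason) for a connect string about to be used by an app.

    A dbname beginning with '-' is the exact shape the advisory warns about:
    the unpatched server parses it as a command-line option.
    """
    name = dbname_from_connect_string(conninfo)
    if not name:
        return False, "no dbname present"
    if name.startswith("-"):
        return False, "dbname starts with '-' (parsed as a server option on unpatched servers)"
    if not is_safe_dbname(name):
        return False, "dbname is not a plain identifier"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample connect strings; no real hosts or credentials.
    samples = [
        "host=db.internal dbname=app user=web",
        "host=db.internal dbname=-r user=web",
        "host=db.internal dbname='-x' user=web",
        "postgresql://web@db.internal/-r",
        "postgresql://web@db.internal/app",
        "host=db.internal user=web",
    ]
    for s in samples:
        print(check_connect_string(s), "<-", s)
```

Run the check wherever the connect string is assembled from configuration or from anything an attacker on the web tier could influence; a rejection there is worth logging as a security event rather than a plain connection failure.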
So in short: patch
References:
http://seclists.org/bugtraq/2013/Apr/26
http://www.postgresql.org/support/security/faq/2013-04-04/
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Microsoft April Patch Tuesday Advance Notification
Microsoft is expecting to release a total of 9 bulletins, 2 of which are critical, and the rest important. One of the critical bulletins affects Windows and Internet Explorer, so we expect the usual Internet Explorer cumulative patch, maybe fixing some of the "pwn2own" vulnerabilities discovered during CanSecWest.
Otherwise it is a lot of "the usual" with Windows, Office and "Server Software" (SharePoint and Groove) patches. The one that sticks out a bit is the bulletin fixing "Security Software". It will patch a vulnerability in Windows Defender on Windows 8 and RT.
So overall, an average Patch Tuesday.
http://technet.microsoft.com/en-us/security/bulletin/ms13-apr