1378043 – (CVE-2016-7048) CVE-2016-7048 postgresql: Interactive installer downloads and executes software via plain HTTP

Bug 1378043 (CVE-2016-7048) - CVE-2016-7048 postgresql: Interactive installer downloads and executes software via plain HTTP

Summary: CVE-2016-7048 postgresql: Interactive installer downloads and executes softwa...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2016-7048
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1378044
TreeView+	depends on / blocked

Reported:	2016-09-21 11:39 UTC by Adam Mariš
Modified:	2021-02-17 03:18 UTC (History)
CC List:	30 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2016-09-21 21:02:35 UTC
Embargoed:

Attachments	(Terms of Use)

Description Adam Mariš 2016-09-21 11:39:46 UTC

The interactive installer used in EnterpriseDB-supplied PostgreSQL packages failed to secure its connection to the download server. Hence, an attacker able to impersonate the download server within a PostgreSQL installation's network scope can execute arbitrary code, as root, during initial installation or when the user directs the installed StackBuilder to acquire additional software. PostgreSQL binaries delivered other ways, such as installations from Yum or Apt packages, are unaffected.

Comment 1 Adam Mariš 2016-09-21 11:40:03 UTC

Acknowledgments:

Name: the PostgreSQL project

Note You need to log in before you can comment on or make changes to this bug.

bkearney
cpelland
dajohnso
databases-maint
dclarizi
devrim
gblomqui
gmccullo
gtanzill
hhorak
hhudgeon
jfrey
jhardy
jmlich83
jorton
jprause
jrafanie
jstanek
kseifried
obarenbo
pkajaba
pkubat
praiskup
roliveri
security-response-team
simaishi
taw
tgl
tkasparek
tlestach