Bug 593870 – CVE-2010-1975 postgresql: improper privilege check during certain RESET ALL operations

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 593870 - (CVE-2010-1975) CVE-2010-1975 postgresql: improper privilege check during certain RESET ALL operations

Summary:	CVE-2010-1975 postgresql: improper privilege check during certain RESET ALL o...

Status:	CLOSED ERRATA

Aliases:	CVE-2010-1975

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20100517,reported=2...
Keywords:	Security

Depends On:	639928
Blocks:
	Show dependency tree / graph

Reported:	2010-05-19 18:01 EDT by Vincent Danen
Modified:	2018-08-15 17:47 EDT (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2010-10-05 04:12:12 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Vincent Danen 2010-05-19 18:01:26 EDT

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1975 to
the following vulnerability:

Name: CVE-2010-1975
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1975
Assigned: 20100519
Reference: CONFIRM: http://www.postgresql.org/docs/current/static/release-7-4-29.html
Reference: CONFIRM: http://www.postgresql.org/docs/current/static/release-8-0-25.html
Reference: CONFIRM: http://www.postgresql.org/docs/current/static/release-8-1-21.html
Reference: CONFIRM: http://www.postgresql.org/docs/current/static/release-8-2-17.html
Reference: CONFIRM: http://www.postgresql.org/docs/current/static/release-8-3-11.html
Reference: CONFIRM: http://www.postgresql.org/docs/current/static/release-8-4-4.html

PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21,
8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not
properly check privileges during certain RESET ALL operations, which
allows remote authenticated users to remove arbitrary parameter
settings via a (1) ALTER USER or (2) ALTER DATABASE statement.

Comment 1 Vincent Danen 2010-05-19 18:04:08 EDT

Statement:

This issue has been addressed in Red Hat Enterprise Linux 4 via
https://rhn.redhat.com/errata/RHSA-2010-0428.html

This issue has been addressed in Red Hat Enterprise Linux 5 via
https://rhn.redhat.com/errata/RHSA-2010-0429.html and
https://rhn.redhat.com/errata/RHSA-2010-0430.html

There is not plan to address this issue in the PostgreSQL packages as shipped with Red Hat Enterprise Linux 3.

Comment 4 Jan Lieskovsky 2010-05-20 04:22:00 EDT

Upstream commit:

  [1] http://git.postgresql.org/gitweb?p=postgresql.git;a=commit;h=a9dec915c5588f4ce8e7ef94fabe508c88e4a350

Note You need to log in before you can comment on or make changes to this bug.