593870 – (CVE-2010-1975) CVE-2010-1975 postgresql: improper privilege check during certain RESET ALL operations

Bug 593870 (CVE-2010-1975) - CVE-2010-1975 postgresql: improper privilege check during certain RESET ALL operations

Summary: CVE-2010-1975 postgresql: improper privilege check during certain RESET ALL o...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2010-1975
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	639928
Blocks:
TreeView+	depends on / blocked

Reported:	2010-05-19 22:01 UTC by Vincent Danen
Modified:	2021-11-04 15:31 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-10-05 08:12:12 UTC
Embargoed:

Attachments	(Terms of Use)

Description Vincent Danen 2010-05-19 22:01:26 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1975 to
the following vulnerability:

Name: CVE-2010-1975
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1975
Assigned: 20100519
Reference: CONFIRM: http://www.postgresql.org/docs/current/static/release-7-4-29.html
Reference: CONFIRM: http://www.postgresql.org/docs/current/static/release-8-0-25.html
Reference: CONFIRM: http://www.postgresql.org/docs/current/static/release-8-1-21.html
Reference: CONFIRM: http://www.postgresql.org/docs/current/static/release-8-2-17.html
Reference: CONFIRM: http://www.postgresql.org/docs/current/static/release-8-3-11.html
Reference: CONFIRM: http://www.postgresql.org/docs/current/static/release-8-4-4.html

PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21,
8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not
properly check privileges during certain RESET ALL operations, which
allows remote authenticated users to remove arbitrary parameter
settings via a (1) ALTER USER or (2) ALTER DATABASE statement.

Comment 1 Vincent Danen 2010-05-19 22:04:08 UTC

Statement:

This issue has been addressed in Red Hat Enterprise Linux 4 via
https://rhn.redhat.com/errata/RHSA-2010-0428.html

This issue has been addressed in Red Hat Enterprise Linux 5 via
https://rhn.redhat.com/errata/RHSA-2010-0429.html and
https://rhn.redhat.com/errata/RHSA-2010-0430.html

There is not plan to address this issue in the PostgreSQL packages as shipped with Red Hat Enterprise Linux 3.

Comment 4 Jan Lieskovsky 2010-05-20 08:22:00 UTC

Upstream commit:

  [1] http://git.postgresql.org/gitweb?p=postgresql.git;a=commit;h=a9dec915c5588f4ce8e7ef94fabe508c88e4a350

Note You need to log in before you can comment on or make changes to this bug.