Quoting upstream PostgreSQL security page:
http://www.postgresql.org/support/security.html

The fix for issue CVE-2007-2138 (below) failed to include protection against misuse of RESET SESSION AUTHORIZATION.

Affected versions: 8.4, 8.3, 8.2, 8.1, 8.0, 7.4 (note: this may affect previous 7.x versions too, but upstream does not support pre-7.4 versions any more)

Fixed in versions: 8.4.1, 8.3.8, 8.2.14, 8.1.18, 8.0.22, 7.4.26

Severity: C - A vulnerability that is exploitable for privilege escalation, but requiring a valid prior login.

CVE-2007-2138 was previously tracked via bug #237680 and bug #237682, more info on the updates addressing this flaw is available at:
https://www.redhat.com/security/data/cve/CVE-2007-2138.html
The above is incorrect --- the related prior CVE is CVE-2007-6600.
CVE-2007-6600 was bug #427127
https://www.redhat.com/security/data/cve/CVE-2007-6600.html

Is upstream already correcting this?
(In reply to comment #2)
> Is upstream already correcting this?

http://archives.postgresql.org/pgsql-www/2009-09/msg00023.php
I'm told it is fixed, just hasn't propagated yet.
postgresql-8.3.8-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/postgresql-8.3.8-1.fc11
postgresql-8.3.8-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/postgresql-8.3.8-1.fc10
*** Bug 522822 has been marked as a duplicate of this bug. ***
postgresql-8.3.8-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
postgresql-8.3.8-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
MITRE's CVE-2009-3230 record:
-----------------------------

The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and 7.4 before 7.4.26 does not use the appropriate privileges for the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, which allows remote authenticated users to gain privileges. NOTE: this is due to an incomplete fix for CVE-2007-6600.

References:
-----------

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230
http://archives.postgresql.org/pgsql-www/2009-09/msg00024.php
http://www.postgresql.org/docs/8.3/static/release-8-3-8.html
http://www.postgresql.org/support/security.html
https://bugzilla.redhat.com/show_bug.cgi?id=522085
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00305.html
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00307.html
http://www.securityfocus.com/bid/36314
http://secunia.com/advisories/36660
http://secunia.com/advisories/36695
http://secunia.com/advisories/36727
http://www.vupen.com/english/advisories/2009/2602
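An added example, not part of the bug report or of PostgreSQL: a check of a version string (upstream version, `SELECT version()` output, or package name) against the affected and fixed releases listed in this report. The function names and the status labels are assumptions made for the illustration.

```python
import re

# Fixed release per affected branch, as listed in this report for CVE-2009-3230.
FIXED = {
    (8, 4): (8, 4, 1),
    (8, 3): (8, 3, 8),
    (8, 2): (8, 2, 14),
    (8, 1): (8, 1, 18),
    (8, 0): (8, 0, 22),
    (7, 4): (7, 4, 26),
}

# First dotted version in the text; a bare branch such as "8.4" is read as 8.4.0.
_VERSION = re.compile(r"(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?(?![\d.])")


def parse_version(text):
    """Return (major, minor, patch) from e.g. 'postgresql-8.3.8-1.fc11'."""
    m = _VERSION.search(text)
    if m is None:
        raise ValueError("no PostgreSQL version found in %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(text):
    """Hypothetical status labels: affected, fixed, unsupported, not-listed."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED:
        return "affected" if version < FIXED[branch] else "fixed"
    if branch < (7, 4):
        # The report notes older 7.x may be affected but has no upstream fix.
        return "unsupported"
    return "not-listed"  # branch not covered by this advisory


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("PostgreSQL 8.3.7 on x86_64-redhat-linux-gnu",
                   "postgresql-8.3.8-1.fc11", "8.1.17", "7.3.21"):
        print(sample, "->", classify(sample))
```

Distribution packages can carry backported fixes under an older upstream version number, so for vendor packages the vendor's erratum is the authoritative reference.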
This issue has been addressed in following products:

Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:1461 https://rhn.redhat.com/errata/RHSA-2009-1461.html
This issue has been addressed in following products:

Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2009:1484 https://rhn.redhat.com/errata/RHSA-2009-1484.html
This issue has been addressed in following products:

Red Hat Enterprise Linux 3

Via RHSA-2009:1485 https://rhn.redhat.com/errata/RHSA-2009-1485.html
This issue has been addressed in the following RHSAs:

Red Hat Application Stack v2 for Enterprise Linux (v.5): RHSA-2009:1461
Red Hat Enterprise Linux version 4 (postgresql): RHSA-2009:1484
Red Hat Enterprise Linux version 5 (postgresql): RHSA-2009:1484
Red Hat Enterprise Linux version 3 (rh-postgresql): RHSA-2009:1485