rpm package
opensuse/postgresql95&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/postgresql95&distro=openSUSE%20Tumbleweed
Vulnerabilities (37)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2013-1900 | — | < 9.5.4-1.2 | 9.5.4-1.2 | Apr 4, 2013 | PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the "contrib/pgcrypto fu | ||
| CVE-2013-1899 | — | < 9.5.4-1.2 | 9.5.4-1.2 | Apr 4, 2013 | Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code | ||
| CVE-2013-0255 | — | < 9.5.4-1.2 | 9.5.4-1.2 | Feb 13, 2013 | PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticate | ||
| CVE-2012-3489 | Med | 6.5 | < 9.5.4-1.2 | 9.5.4-1.2 | Oct 3, 2012 | The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file | |
| CVE-2012-3488 | — | < 9.5.4-1.2 | 9.5.4-1.2 | Oct 3, 2012 | The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger out | ||
| CVE-2012-2655 | — | < 9.5.4-1.2 | 9.5.4-1.2 | Jul 18, 2012 | PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4 allows remote authenticated users to cause a denial of service (server crash) by adding the (1) SECURITY DEFINER or (2) SET attributes to a procedural language's call handler. | ||
| CVE-2012-0868 | — | < 9.5.4-1.2 | 9.5.4-1.2 | Jul 18, 2012 | CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are i | ||
| CVE-2012-0867 | — | < 9.5.4-1.2 | 9.5.4-1.2 | Jul 18, 2012 | PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof connections when the host name is exactly 32 characters. | ||
| CVE-2012-0866 | — | < 9.5.4-1.2 | 9.5.4-1.2 | Jul 18, 2012 | CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 does not properly check the execute permission for trigger functions marked SECURITY DEFINER, which allows remote authenticated users to execute otherwise restricted | ||
| CVE-2012-2143 | — | < 9.5.4-1.2 | 9.5.4-1.2 | Jul 5, 2012 | The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obt | ||
| CVE-2010-3433 | — | < 9.5.4-1.2 | 9.5.4-1.2 | Oct 6, 2010 | The PL/perl and PL/Tcl implementations in PostgreSQL 7.4 before 7.4.30, 8.0 before 8.0.26, 8.1 before 8.1.22, 8.2 before 8.2.18, 8.3 before 8.3.12, 8.4 before 8.4.5, and 9.0 before 9.0.1 do not properly protect script execution by a different SQL user identity within the same ses | ||
| CVE-2010-1170 | — | < 9.5.4-1.2 | 9.5.4-1.2 | May 19, 2010 | The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 loads Tcl code from the pltcl_modules table regardless of the table's ownership and permissions, | ||
| CVE-2010-1169 | — | < 9.5.4-1.2 | 9.5.4-1.2 | May 19, 2010 | PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedures, which allows remote authenticated users, with database-creation privileges, to | ||
| CVE-2009-4136 | — | < 9.5.4-1.2 | 9.5.4-1.2 | Dec 15, 2009 | PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly manage session-local state during execution of an index function by a database superuser, which allows remote authenticated | ||
| CVE-2009-4034 | — | < 9.5.4-1.2 | 9.5.4-1.2 | Dec 15, 2009 | PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which (1) allows m | ||
| CVE-2007-6600 | — | < 9.5.4-1.2 | 9.5.4-1.2 | Jan 9, 2008 | PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4 before 7.4.19, and 7.3 before 7.3.21 uses superuser privileges instead of table owner privileges for (1) VACUUM and (2) ANALYZE operations within index functions, and supports (3) SET ROLE and (4) SET SESSION | ||
| CVE-2007-4772 | — | < 9.5.4-1.2 | 9.5.4-1.2 | Jan 9, 2008 | The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted regular expression. |
- CVE-2013-1900Apr 4, 2013affected < 9.5.4-1.2fixed 9.5.4-1.2
PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the "contrib/pgcrypto fu
- CVE-2013-1899Apr 4, 2013affected < 9.5.4-1.2fixed 9.5.4-1.2
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code
- CVE-2013-0255Feb 13, 2013affected < 9.5.4-1.2fixed 9.5.4-1.2
PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticate
- affected < 9.5.4-1.2fixed 9.5.4-1.2
The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file
- CVE-2012-3488Oct 3, 2012affected < 9.5.4-1.2fixed 9.5.4-1.2
The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger out
- CVE-2012-2655Jul 18, 2012affected < 9.5.4-1.2fixed 9.5.4-1.2
PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4 allows remote authenticated users to cause a denial of service (server crash) by adding the (1) SECURITY DEFINER or (2) SET attributes to a procedural language's call handler.
- CVE-2012-0868Jul 18, 2012affected < 9.5.4-1.2fixed 9.5.4-1.2
CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are i
- CVE-2012-0867Jul 18, 2012affected < 9.5.4-1.2fixed 9.5.4-1.2
PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof connections when the host name is exactly 32 characters.
- CVE-2012-0866Jul 18, 2012affected < 9.5.4-1.2fixed 9.5.4-1.2
CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 does not properly check the execute permission for trigger functions marked SECURITY DEFINER, which allows remote authenticated users to execute otherwise restricted
- CVE-2012-2143Jul 5, 2012affected < 9.5.4-1.2fixed 9.5.4-1.2
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obt
- CVE-2010-3433Oct 6, 2010affected < 9.5.4-1.2fixed 9.5.4-1.2
The PL/perl and PL/Tcl implementations in PostgreSQL 7.4 before 7.4.30, 8.0 before 8.0.26, 8.1 before 8.1.22, 8.2 before 8.2.18, 8.3 before 8.3.12, 8.4 before 8.4.5, and 9.0 before 9.0.1 do not properly protect script execution by a different SQL user identity within the same ses
- CVE-2010-1170May 19, 2010affected < 9.5.4-1.2fixed 9.5.4-1.2
The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 loads Tcl code from the pltcl_modules table regardless of the table's ownership and permissions,
- CVE-2010-1169May 19, 2010affected < 9.5.4-1.2fixed 9.5.4-1.2
PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedures, which allows remote authenticated users, with database-creation privileges, to
- CVE-2009-4136Dec 15, 2009affected < 9.5.4-1.2fixed 9.5.4-1.2
PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly manage session-local state during execution of an index function by a database superuser, which allows remote authenticated
- CVE-2009-4034Dec 15, 2009affected < 9.5.4-1.2fixed 9.5.4-1.2
PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which (1) allows m
- CVE-2007-6600Jan 9, 2008affected < 9.5.4-1.2fixed 9.5.4-1.2
PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4 before 7.4.19, and 7.3 before 7.3.21 uses superuser privileges instead of table owner privileges for (1) VACUUM and (2) ANALYZE operations within index functions, and supports (3) SET ROLE and (4) SET SESSION
- CVE-2007-4772Jan 9, 2008affected < 9.5.4-1.2fixed 9.5.4-1.2
The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted regular expression.
Page 2 of 2