PostgreSQL class C vulnerability in core server, ECPG: CVE-2014-0063

PostgreSQL class C vulnerability in core server, ECPG: CVE-2014-0063

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:L/Au:S/C:P/I:P/A:P)	March 31, 2014	April 01, 2014	April 01, 2014

Description

Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065.

References

• CVE-2014-0063
• DEBIAN: http://www.debian.org/security/dsa-2864
• DEBIAN: http://www.debian.org/security/dsa-2865
• DISA_SEVERITY: http://iase.disa.mil/stigs/iavm-cve.html
• DISA_VMSKEY: http://iase.disa.mil/stigs/iavm-cve.html
• IAVM: http://iase.disa.mil/stigs/iavm-cve.html

Solution

• Postgres Postgres >= 8.4 and < 8.4.20

  Upgrade to PostgreSQL version 8.4.20

  Download and apply the upgrade from: http://www.postgresql.org/download/

• Postgres Postgres >= 9.0 and < 9.0.16

  Upgrade to PostgreSQL version 9.0.16

  Download and apply the upgrade from: http://www.postgresql.org/download/

• Postgres Postgres >= 9.1 and < 9.1.12

  Upgrade to PostgreSQL version 9.1.12

  Download and apply the upgrade from: http://www.postgresql.org/download/

• Postgres Postgres >= 9.2 and < 9.2.7

  Upgrade to PostgreSQL version 9.2.7

  Download and apply the upgrade from: http://www.postgresql.org/download/

• Postgres Postgres >= 9.3 and < 9.3.3

  Upgrade to PostgreSQL version 9.3.3

  Download and apply the upgrade from: http://www.postgresql.org/download/

Related Vulnerabilities

• DSA-2864-1 postgresql-8.4 -- several vulnerabilities
• DSA-2865-1 postgresql-9.1 -- several vulnerabilities
• CESA-2014:0211: postgresql84 and postgresql security update
• CESA-2014:0221: postgresql92-postgresql security update
• CESA-2014:0249: postgresql security update
• ELSA-2014-0211 Important: Oracle Linux 6 postgresql84 and postgresql security update
• ELSA-2014-0249 Important: Oracle Linux 5 postgresql security update
• RHSA-2014:0211: postgresql84 and postgresql security update
• RHSA-2014:0221: postgresql92-postgresql security update
• RHSA-2014:0249: postgresql security update
• SUSE Linux Security Advisory: CVE-2014-0063