FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

PostgreSQL -- multiple privilege issues

Affected packages
postgresql-server < 8.4.20
9.0.0 <= postgresql-server < 9.0.16
9.1.0 <= postgresql-server < 9.1.12
9.2.0 <= postgresql-server < 9.2.7
9.3.0 <= postgresql-server < 9.3.3

Details

VuXML ID 42d42090-9a4d-11e3-b029-08002798f6ff
Discovery 2014-02-20
Entry 2014-02-20

PostgreSQL Project reports:

This update fixes CVE-2014-0060, in which PostgreSQL did not properly enforce the WITH ADMIN OPTION permission for ROLE management. Before this fix, any member of a ROLE was able to grant others access to the same ROLE regardless if the member was given the WITH ADMIN OPTION permission. It also fixes multiple privilege escalation issues, including: CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064, CVE-2014-0065, and CVE-2014-0066. More information on these issues can be found on our security page and the security issue detail wiki page.

With this release, we are also alerting users to a known security hole that allows other users on the same machine to gain access to an operating system account while it is doing "make check": CVE-2014-0067. "Make check" is normally part of building PostgreSQL from source code. As it is not possible to fix this issue without causing significant issues to our testing infrastructure, a patch will be released separately and publicly. Until then, users are strongly advised not to run "make check" on machines where untrusted users have accounts.

References

CVE Name CVE-2014-0060
CVE Name CVE-2014-0061
CVE Name CVE-2014-0062
CVE Name CVE-2014-0063
CVE Name CVE-2014-0064
CVE Name CVE-2014-0065
CVE Name CVE-2014-0066
CVE Name CVE-2014-0067