FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2012-3488

This CVE name corresponds to:

Entered: 2012-08-17
Topic: databases/postgresql*-server -- multiple vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2012-3488
Phase: Assigned (20120614)

Description

The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.
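A practitioner's check and interim mitigation for the issue described above, added to this entry as an example; it is not part of the VuXML entry, the CVE text, or PostgreSQL's own fix. It assumes contrib/xml2 is installed in the database being checked, takes the affected version ranges from the description above, and the stylesheet and the /tmp/probe.xml path in step 3 are constructed for illustration:

```sql
-- Added example, not from the advisory or the PostgreSQL project.
-- Run as a superuser with psql against the database that has contrib/xml2 loaded.

-- 1. Is this server inside an affected range?
--    (8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, 9.1 before 9.1.5)
SELECT current_setting('server_version')          AS version,
       current_setting('server_version_num')::int AS vnum,
       CASE
         WHEN current_setting('server_version_num')::int BETWEEN 80300 AND 80319 THEN 'affected'
         WHEN current_setting('server_version_num')::int BETWEEN 80400 AND 80412 THEN 'affected'
         WHEN current_setting('server_version_num')::int BETWEEN 90000 AND 90008 THEN 'affected'
         WHEN current_setting('server_version_num')::int BETWEEN 90100 AND 90104 THEN 'affected'
         ELSE 'not in an affected range'
       END AS cve_2012_3488;

-- 2. Is xslt_process() present, and who may call it?
--    A NULL proacl means default privileges, i.e. EXECUTE granted to PUBLIC,
--    which is what makes "remote authenticated users" the relevant attacker.
SELECT n.nspname,
       p.proname,
       oidvectortypes(p.proargtypes) AS args,
       p.proacl
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.proname = 'xslt_process';

-- 3. The class of stylesheet command the libxslt security options govern:
--    document() pulls a file or URL into the transform. On an unpatched server
--    this runs with the database server's filesystem and network access;
--    /tmp/probe.xml is a constructed path for illustration only.
SELECT xslt_process(
  '<root/>',
  '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
     <xsl:template match="/">
       <xsl:copy-of select="document(''file:///tmp/probe.xml'')"/>
     </xsl:template>
   </xsl:stylesheet>');

-- 4. Interim mitigation until the fixed package is installed: withdraw the
--    default EXECUTE grant so ordinary roles cannot reach the function at all.
REVOKE EXECUTE ON FUNCTION xslt_process(text, text)       FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION xslt_process(text, text, text) FROM PUBLIC;
```

The REVOKE only narrows who can reach the function; it does not change what the function can do, so it is not a substitute for the fixed releases cited below, which restrict file and URL access inside the transform itself. On 9.1 the xml2 functions are installed with CREATE EXTENSION, so the revoked privilege reverts to the default grant if the extension is dropped and recreated; re-check step 2 after any reinstall.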

References

Source Reference
CONFIRM http://www.postgresql.org/about/news/1407/
CONFIRM http://www.postgresql.org/docs/8.3/static/release-8-3-20.html
CONFIRM http://www.postgresql.org/docs/8.4/static/release-8-4-13.html
CONFIRM http://www.postgresql.org/docs/9.0/static/release-9-0-9.html
CONFIRM http://www.postgresql.org/docs/9.1/static/release-9-1-5.html
CONFIRM http://www.postgresql.org/support/security/
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=849172
CONFIRM https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2
APPLE APPLE-SA-2013-03-14-1
DEBIAN DSA-2534
MANDRIVA MDVSA-2012:139
REDHAT RHSA-2012:1263
REDHAT RHSA-2012:1264
SUSE openSUSE-SU-2012:1299
SUSE openSUSE-SU-2012:1251
SUSE openSUSE-SU-2012:1288
UBUNTU USN-1542-1
BID 55072
SECUNIA 50636
SECUNIA 50635
SECUNIA 50718
SECUNIA 50946
SECUNIA 50859