ID CVE-2013-1900
Summary PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the "contrib/pgcrypto functions." Per http://www.ubuntu.com/usn/USN-1789-1/: "A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.10, Ubuntu 12.04 LTS, Ubuntu 11.10, Ubuntu 10.04 LTS, Ubuntu 8.04 LTS"
References
Vulnerable Configurations
  • cpe:2.3:a:postgresql:postgresql:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.1.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.1.7:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.1.8:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.0.12:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4.8:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4.9:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4.10:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4.11:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4.12:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4.13:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4.14:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4.15:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4.16:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:8.04:-:lts:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
CVSS
Base: 8.5 (as of 20-10-2017 - 01:29)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: SINGLE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
cvss-vector via4 AV:N/AC:M/Au:S/C:C/I:C/A:C
redhat via4
advisories
bugzilla
id 929255
title CVE-2013-1900 postgresql: Improper randomization of pgcrypto functions (requiring random seed)
oval
OR
  • AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment postgresql is earlier than 0:8.4.18-1.el6_4
          oval oval:com.redhat.rhsa:tst:20131475005
        • comment postgresql is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908006
      • AND
        • comment postgresql-contrib is earlier than 0:8.4.18-1.el6_4
          oval oval:com.redhat.rhsa:tst:20131475019
        • comment postgresql-contrib is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908014
      • AND
        • comment postgresql-devel is earlier than 0:8.4.18-1.el6_4
          oval oval:com.redhat.rhsa:tst:20131475023
        • comment postgresql-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908010
      • AND
        • comment postgresql-docs is earlier than 0:8.4.18-1.el6_4
          oval oval:com.redhat.rhsa:tst:20131475009
        • comment postgresql-docs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908016
      • AND
        • comment postgresql-libs is earlier than 0:8.4.18-1.el6_4
          oval oval:com.redhat.rhsa:tst:20131475021
        • comment postgresql-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908024
      • AND
        • comment postgresql-plperl is earlier than 0:8.4.18-1.el6_4
          oval oval:com.redhat.rhsa:tst:20131475017
        • comment postgresql-plperl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908022
      • AND
        • comment postgresql-plpython is earlier than 0:8.4.18-1.el6_4
          oval oval:com.redhat.rhsa:tst:20131475013
        • comment postgresql-plpython is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908018
      • AND
        • comment postgresql-pltcl is earlier than 0:8.4.18-1.el6_4
          oval oval:com.redhat.rhsa:tst:20131475007
        • comment postgresql-pltcl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908020
      • AND
        • comment postgresql-server is earlier than 0:8.4.18-1.el6_4
          oval oval:com.redhat.rhsa:tst:20131475015
        • comment postgresql-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908012
      • AND
        • comment postgresql-test is earlier than 0:8.4.18-1.el6_4
          oval oval:com.redhat.rhsa:tst:20131475011
        • comment postgresql-test is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908008
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment postgresql84 is earlier than 0:8.4.18-1.el5_10
          oval oval:com.redhat.rhsa:tst:20131475026
        • comment postgresql84 is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100430003
      • AND
        • comment postgresql84-contrib is earlier than 0:8.4.18-1.el5_10
          oval oval:com.redhat.rhsa:tst:20131475048
        • comment postgresql84-contrib is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100430023
      • AND
        • comment postgresql84-devel is earlier than 0:8.4.18-1.el5_10
          oval oval:com.redhat.rhsa:tst:20131475036
        • comment postgresql84-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100430017
      • AND
        • comment postgresql84-docs is earlier than 0:8.4.18-1.el5_10
          oval oval:com.redhat.rhsa:tst:20131475038
        • comment postgresql84-docs is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100430011
      • AND
        • comment postgresql84-libs is earlier than 0:8.4.18-1.el5_10
          oval oval:com.redhat.rhsa:tst:20131475030
        • comment postgresql84-libs is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100430013
      • AND
        • comment postgresql84-plperl is earlier than 0:8.4.18-1.el5_10
          oval oval:com.redhat.rhsa:tst:20131475046
        • comment postgresql84-plperl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100430005
      • AND
        • comment postgresql84-plpython is earlier than 0:8.4.18-1.el5_10
          oval oval:com.redhat.rhsa:tst:20131475040
        • comment postgresql84-plpython is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100430019
      • AND
        • comment postgresql84-pltcl is earlier than 0:8.4.18-1.el5_10
          oval oval:com.redhat.rhsa:tst:20131475028
        • comment postgresql84-pltcl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100430015
      • AND
        • comment postgresql84-python is earlier than 0:8.4.18-1.el5_10
          oval oval:com.redhat.rhsa:tst:20131475034
        • comment postgresql84-python is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100430025
      • AND
        • comment postgresql84-server is earlier than 0:8.4.18-1.el5_10
          oval oval:com.redhat.rhsa:tst:20131475042
        • comment postgresql84-server is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100430007
      • AND
        • comment postgresql84-tcl is earlier than 0:8.4.18-1.el5_10
          oval oval:com.redhat.rhsa:tst:20131475032
        • comment postgresql84-tcl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100430009
      • AND
        • comment postgresql84-test is earlier than 0:8.4.18-1.el5_10
          oval oval:com.redhat.rhsa:tst:20131475044
        • comment postgresql84-test is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100430021
rhsa
id RHSA-2013:1475
released 2013-10-29
severity Moderate
title RHSA-2013:1475: postgresql and postgresql84 security update (Moderate)
rpms
  • postgresql-0:8.4.18-1.el6_4
  • postgresql-contrib-0:8.4.18-1.el6_4
  • postgresql-devel-0:8.4.18-1.el6_4
  • postgresql-docs-0:8.4.18-1.el6_4
  • postgresql-libs-0:8.4.18-1.el6_4
  • postgresql-plperl-0:8.4.18-1.el6_4
  • postgresql-plpython-0:8.4.18-1.el6_4
  • postgresql-pltcl-0:8.4.18-1.el6_4
  • postgresql-server-0:8.4.18-1.el6_4
  • postgresql-test-0:8.4.18-1.el6_4
  • postgresql84-0:8.4.18-1.el5_10
  • postgresql84-contrib-0:8.4.18-1.el5_10
  • postgresql84-devel-0:8.4.18-1.el5_10
  • postgresql84-docs-0:8.4.18-1.el5_10
  • postgresql84-libs-0:8.4.18-1.el5_10
  • postgresql84-plperl-0:8.4.18-1.el5_10
  • postgresql84-plpython-0:8.4.18-1.el5_10
  • postgresql84-pltcl-0:8.4.18-1.el5_10
  • postgresql84-python-0:8.4.18-1.el5_10
  • postgresql84-server-0:8.4.18-1.el5_10
  • postgresql84-tcl-0:8.4.18-1.el5_10
  • postgresql84-test-0:8.4.18-1.el5_10
refmap via4
apple
  • APPLE-SA-2013-09-12-1
  • APPLE-SA-2013-09-17-1
confirm
debian
  • DSA-2657
  • DSA-2658
fedora
  • FEDORA-2013-5000
  • FEDORA-2013-6148
mandriva MDVSA-2013:142
suse
  • SUSE-SU-2013:0633
  • openSUSE-SU-2013:0627
  • openSUSE-SU-2013:0628
  • openSUSE-SU-2013:0635
ubuntu USN-1789-1
Last major update 20-10-2017 - 01:29
Published 04-04-2013 - 17:55