Critical vulnerabilities in PostgreSQL, BIND, Linux kernel and Asterisk

Posted: March 29, 2013 in Vulnerability News


A notice has been published about a critical vulnerability discovered in the PostgreSQL database.

No details about the nature of the problem will be disclosed before the official updates are released, which is scheduled for April 4. Apparently the vulnerability is very dangerous, because for the first time in the history of the project access to the repository will be limited, and the updates will be prepared and tested for release in high secrecy, privately among the committers, to avoid a premature leak. PostgreSQL users should prepare for an unplanned upgrade of their systems on April 4. The issue affects all supported versions of PostgreSQL.

Additionally, fixes for three other dangerous vulnerabilities are worth noting:

– The corrective releases 9.9.2-P2 and 9.8.4-P2 of the BIND DNS server eliminate a vulnerability (CVE-2013-2266) that allows recursive and authoritative DNS servers to be taken out of service by sending specially malformed requests. The problem is caused by a memory leak and manifests itself as exhaustion of all memory available to the named process. The problem affects only the BIND 9.7, 9.8 and 9.9 branches. Users of the 9.7 branch, which is no longer supported, can solve the problem by rebuilding BIND without regular expression support (find the line “# define HAVE_REGEX_H 1” in the file and change it to “# undef HAVE_REGEX_H”). The problem is made worse by how simple it is to exploit.

– The Linux kernel updates 3.8.5, 3.4.38, 3.2.42 and 3.0.71 fix a vulnerability (CVE-2013-0913) in the drm-i915 driver for Intel video cards, which can be exploited to write beyond the bounds of a heap buffer and initiate execution of code with kernel privileges. The problem was demonstrated at the Pwnium competition, for which a partially working exploit for an attack on ChromeOS was prepared.

– The Asterisk 11.2.2 telephony platform fixes three vulnerabilities that make it possible to detect the presence of user names, carry out a DoS attack by sending a special HTTP POST request, and execute code on the server by passing specially crafted resources in an attribute of the SDP header.
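For the BIND item above, the branch and version rules can be turned into a quick triage of version strings as reported by `named -v`. This is an added example, not code from the post or from ISC; the function names and sample strings are constructed, and it assumes that any release in the 9.8 or 9.9 branch older than the fixed one needs the upgrade. Vendor packages may backport the fix without changing the upstream version, so treat the result as a first pass.

```python
import re

# Fixed releases per branch for CVE-2013-2266, as listed in the post.
FIXED = {(9, 8): (9, 8, 4, 2), (9, 9): (9, 9, 2, 2)}
# Affected but unsupported branch: no fixed release, only the rebuild workaround.
UNSUPPORTED = {(9, 7)}

# Matches "9.8.4", "9.8.4-P1" and pre-releases such as "9.9.3b1".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?([a-z]+\d*)?")


def parse_version(text):
    """Return (major, minor, patch, P-level, pre-release tag) or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, int(m.group(4) or 0), m.group(5))


def triage(version_text):
    """Classify a BIND version string against the post's branch rules."""
    parsed = parse_version(version_text)
    if parsed is None or parsed[4] is not None:
        # Unparseable, or an alpha/beta/rc build the post says nothing about.
        return "unknown"
    version, branch = parsed[:4], parsed[:2]
    if branch in UNSUPPORTED:
        return "rebuild-without-regex"
    if branch in FIXED:
        return "fixed" if version >= FIXED[branch] else "upgrade"
    # The post states that only the 9.7, 9.8 and 9.9 branches are affected.
    return "not-affected"


if __name__ == "__main__":
    # Constructed sample inputs in the style of `named -v` output.
    for sample in ("BIND 9.7.7", "BIND 9.8.4-P1", "BIND 9.8.4-P2",
                   "BIND 9.9.2", "BIND 9.9.3b1", "BIND 9.6.3"):
        print(f"{sample:16} -> {triage(sample)}")
```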

Link:

Upcoming PostgreSQL Security Release: April 4, 2013
