CVE-2009-0922
Published: 17 March 2009
PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using mismatched encoding conversion requests.
Priority
Status
Package | Release | Status |
---|---|---|
postgresql-7.4 | dapper | Ignored (reached end-of-life) |
postgresql-7.4 | gutsy | Does not exist |
postgresql-7.4 | hardy | Does not exist |
postgresql-7.4 | intrepid | Does not exist |
postgresql-7.4 | jaunty | Does not exist |
postgresql-7.4 | karmic | Does not exist |
postgresql-7.4 | lucid | Does not exist |
postgresql-7.4 | maverick | Does not exist |
postgresql-7.4 | natty | Does not exist |
postgresql-7.4 | oneiric | Does not exist |
postgresql-7.4 | upstream | Needs triage |
postgresql-8.0 | dapper | Ignored (reached end-of-life) |
postgresql-8.0 | gutsy | Does not exist |
postgresql-8.0 | hardy | Does not exist |
postgresql-8.0 | intrepid | Does not exist |
postgresql-8.0 | jaunty | Does not exist |
postgresql-8.0 | karmic | Does not exist |
postgresql-8.0 | lucid | Does not exist |
postgresql-8.0 | maverick | Does not exist |
postgresql-8.0 | natty | Does not exist |
postgresql-8.0 | oneiric | Does not exist |
postgresql-8.0 | upstream | Released (8.0.21) |
postgresql-8.1 | dapper | Released (8.1.17-0ubuntu0.6.06.1) |
postgresql-8.1 | gutsy | Needs triage (reached end-of-life) |
postgresql-8.1 | hardy | Does not exist |
postgresql-8.1 | intrepid | Does not exist |
postgresql-8.1 | jaunty | Does not exist |
postgresql-8.1 | karmic | Does not exist |
postgresql-8.1 | lucid | Does not exist |
postgresql-8.1 | maverick | Does not exist |
postgresql-8.1 | natty | Does not exist |
postgresql-8.1 | oneiric | Does not exist |
postgresql-8.1 | upstream | Released (8.1.17) |
postgresql-8.2 | dapper | Does not exist |
postgresql-8.2 | gutsy | Needs triage (reached end-of-life) |
postgresql-8.2 | hardy | Ignored (reached end-of-life) |
postgresql-8.2 | intrepid | Does not exist |
postgresql-8.2 | jaunty | Does not exist |
postgresql-8.2 | karmic | Does not exist |
postgresql-8.2 | lucid | Does not exist |
postgresql-8.2 | maverick | Does not exist |
postgresql-8.2 | natty | Does not exist |
postgresql-8.2 | oneiric | Does not exist |
postgresql-8.2 | upstream | Released (8.2.13) |
postgresql-8.3 | dapper | Does not exist |
postgresql-8.3 | gutsy | Does not exist |
postgresql-8.3 | hardy | Released (8.3.7-0ubuntu8.04.1) |
postgresql-8.3 | intrepid | Released (8.3.7-0ubuntu8.10.1) |
postgresql-8.3 | jaunty | Not vulnerable (8.3.7-1) |
postgresql-8.3 | karmic | Not vulnerable (8.3.7-1) |
postgresql-8.3 | lucid | Does not exist |
postgresql-8.3 | maverick | Does not exist |
postgresql-8.3 | natty | Does not exist |
postgresql-8.3 | oneiric | Does not exist |
postgresql-8.3 | upstream | Released (8.3.7) |
Notes
Author | Note |
---|---|
mdeslaur | The denial of service is only temporary, so impact isn't great. (Should this be changed to "low priority"?) Upstream patch replaces core dump due to stack overflow with core dump due to abort(), so doesn't fix temporary DoS. See http://archives.postgresql.org//pgsql-bugs/2009-02/msg00190.php |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0922
- https://ubuntu.com/security/notices/USN-753-1
- NVD
- Launchpad
- Debian