CVE-2012-0866
Published: 28 February 2012
CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 does not properly check the execute permission for trigger functions marked SECURITY DEFINER, which allows remote authenticated users to execute otherwise restricted triggers on arbitrary data by installing the trigger on an attacker-owned table.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
postgresql-8.2 Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| raring |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
postgresql-8.3 Launchpad, Ubuntu, Debian |
hardy |
Released
(8.3.18-0ubuntu0.8.04)
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| raring |
Does not exist
|
|
| upstream |
Released
(8.3.18)
|
|
|
postgresql-8.4 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Released
(8.4.11-0ubuntu0.10.04)
|
|
| maverick |
Released
(8.4.11-0ubuntu0.10.10)
|
|
| natty |
Released
(8.4.11-0ubuntu0.11.04)
|
|
| oneiric |
Ignored
(end of life)
|
|
| precise |
Not vulnerable
(8.4.11-1)
|
|
| quantal |
Does not exist
|
|
| raring |
Does not exist
|
|
| upstream |
Released
(8.4.11)
|
|
|
postgresql-9.1 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Released
(9.1.3-0ubuntu0.11.10)
|
|
| precise |
Released
(9.1.3-1)
|
|
| quantal |
Released
(9.1.3-1)
|
|
| raring |
Released
(9.1.3-1)
|
|
| upstream |
Released
(9.1.3)
|