Vulnerability overview:
- Fix insecure parsing of server command-line switches.
A connection request containing a database name that begins with
"-" could be crafted to damage or destroy files within the server's
data directory, even if the request is eventually rejected. [CVE-2013-1899]
Critical, affects 9.1 only.
- Reset OpenSSL randomness state in each postmaster child process.
This avoids a scenario wherein random numbers generated by
"contrib/pgcrypto" functions might be relatively easy for another
database user to guess. The risk is only significant when the
postmaster is configured with ssl = on but most connections don't
use SSL encryption. [CVE-2013-1900]
Moderate, affects all versions
- Make REPLICATION privilege checks test current user not
authenticated user.
An unprivileged database user could exploit this mistake to call
pg_start_backup() or pg_stop_backup(), thus possibly interfering
with creation of routine backups. [CVE-2013-1901]
Moderate, affects 9.1 only
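For the CVE-2013-1899 item above, a check that a connection proxy or capture-analysis script could apply while servers are being patched. This is an added example, not code from the PostgreSQL project or this advisory. It parses a protocol 3.0 StartupMessage and flags a database name beginning with "-". The function names and the sample packets are constructed for illustration.

```python
import struct

PROTOCOL_3_0 = 196608  # (3 << 16) | 0, version field of a v3 StartupMessage


def build_startup(params):
    """Build a StartupMessage; used here only to construct sample input."""
    body = b"".join(k.encode() + b"\x00" + v.encode() + b"\x00"
                    for k, v in params.items()) + b"\x00"
    return struct.pack("!II", len(body) + 8, PROTOCOL_3_0) + body


def parse_startup(packet):
    """Return the parameter dict of a v3 StartupMessage, or raise ValueError."""
    if len(packet) < 9:
        raise ValueError("packet too short")
    length, version = struct.unpack("!II", packet[:8])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    if version != PROTOCOL_3_0:
        raise ValueError("not a v3 StartupMessage")
    if packet[-1:] != b"\x00":
        raise ValueError("missing list terminator")
    # Body is name\0value\0 ... name\0value\0 followed by the final \0.
    fields = packet[8:-1].split(b"\x00")
    if fields[-1] != b"":
        raise ValueError("unterminated parameter string")
    fields = fields[:-1]
    if len(fields) % 2:
        raise ValueError("parameter name without a value")
    return {fields[i].decode("utf-8", "replace"):
            fields[i + 1].decode("utf-8", "replace")
            for i in range(0, len(fields), 2)}


def database_name_looks_like_switch(packet):
    """True when the requested database name begins with '-'."""
    return parse_startup(packet).get("database", "").startswith("-")


# Constructed sample packets (not captured traffic).
SAMPLE_OK = build_startup({"user": "alice", "database": "appdb"})
SAMPLE_FLAGGED = build_startup({"user": "alice", "database": "-example"})

if __name__ == "__main__":
    for name, pkt in (("ok", SAMPLE_OK), ("flagged", SAMPLE_FLAGGED)):
        print(name, parse_startup(pkt), database_name_looks_like_switch(pkt))
```

A malformed or truncated packet raises ValueError rather than being passed as clean, so a caller can treat parse failures as a separate rejection reason.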