Bug 864845 (CVE-2014-0060) - VUL-0: CVE-2014-0060: postgresql: SET ROLE without ADMIN OPTION allows adding and removing group
Summary: VUL-0: CVE-2014-0060: postgresql: SET ROLE without ADMIN OPTION allows adding...
Status: RESOLVED FIXED
Alias: CVE-2014-0060
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/96410/
Whiteboard: maint:running:60006:moderate maint:re...
Keywords:
Depends on:
Blocks: 864856
  Show dependency treegraph
 
Reported: 2014-02-20 10:51 UTC by Victor Pereira
Modified: 2019-05-01 16:13 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2014-02-20 10:51:53 UTC 
CVE-2014-0060

Previously, granting an SQL role without ADMIN OPTION allowed the grantee to remove other users from the granted role.

Acknowledgements:

thanks to the PostgreSQL project for reporting this issue. Upstream acknowledges Noah Misch and Jonas Sundman as the original reporters.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0060
https://bugzilla.redhat.com/show_bug.cgi?id=1065219
Comment 1 Swamp Workflow Management 2014-02-20 23:01:16 UTC 
bugbot adjusting priority
Comment 4 Swamp Workflow Management 2014-03-08 14:04:56 UTC 
openSUSE-SU-2014:0345-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 864845,864846,864847,864850,864851,864852,864853
CVE References: CVE-2014-0060,CVE-2014-0061,CVE-2014-0062,CVE-2014-0063,CVE-2014-0064,CVE-2014-0065,CVE-2014-0066,CVE-2014-0067
Sources used:
openSUSE 13.1 (src):    postgresql92-9.2.7-4.4.1, postgresql92-libs-9.2.7-4.4.1
openSUSE 12.3 (src):    postgresql92-9.2.7-1.12.1, postgresql92-libs-9.2.7-1.12.1
Comment 5 Swamp Workflow Management 2014-03-13 18:04:47 UTC 
openSUSE-SU-2014:0368-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 864845,864846,864847,864850,864851,864852,864853
CVE References: CVE-2014-0060,CVE-2014-0061,CVE-2014-0062,CVE-2014-0063,CVE-2014-0064,CVE-2014-0065,CVE-2014-0066,CVE-2014-0067
Sources used:
openSUSE 11.4 (src):    postgresql-9.0.16-43.1, postgresql-libs-9.0.16-43.1
Comment 6 Swamp Workflow Management 2014-03-28 13:04:46 UTC 
Update released for: libecpg6, libpq5, postgresql91, postgresql91-contrib, postgresql91-debuginfo, postgresql91-debugsource, postgresql91-devel, postgresql91-docs, postgresql91-libs, postgresql91-libs-debuginfo, postgresql91-libs-debugsource, postgresql91-plperl, postgresql91-plpython, postgresql91-pltcl, postgresql91-server, postgresql91-test
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 7 Swamp Workflow Management 2014-03-28 15:49:30 UTC 
Update released for: libecpg6, libecpg6-32bit, libecpg6-64bit, libecpg6-x86, libpq5, libpq5-32bit, libpq5-64bit, libpq5-x86, postgresql91, postgresql91-contrib, postgresql91-debuginfo, postgresql91-debugsource, postgresql91-devel, postgresql91-docs, postgresql91-libs, postgresql91-libs-debuginfo, postgresql91-libs-debugsource, postgresql91-plperl, postgresql91-plpython, postgresql91-pltcl, postgresql91-server, postgresql91-test
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 8 Swamp Workflow Management 2014-03-28 19:04:21 UTC 
SUSE-SU-2014:0461-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 864845,864846,864847,864850,864851,864852,864853
CVE References: CVE-2014-0060,CVE-2014-0061,CVE-2014-0062,CVE-2014-0063,CVE-2014-0064,CVE-2014-0065,CVE-2014-0066
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    postgresql91-libs-9.1.12-0.3.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    postgresql91-9.1.12-0.3.1, postgresql91-libs-9.1.12-0.3.1
SUSE Linux Enterprise Server 11 SP3 (src):    postgresql91-9.1.12-0.3.1, postgresql91-libs-9.1.12-0.3.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    postgresql91-9.1.12-0.3.1, postgresql91-libs-9.1.12-0.3.1
Comment 9 Victor Pereira 2014-07-30 12:28:27 UTC 
fixed and released