966435 – (CVE-2016-0766) VUL-0: CVE-2016-0766: postgresql: privilege escalation issue for users of PL/Java

Bug 966435 (CVE-2016-0766) - VUL-0: CVE-2016-0766: postgresql: privilege escalation issue for users of PL/Java

Summary: VUL-0: CVE-2016-0766: postgresql: privilege escalation issue for users of PL/...

Status:	RESOLVED FIXED

Alias:	CVE-2016-0766

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/161843/
Whiteboard:	CVSSv2:RedHat:CVE-2016-0773:6.8:(AV:N...
Keywords:

Depends on:
Blocks:	978323
	Show dependency tree / graph

Clone This Bug

Reported:	2016-02-12 09:33 UTC by Alexander Bergmann
Modified:	2018-11-07 16:28 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2016-02-12 09:33:44 UTC

http://www.postgresql.org/about/news/1644/
http://www.postgresql.org/docs/current/static/release-9-5-1.html

Release Notes 9.5.1:

Prevent certain PL/Java parameters from being set by non-superusers (Noah Misch)

This change mitigates a PL/Java security bug (CVE-2016-0766), which was fixed in PL/Java by marking these parameters as superuser-only. To fix the security hazard for sites that update PostgreSQL more frequently than PL/Java, make the core code aware of them also.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0766
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0766.html

Comment 1 Reinhard Max 2016-02-12 09:44:20 UTC

We do not (yet) ship PostgreSQL 9.5 and AFAICS we've never shipped PL/Java.

Comment 2 Reinhard Max 2016-02-12 09:59:09 UTC

Ah, CVE-2016-0766 is also mentioned in the release notes of PostgreSQL 9.4.6 and the other new patchlevel releases.

Comment 4 Swamp Workflow Management 2016-02-12 23:00:19 UTC

bugbot adjusting priority

Comment 6 Swamp Workflow Management 2016-02-21 10:11:13 UTC

openSUSE-SU-2016:0531-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 966435,966436
CVE References: CVE-2007-4772,CVE-2016-0766,CVE-2016-0773
Sources used:
openSUSE Leap 42.1 (src):    postgresql-init-9.4-6.1, postgresql93-9.3.11-3.2, postgresql93-libs-9.3.11-3.2
openSUSE 13.2 (src):    postgresql93-9.3.11-2.10.1, postgresql93-libs-9.3.11-2.10.1

Comment 7 Swamp Workflow Management 2016-02-22 13:11:28 UTC

SUSE-SU-2016:0539-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 966435,966436
CVE References: CVE-2007-4772,CVE-2016-0766,CVE-2016-0773
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    postgresql93-libs-9.3.11-14.1
SUSE Linux Enterprise Server 12 (src):    postgresql93-9.3.11-14.2
SUSE Linux Enterprise Desktop 12 (src):    postgresql93-9.3.11-14.2

Comment 8 Swamp Workflow Management 2016-02-24 12:13:11 UTC

SUSE-SU-2016:0555-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 578053,966435,966436
CVE References: CVE-2007-4772,CVE-2016-0766,CVE-2016-0773
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    postgresql94-libs-9.4.6-7.1
SUSE Linux Enterprise Software Development Kit 12 (src):    postgresql94-libs-9.4.6-7.1
SUSE Linux Enterprise Server 12-SP1 (src):    postgresql94-9.4.6-7.2, postgresql94-libs-9.4.6-7.1
SUSE Linux Enterprise Server 12 (src):    postgresql94-9.4.6-7.2, postgresql94-libs-9.4.6-7.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    postgresql94-9.4.6-7.2, postgresql94-libs-9.4.6-7.1
SUSE Linux Enterprise Desktop 12 (src):    postgresql94-9.4.6-7.2, postgresql94-libs-9.4.6-7.1

Comment 9 Swamp Workflow Management 2016-02-25 13:12:12 UTC

openSUSE-SU-2016:0578-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 578053,966435,966436
CVE References: CVE-2007-4772,CVE-2016-0766,CVE-2016-0773
Sources used:
openSUSE Leap 42.1 (src):    postgresql94-9.4.6-4.1, postgresql94-libs-9.4.6-4.1

Comment 10 Bernhard Wiedemann 2016-03-07 15:00:15 UTC

This is an autogenerated message for OBS integration:
This bug (966435) was mentioned in
https://build.opensuse.org/request/show/367653 Factory / postgresql93

Comment 11 Swamp Workflow Management 2016-03-07 17:13:16 UTC

SUSE-SU-2016:0677-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 949669,949670,966435,966436
CVE References: CVE-2007-4772,CVE-2015-5288,CVE-2015-5289,CVE-2016-0766,CVE-2016-0773
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    postgresql94-libs-9.4.6-0.14.3
SUSE Linux Enterprise Server 11-SP4 (src):    postgresql94-9.4.6-0.14.3, postgresql94-libs-9.4.6-0.14.3
SUSE Linux Enterprise Desktop 11-SP4 (src):    postgresql94-9.4.6-0.14.3, postgresql94-libs-9.4.6-0.14.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    postgresql94-9.4.6-0.14.3, postgresql94-libs-9.4.6-0.14.3

Comment 12 Bernhard Wiedemann 2016-03-08 10:00:11 UTC

This is an autogenerated message for OBS integration:
This bug (966435) was mentioned in
https://build.opensuse.org/request/show/368148 Factory / postgresql94

Comment 13 Marcus Meissner 2016-03-16 17:03:32 UTC

updates were released