CVE-2017-8806

Publication date 9 November 2017

Last updated 24 July 2024


Ubuntu priority

CVSS 3 severity score

5.5 · Medium

The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to Debian and Ubuntu), handled symbolic links insecurely, which could result in local denial of service by overwriting arbitrary files.

Status

Package            Ubuntu release      Status
postgresql-common  17.10 artful        Fixed 184ubuntu1.1
postgresql-common  17.04 zesty         Fixed 179ubuntu0.1
postgresql-common  16.04 LTS xenial    Fixed 173ubuntu0.1
postgresql-common  14.04 LTS trusty    Fixed 154ubuntu1.1

Notes


mdeslaur

PostgreSQL will use CVE-2017-12172 for contrib/start-scripts. This is related to CVE-2016-1255.

Patch details

For informational purposes only. We recommend against cherry-picking updates.

Package Patch details
postgresql-common

Severity score breakdown

Parameter Value
Base score 5.5 · Medium
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality impact None
Integrity impact High
Availability impact None
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

Related Ubuntu Security Notices (USN)

    • USN-3476-2: postgresql-common vulnerabilities (27 November 2017)
    • USN-3476-1: postgresql-common vulnerabilities (9 November 2017)

Other references