PublicDateAtUSN: 2012-08-17
Candidate: CVE-2012-3488
CRD: 2012-08-17
PublicDate: 2012-10-03 21:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3488
 http://www.postgresql.org/about/news/1407/
 https://ubuntu.com/security/notices/USN-1542-1
Description:
 The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4
 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly
 restrict access to files and URLs, which allows remote authenticated users
 to modify data, obtain sensitive information, or trigger outbound traffic
 to arbitrary external hosts by leveraging (1) stylesheet commands that are
 permitted by the libxslt security options or (2) an xslt_process feature,
 related to an XML External Entity (aka XXE) issue.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Peter Eisentraut
Assigned-to: jdstrand
CVSS: 

Patches_postgresql-9.1:
upstream_postgresql-9.1: released (9.1.5-1)
hardy_postgresql-9.1: DNE
lucid_postgresql-9.1: DNE
natty_postgresql-9.1: DNE
oneiric_postgresql-9.1: released (9.1.5-0ubuntu11.10)
precise_postgresql-9.1: released (9.1.5-0ubuntu12.04)
quantal_postgresql-9.1: not-affected (9.1.5-1)
raring_postgresql-9.1: not-affected (9.1.5-1)
saucy_postgresql-9.1: not-affected (9.1.5-1)
trusty_postgresql-9.1: not-affected (9.1.5-1)
trusty/esm_postgresql-9.1: DNE (trusty was not-affected [9.1.5-1])
utopic_postgresql-9.1: DNE
devel_postgresql-9.1: DNE

Patches_postgresql-8.4:
upstream_postgresql-8.4: needs-triage
hardy_postgresql-8.4: DNE
lucid_postgresql-8.4: released (8.4.13-0ubuntu10.04)
natty_postgresql-8.4: released (8.4.13-0ubuntu11.04)
oneiric_postgresql-8.4: ignored (reached end-of-life)
precise_postgresql-8.4: released (8.4.22-0ubuntu0.12.04)
quantal_postgresql-8.4: DNE
raring_postgresql-8.4: DNE
saucy_postgresql-8.4: DNE
trusty_postgresql-8.4: DNE
trusty/esm_postgresql-8.4: DNE
utopic_postgresql-8.4: DNE
devel_postgresql-8.4: DNE

Patches_postgresql-8.3:
upstream_postgresql-8.3: needs-triage
hardy_postgresql-8.3: released (8.3.20-0ubuntu8.04)
lucid_postgresql-8.3: DNE
natty_postgresql-8.3: DNE
oneiric_postgresql-8.3: DNE
precise_postgresql-8.3: DNE
quantal_postgresql-8.3: DNE
raring_postgresql-8.3: DNE
saucy_postgresql-8.3: DNE
trusty_postgresql-8.3: DNE
trusty/esm_postgresql-8.3: DNE
utopic_postgresql-8.3: DNE
devel_postgresql-8.3: DNE

Patches_postgresql-8.2:
upstream_postgresql-8.2: needs-triage
hardy_postgresql-8.2: ignored (reached end-of-life)
lucid_postgresql-8.2: DNE
natty_postgresql-8.2: DNE
oneiric_postgresql-8.2: DNE
precise_postgresql-8.2: DNE
quantal_postgresql-8.2: DNE
raring_postgresql-8.2: DNE
saucy_postgresql-8.2: DNE
trusty_postgresql-8.2: DNE
trusty/esm_postgresql-8.2: DNE
utopic_postgresql-8.2: DNE
devel_postgresql-8.2: DNE