製品・ソフトウェアに関する情報

JVN脆弱性詳細

PostgreSQL における脆弱性

Title	PostgreSQL における脆弱性
Summary	PostgreSQL は、OpenSSL を使用する場合、不十分な乱数を生成するため、不特定の影響を受ける脆弱性が存在します。
Possible impacts	リモート認証されたユーザにより、不特定の影響を受ける可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 4, 2013, midnight
Registration Date	April 5, 2013, 2:24 p.m.
Last Update	March 6, 2014, 4:30 p.m.

CVSS2.0 : 危険
Score	8.5
Vector	AV:N/AC:M/Au:S/C:C/I:C/A:C

Affected System

PostgreSQL.org

PostgreSQL 8.4.17 未満の 8.4.x

PostgreSQL 9.0.13 未満の 9.0.x

PostgreSQL 9.1.9 未満の 9.1.x

PostgreSQL 9.2.4 未満の 9.2.x

アップル

Apple Mac OS X v10.7.5

Apple Mac OS X v10.8 から v10.8.4

Apple Mac OS X Server v10.7.5

macOS Server (旧 OS X Server) v2.2.2 未満 (Apple Mac OS X v10.8 以降)

Canonical

Ubuntu 10.04 LTS

Ubuntu 11.10

Ubuntu 12.04 LTS

Ubuntu 12.10

Ubuntu 8.04 LTS

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-1900	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900
National Vulnerability Database (NVD)
2	CVE-2013-1900	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1900

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-189	https://jvndb.jvn.jp/ja/cwe/CWE-189.html

ベンダー情報

No	Name	URL
Apple Mailing Lists
1	APPLE-SA-2013-09-12-1	http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
2	APPLE-SA-2013-09-17-1	http://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html
Apple Security Updates
3	HT5880	http://support.apple.com/kb/HT5880
4	HT5892	http://support.apple.com/kb/HT5892
Apple セキュリティアップデート
5	HT5880	http://support.apple.com/kb/HT5880?viewlocale=ja_JP
6	HT5892	http://support.apple.com/kb/HT5892?viewlocale=ja_JP
Debian セキュリティ勧告
7	DSA-2657	http://www.debian.org/security/2013/dsa-2657
8	DSA-2658	http://www.debian.org/security/2013/dsa-2658
Fedora Update Notification
9	FEDORA-2013-5000	https://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html
10	FEDORA-2013-6148	https://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html
opensuse-security-announce
11	openSUSE-SU-2013:0627	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html
12	openSUSE-SU-2013:0628	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html
13	openSUSE-SU-2013:0635	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html
14	SUSE-SU-2013:0633	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html
PostgreSQL
15	PostgreSQL 9.2.4, 9.1.9, 9.0.13 and 8.4.17 released	http://www.postgresql.org/about/news/1456/
PostgreSQL Release Notes
16	Release 8.4.17	http://www.postgresql.org/docs/current/static/release-8-4-17.html
17	Release 9.0.13	http://www.postgresql.org/docs/current/static/release-9-0-13.html
18	Release 9.1.9	http://www.postgresql.org/docs/current/static/release-9-1-9.html
19	Release 9.2.4	http://www.postgresql.org/docs/current/static/release-9-2-4.html
Red Hat Bugzilla
20	Bug 929255	https://bugzilla.redhat.com/show_bug.cgi?id=929255
Red Hat Security Advisory
21	RHSA-2013:1475	http://rhn.redhat.com/errata/RHSA-2013-1475.html
Security Advisories
22	MDVSA-2013:142	http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:142/?name=MDVSA-2013:142
Ubuntu Security Notice
23	USN-1789-1	http://www.ubuntu.com/usn/USN-1789-1

Change Log

No	Changed Details	Date of change
0	[2013年04月05日] 掲載 [2013年04月26日] ベンダ情報：Debian (DSA-2658) を追加ベンダ情報：Debian (DSA-2657) を追加ベンダ情報：Novell (openSUSE-SU-2013:0635) を追加ベンダ情報：Novell (SUSE-SU-2013:0633) を追加ベンダ情報：Novell (openSUSE-SU-2013:0628) を追加ベンダ情報：Novell (openSUSE-SU-2013:0627) を追加 [2013年10月09日] 影響を受けるシステム：アップル (HT5880) の情報を追加影響を受けるシステム：アップル (HT5892) の情報を追加ベンダ情報：アップル (HT5880) を追加ベンダ情報：アップル (HT5892) を追加ベンダ情報：アップル (APPLE-SA-2013-09-17-1) を追加ベンダ情報：アップル (APPLE-SA-2013-09-12-1) を追加 [2013年12月05日] ベンダ情報：Fedora Project (FEDORA-2013-5000) を追加ベンダ情報：Fedora Project (FEDORA-2013-6148) を追加ベンダ情報：Mandriva, Inc. (MDVSA-2013:142) を追加 [2014年03月06日] ベンダ情報：レッドハット (Bug 929255) を追加ベンダ情報：レッドハット (RHSA-2013:1475) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-1900

Summary	PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the "contrib/pgcrypto functions."
Publication Date	April 5, 2013, 2:55 a.m.
Registration Date	Jan. 26, 2021, 3:37 p.m.
Last Update	Nov. 21, 2024, 10:50 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:postgresql:postgresql:9.2.1:::::::*
cpe:2.3:a:postgresql:postgresql:9.2.3:::::::*
cpe:2.3:a:postgresql:postgresql:9.2:::::::*
cpe:2.3:a:postgresql:postgresql:9.2.2:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:postgresql:postgresql:9.1.4:::::::*
cpe:2.3:a:postgresql:postgresql:9.1:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.5:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.8:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.2:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.6:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.7:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.3:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.1:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:postgresql:postgresql:9.0.11:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.7:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.6:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.10:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.4:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.9:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.1:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.3:::::::*
cpe:2.3:a:postgresql:postgresql:9.0:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.2:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.5:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.12:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.8:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:postgresql:postgresql:8.4.8:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.4:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.1:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.9:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.3:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.10:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.11:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.6:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.15:::::::*
cpe:2.3:a:postgresql:postgresql:8.4:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.12:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.14:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.5:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.7:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.2:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.16:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.13:::::::*

Configuration5	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:8.04:-:lts:::::*
cpe:2.3:o:canonical:ubuntu_linux:11.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:::::*
cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
2	http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
3	http://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html
4	http://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html
5	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html
6	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html
7	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html
8	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html
9	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html
10	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html
11	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html
12	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html
13	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html
14	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html
15	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html
16	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html
17	http://rhn.redhat.com/errata/RHSA-2013-1475.html
18	http://rhn.redhat.com/errata/RHSA-2013-1475.html
19	http://support.apple.com/kb/HT5880
20	http://support.apple.com/kb/HT5880
21	http://support.apple.com/kb/HT5892
22	http://support.apple.com/kb/HT5892
23	http://www.debian.org/security/2013/dsa-2657
24	http://www.debian.org/security/2013/dsa-2657
25	http://www.debian.org/security/2013/dsa-2658
26	http://www.debian.org/security/2013/dsa-2658
27	http://www.mandriva.com/security/advisories?name=MDVSA-2013:142
28	http://www.mandriva.com/security/advisories?name=MDVSA-2013:142
29	http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
30	http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
31	http://www.postgresql.org/about/news/1456/	Vendor Advisory
32	http://www.postgresql.org/about/news/1456/	Vendor Advisory
33	http://www.postgresql.org/docs/current/static/release-8-4-17.html
34	http://www.postgresql.org/docs/current/static/release-8-4-17.html
35	http://www.postgresql.org/docs/current/static/release-9-0-13.html
36	http://www.postgresql.org/docs/current/static/release-9-0-13.html
37	http://www.postgresql.org/docs/current/static/release-9-1-9.html
38	http://www.postgresql.org/docs/current/static/release-9-1-9.html
39	http://www.postgresql.org/docs/current/static/release-9-2-4.html
40	http://www.postgresql.org/docs/current/static/release-9-2-4.html
41	http://www.ubuntu.com/usn/USN-1789-1
42	http://www.ubuntu.com/usn/USN-1789-1

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-189	数値処理の問題	https://cwe.mitre.org/data/definitions/189.html

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:postgresql:postgresql:9.1.4:::::::*
cpe:2.3:a:postgresql:postgresql:9.1:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.5:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.8:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.2:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.6:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.7:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.3:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.1:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:postgresql:postgresql:9.0.11:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.7:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.6:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.10:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.4:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.9:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.1:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.3:::::::*
cpe:2.3:a:postgresql:postgresql:9.0:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.2:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.5:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.12:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.8:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:postgresql:postgresql:8.4.8:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.4:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.1:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.9:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.3:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.10:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.11:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.6:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.15:::::::*
cpe:2.3:a:postgresql:postgresql:8.4:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.12:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.14:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.5:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.7:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.2:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.16:::::::*
cpe:2.3:a:postgresql:postgresql:8.4.13:::::::*