Link Following Affecting postgresql-common package, versions <154ubuntu1.1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-UBUNTU1404-POSTGRESQLCOMMON-271529
- published5 Dec 2017
- disclosed5 Dec 2017
Introduced: 5 Dec 2017
CVE-2016-1255 (opens in a new tab)How to fix?
Upgrade Ubuntu:14.04 postgresql-common to version 154ubuntu1.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream postgresql-common package and not the postgresql-common package as distributed by Ubuntu.
See How to fix? for Ubuntu:14.04 relevant fixed versions and status.
The pg_ctlcluster script in postgresql-common package in Debian wheezy before 134wheezy5, in Debian jessie before 165+deb8u2, in Debian unstable before 178, in Ubuntu 12.04 LTS before 129ubuntu1.2, in Ubuntu 14.04 LTS before 154ubuntu1.1, in Ubuntu 16.04 LTS before 173ubuntu0.1, in Ubuntu 17.04 before 179ubuntu0.1, and in Ubuntu 17.10 before 184ubuntu1.1 allows local users to gain root privileges via a symlink attack on a logfile in /var/log/postgresql.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-1255
- https://lists.debian.org/debian-lts-announce/2017/01/msg00002.html
- https://security-tracker.debian.org/tracker/CVE-2016-1255
- https://anonscm.debian.org/cgit/pkg-postgresql/postgresql-common.git/commit/?id=c8989206ec360f199400c74f129f7b4cb878c1ee
- http://www.ubuntu.com/usn/USN-3476-1
- http://www.ubuntu.com/usn/USN-3476-2