CVE-2013-1901 Information

Description

PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions.

Reference

http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html http://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html http://support.apple.com/kb/HT5880 http://support.apple.com/kb/HT5892 http://www.debian.org/security/2013/dsa-2658 http://www.mandriva.com/security/advisories?name=MDVSA-2013:142 http://www.postgresql.org/about/news/1456/ http://www.postgresql.org/docs/current/static/release-9-1-9.html http://www.postgresql.org/docs/current/static/release-9-2-4.html http://www.ubuntu.com/usn/USN-1789-1