CVE-2007-2138 (Medium) :
Untrusted search path vulnerability in PostgreSQL before 7.3.19, 7.4.x before 7.4.17, 8.0.x
before 8.0.13, 8.1.x before 8.1.9, and 8.2.x before 8.2.4 allows remote authenticated users,
when permitted to call a SECURITY DEFINER function, to gain the privileges of the function owner,
related to "search_path settings."
CVE-2007-4769 (Medium) :
The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1
before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows remote authenticated users to
cause a denial of service (backend crash) via an out-of-bounds backref number.
CVE-2007-4772 (Medium) :
The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1
before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows remote authenticated users to
cause a denial of service (infinite loop) via a crafted regular expression.
CVE-2007-6067 (Medium) :
Algorithmic complexity vulnerability in the regular expression parser in TCL before 8.4.17, as
used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19,
allows remote authenticated users to cause a denial of service (memory consumption) via a
crafted "complex" regular expression with doubly-nested states.
CVE-2007-6600 (Medium) :
PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4 before 7.4.19, and 7.3
before 7.3.21 uses superuser privileges instead of table owner privileges for (1) VACUUM and (2)
ANALYZE operations within index functions, and supports (3) SET ROLE and (4) SET SESSION
AUTHORIZATION within index functions, which allows remote authenticated users to gain
privileges.
CVE-2007-6601 (High) :
The DBLink module in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4
before 7.4.19, and 7.3 before 7.3.21, when local trust or ident authentication is used, allows
remote attackers to gain privileges via unspecified vectors. NOTE: this issue exists because of
an incomplete fix for CVE-2007-3278.