Mageia 6: 2018-0446 Moderate: PostgreSQL Code Execution Threat

mageia

November 15, 2018

A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users

Summary

A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database (CVE-2018-1058).
Postgresql 9.6.x before 9.6.9 is vulnerable in the adminpack extension, the pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs than pg_rorate_logfile. If the adminpack is added to a database, an attacker able to connect to it could exploit this to force log rotation (CVE-2018-1115).
Andrew Krasichkov discovered that libpq did not reset all its connection state during reconnects (CVE-2018-10915).
It was discovered that some "CREATE TABLE" statements could disclose server memory (CVE-2018-10925).
Fully fixing these security issues requires manual intervention. See the upstream advisories for details.

References

- https://bugs.mageia.org/show_bug.cgi?id=22687

- https://www.postgresql.org/docs/9.4/release-9-4-17.html

- https://www.postgresql.org/docs/9.4/release-9-4-18.html

- https://www.postgresql.org/docs/9.4/release-9-4-19.html

- https://www.postgresql.org/docs/9.6/release-9-6-8.html

- https://www.postgresql.org/docs/9.6/release-9-6-9.html

- https://www.postgresql.org/docs/9.6/release-9-6-10.html

- https://www.postgresql.org/about/news/postgresql-103-968-9512-9417-and-9322-released-1834/

- https://www.postgresql.org/about/news/postgresql-104-969-9513-9418-and-9323-released-1851/

- https://www.postgresql.org/about/news/postgresql-105-9610-9514-9419-9324-and-11-beta-3-released-1878/

- https://lists.debian.org/debian-security-announce/2018/msg00198.html

- https://www.cve.org/CVERecord?id=CVE-2018-1058

- https://www.cve.org/CVERecord?id=CVE-2018-1115

- https://www.cve.org/CVERecord?id=CVE-2018-10915

- https://www.cve.org/CVERecord?id=CVE-2018-10925

Topics Covered

security advisory moderate code execution database postgresql Mageia

Resolution

SRPMS

- 6/core/postgresql9.4-9.4.19-1.mga6

- 6/core/postgresql9.6-9.6.10-3.mga6

Severity

important

Lowest

Low

Medium

High

Critical

Publication date: 15 Nov 2018

URL: https://advisories.mageia.org/MGASA-2018-0446.html

Type: security

CVE: CVE-2018-1058, CVE-2018-1115, CVE-2018-10915, CVE-2018-10925

Topics Covered

security advisory moderate code execution database postgresql Mageia

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Like staying secure? So do we.
Sign up for updates, tips, and alerts!

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

Mageia 6: 2018-0446 Moderate: PostgreSQL Code Execution Threat

Summary

References

Topics Covered

Resolution

SRPMS

Topics Covered

Get the latest News and Insights

Related News

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

Mageia 6: 2018-0446 Moderate: PostgreSQL Code Execution Threat

Summary

References

Topics Covered

Resolution

SRPMS

Topics Covered

Get the latest News and Insights

Related Articles

Related News

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!