Mageia: 2019-0189 Moderate: PostgreSQL Security Issues Fix
mageia
June 10, 2019
Updated postgresql packages fix security vulnerabilities CVE-2019-10129: Memory disclosure in partition routing Prior to this release, a user running PostgreSQL 11 can read arbitr...
Summary
Updated postgresql packages fix security vulnerabilities
CVE-2019-10129: Memory disclosure in partition routing
Prior to this release, a user running PostgreSQL 11 can read arbitrary
bytes of server memory by executing a purpose-crafted INSERT statement
to a partitioned table.
CVE-2019-10130: Selectivity estimators bypass row security policies
PostgreSQL maintains statistics for tables by sampling data available in
columns; this data is consulted during the query planning process. Prior
to this release, a user able to execute SQL queries with permissions to
read a given column could craft a leaky operator that could read whatever
data had been sampled from that column. If this happened to include values
from rows that the user is forbidden to see by a row security policy, the
user could effectively bypass the policy. This is fixed by only allowing
a non-leakproof operator to use this data if there are no relevant row
security policies for the table.
References
- https://bugs.mageia.org/show_bug.cgi?id=24798
- https://www.cve.org/CVERecord?id=CVE-2019-10129
- https://www.cve.org/CVERecord?id=CVE-2019-10130
Topics Covered
Resolution
SRPMS
- 6/core/postgresql9.4-9.4.22-1.mga6
- 6/core/postgresql9.6-9.6.13-3.mga6
PREVIOUS
NEXT
Publication date: 10 Jun 2019
URL: https://advisories.mageia.org/MGASA-2019-0189.html
Type: security
CVE: CVE-2019-10129,
CVE-2019-10130
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!