Mageia 2019-0189: postgresql security update

    Date: 10 Jun 2019
    Category: Mageia
    Posted By: LinuxSecurity Advisories
    MGASA-2019-0189 - Updated postgresql packages fix security vulnerabilities
    
    Publication date: 10 Jun 2019
    URL: https://advisories.mageia.org/MGASA-2019-0189.html
    Type: security
    Affected Mageia releases: 6
    CVE: CVE-2019-10129,
         CVE-2019-10130
    
    Updated postgresql packages fix security vulnerabilities
    
    CVE-2019-10129: Memory disclosure in partition routing
    Prior to this release, a user running PostgreSQL 11 can read arbitrary
    bytes of server memory by executing a purpose-crafted INSERT statement
    to a partitioned table.
    
    CVE-2019-10130: Selectivity estimators bypass row security policies
    PostgreSQL maintains statistics for tables by sampling data available in
    columns; this data is consulted during the query planning process. Prior
    to this release, a user able to execute SQL queries with permissions to
    read a given column could craft a leaky operator that could read whatever
    data had been sampled from that column. If this happened to include values
    from rows that the user is forbidden to see by a row security policy, the
    user could effectively bypass the policy. This is fixed by only allowing
    a non-leakproof operator to use this data if there are no relevant row
    security policies for the table.
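
To scope exposure to CVE-2019-10130 on an instance, the catalog queries below list the tables that have row security enabled together with how many of their columns hold sampled planner statistics, and the user-created operators whose underlying function is not marked leakproof. This is an added example, not part of the Mageia advisory; it assumes a superuser session (pg_statistic is not readable otherwise) on PostgreSQL 9.5 or later, where the row security catalogs exist.

```sql
-- Added audit example (not from the advisory).
-- Assumes: superuser session, PostgreSQL 9.5 or later.

-- 1. Tables protected by row security policies, with the number of policies
--    and the number of columns that currently have sampled statistics stored.
SELECT n.nspname             AS schema_name,
       c.relname             AS table_name,
       c.relforcerowsecurity AS forced_for_owner,
       (SELECT count(*)
          FROM pg_policy p
         WHERE p.polrelid = c.oid)  AS policies,
       (SELECT count(DISTINCT s.staattnum)
          FROM pg_statistic s
         WHERE s.starelid = c.oid)  AS columns_with_stats
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
 WHERE c.relkind IN ('r', 'p')   -- ordinary and partitioned tables
   AND c.relrowsecurity
 ORDER BY schema_name, table_name;

-- 2. User-created operators backed by a function that is not leakproof.
--    OIDs below 16384 are assigned at initdb time, so they are excluded.
SELECT o.oid::regoperator  AS operator,
       o.oprowner::regrole AS owner,
       o.oprcode           AS function,
       o.oprrest           AS restriction_estimator
  FROM pg_operator o
  JOIN pg_proc f ON f.oid = o.oprcode
 WHERE o.oid >= 16384
   AND NOT f.proleakproof
 ORDER BY owner, operator;
```

Rows from the first query are the tables whose policies the fix protects; rows from the second are worth reviewing against who owns them and whether those roles are expected to define operators at all.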
    
    References:
    - https://bugs.mageia.org/show_bug.cgi?id=24798
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10129
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10130
    
    SRPMS:
    - 6/core/postgresql9.4-9.4.22-1.mga6
    - 6/core/postgresql9.6-9.6.13-3.mga6
    
