Mageia 2019-0225: postgresql security update

    Date: 18 Aug 2019
    Category: Mageia
    Posted By: LinuxSecurity Advisories
    MGASA-2019-0225 - Updated postgresql packages fix security vulnerabilities
    
    Publication date: 18 Aug 2019
    URL: https://advisories.mageia.org/MGASA-2019-0225.html
    Type: security
    Affected Mageia releases: 6, 7
    CVE: CVE-2019-10208,
         CVE-2019-10209
    
    Updated postgresql packages fix security vulnerabilities:
    
    Given a suitable SECURITY DEFINER function, an attacker can execute
    arbitrary SQL under the identity of the function owner. An attack requires
    EXECUTE permission on the function, which must itself contain a function
    call having inexact argument type match. For example, length('foo'::varchar)
    and length('foo') are inexact, while length('foo'::text) is exact
    (CVE-2019-10208).
    
    In a database containing hypothetical, user-defined hash equality operators,
    an attacker could read arbitrary bytes of server memory. For an attack to
    become possible, a superuser would need to create unusual operators. It is
    possible for operators not purpose-crafted for attack to have the properties
    that enable an attack, but we are not aware of specific examples
    (CVE-2019-10209).
    
    This update also fixes over 40 bugs that were reported in the last several
    months.  See the upstream release notes for details.
    
    References:
    - https://bugs.mageia.org/show_bug.cgi?id=25260
    - https://www.postgresql.org/docs/9.4/release-9-4-24.html
    - https://www.postgresql.org/docs/9.6/release-9-6-15.html
    - https://www.postgresql.org/docs/11/release-11-5.html
    - https://www.postgresql.org/about/news/1960/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10208
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10209
    
    SRPMS:
    - 7/core/postgresql9.6-9.6.15-1.mga7
    - 7/core/postgresql11-11.5-1.mga7
    - 6/core/postgresql9.4-9.4.24-1.mga6
    - 6/core/postgresql9.6-9.6.15-1.mga6
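
One way to scope exposure to CVE-2019-10208 while the update is being rolled out, as an added example that is not part of the Mageia advisory: the first query compares the running server with the fixed releases listed under SRPMS, and the second lists the SECURITY DEFINER functions in the current database with their owner and whether PUBLIC holds EXECUTE. It assumes only the standard system catalogs and must be run in each database, because catalog contents are per database.

```sql
-- Added example for CVE-2019-10208 triage; not part of the advisory.

-- 1. Is the server at or above the fixed minor release for its branch?
--    Thresholds are the package versions listed under SRPMS.
SELECT current_setting('server_version') AS server_version,
       CASE
         WHEN v BETWEEN  90400 AND  90499 THEN v >=  90424  -- 9.4.24
         WHEN v BETWEEN  90600 AND  90699 THEN v >=  90615  -- 9.6.15
         WHEN v BETWEEN 110000 AND 119999 THEN v >= 110005  -- 11.5
       END AS at_fixed_release  -- NULL: branch not shipped in this advisory
FROM (SELECT current_setting('server_version_num')::int AS v) AS s;

-- 2. SECURITY DEFINER functions outside the system schemas.
--    The advisory's precondition is EXECUTE permission on such a function,
--    so rows with public_can_execute = true are reachable by any role that
--    can connect, and rows with owner_is_superuser = true carry the most
--    privilege. Review those first.
SELECT n.nspname                                 AS schema_name,
       p.proname                                 AS function_name,
       pg_get_function_identity_arguments(p.oid) AS arguments,
       r.rolname                                 AS owner,
       r.rolsuper                                AS owner_is_superuser,
       -- 'public' names the PUBLIC pseudo-role; the casts make the
       -- argument types match the (name, oid, text) signature exactly.
       has_function_privilege('public'::name, p.oid, 'EXECUTE'::text)
                                                 AS public_can_execute
FROM pg_proc AS p
JOIN pg_namespace AS n ON n.oid = p.pronamespace
JOIN pg_roles     AS r ON r.oid = p.proowner
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY r.rolsuper DESC, public_can_execute DESC, n.nspname, p.proname;
```

The second query reports which functions meet the advisory's stated preconditions, not whether a given function body contains an inexact-match call; installing the updated packages remains the fix.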
    
