GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Wed Oct 31, 2018 12:26 am Post subject: [ GLSA 201810-08 ] PostgreSQL |
|
|
Gentoo Linux Security Advisory
Title: PostgreSQL: Multiple vulnerabilities (GLSA 201810-08)
Severity: high
Exploitable: local, remote
Date: 2018-10-30
Bug(s): #603716, #603720, #664332
ID: 201810-08
Synopsis
Multiple vulnerabilities have been found in PostgreSQL, the worst
which could lead to privilege escalation.
Background
PostgreSQL is an open source object-relational database management
system.
Affected Packages
Package: dev-db/postgresql
Vulnerable: < 10.5
Unaffected: >= 9.3.24
Unaffected: >= 9.4.19
Unaffected: >= 9.5.14
Unaffected: >= 9.6.10
Unaffected: >= 10.5
Architectures: All supported architectures
Description
Multiple vulnerabilities have been discovered in PostgreSQL. Please
review the referenced CVE identifiers for details.
In addition it was discovered that Gentoo’s PostgreSQL installation
suffered from a privilege escalation vulnerability due to a runscript
which called OpenRC’s checkpath() on a user controlled path and allowed
user running PostgreSQL to kill arbitrary processes via PID file
manipulation.
Impact
A remote attacker could bypass certain client-side connection security
features, read arbitrary server memory or alter certain data.
In addition, a local attacker could gain privileges or cause a Denial of
Service condition by killing arbitrary processes.
Workaround
There is no known workaround at this time.
Resolution
All PostgreSQL users up to 9.3 should upgrade to the latest version: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.3.24:9.3"
| All PostgreSQL 9.4 users should upgrade to the latest version: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.19:9.4"
| All PostgreSQL 9.5 users should upgrade to the latest version: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.14:9.5"
| All PostgreSQL 9.6 users should upgrade to the latest version: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.10:9.6"
| All PostgreSQL 10 users should upgrade to the latest version: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.5:10"
|
References
CVE-2018-10915
CVE-2018-10925
CVE-2018-1115 |
|