From: | Michael Banck <michael(dot)banck(at)credativ(dot)de> |
---|---|
To: | "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, pgsql-advocacy(at)lists(dot)postgresql(dot)org |
Subject: | Re: PostgreSQL 11.1, 10.6, 9.6.11, 9.5.15, 9.4.20, and 9.3.25 Released! |
Date: | 2018-11-09 09:45:16 |
Message-ID: | 1541756716.8363.3.camel@credativ.de |
Lists: | pgsql-advocacy pgsql-announce |
Hi,
following up to -advocacy.
On Thursday, 08.11.2018, 08:38 -0500, Jonathan S. Katz wrote:
> The PostgreSQL Global Development Group has released an update to all
> supported versions of our database system, including 11.1, 10.6, 9.6.11,
> 9.5.15, 9.4.20, and 9.3.25. This release fixes one security issue as
> well as bugs reported over the last three months.
[...]
> Security Issues
> ---------------
>
> One security vulnerability has been closed by this release:
>
> * CVE-2018-16850: SQL injection in `pg_upgrade` and `pg_dump`, via
> `CREATE TRIGGER ... REFERENCING`.
>
> Using a purpose-crafted trigger definition, an attacker can run
> arbitrary SQL statements with superuser privileges when a superuser runs
> `pg_upgrade` on the database or during a pg_dump dump/restore cycle.
> This attack requires a `CREATE` privilege on some non-temporary schema
> or a `TRIGGER` privilege on a table. This is exploitable in the default
> PostgreSQL configuration, where all users have `CREATE` privilege on
> `public` schema.
AIUI, this security issue only affects v10 and v11, but this is not
clear from the announcement AFAICT, unless I missed it?
I think it would be good to mention the exact versions that are affected
by a CVE in the announcement; of course it is always possible to inspect
the individual release notes, but having the information up front would
be nice (again, unless I am missing something).
Michael
--
Michael Banck
Project Manager / Senior Consultant
Tel.: +49 2166 9901-171
Fax: +49 2166 9901-100
Email: michael(dot)banck(at)credativ(dot)de
credativ GmbH, HRB Mönchengladbach 12080
VAT ID number: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
Management: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
Our handling of personal data is subject to
the following provisions: https://www.credativ.de/datenschutz
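An added audit query, not part of the announcement or of this thread, that checks the two preconditions the quoted advisory names on a PostgreSQL 10 or 11 instance: whether PUBLIC still holds CREATE on the public schema, and which user-defined triggers use REFERENCING transition tables (the pg_trigger columns tgoldtable and tgnewtable, present since PostgreSQL 10). The schema and trigger names in the output are whatever the instance holds; nothing here is assumed beyond the system catalogs.

```sql
-- 1. Is the instance in the default configuration the advisory describes,
--    i.e. does the PUBLIC pseudo-role (grantee OID 0) hold CREATE on "public"?
--    A fresh database carries an explicit ACL on "public"; COALESCE covers a
--    NULL ACL by expanding the owner-only default.
SELECT n.nspname,
       a.privilege_type,
       pg_get_userbyid(a.grantor) AS grantor
FROM   pg_namespace n,
       aclexplode(COALESCE(n.nspacl, acldefault('n', n.nspowner))) AS a
WHERE  n.nspname = 'public'
  AND  a.grantee = 0
  AND  a.privilege_type = 'CREATE';
-- Any row returned means every role can create objects in "public".

-- 2. Which non-internal triggers declare transition tables (REFERENCING ...),
--    who owns the table they are attached to, and is that owner a superuser?
--    Review these before a superuser runs pg_upgrade or a pg_dump/restore cycle.
SELECT n.nspname                    AS schema_name,
       c.relname                    AS table_name,
       t.tgname                     AS trigger_name,
       pg_get_userbyid(c.relowner)  AS table_owner,
       r.rolsuper                   AS owner_is_superuser,
       pg_get_triggerdef(t.oid)     AS definition
FROM   pg_trigger t
JOIN   pg_class     c ON c.oid = t.tgrelid
JOIN   pg_namespace n ON n.oid = c.relnamespace
JOIN   pg_roles     r ON r.oid = c.relowner
WHERE  NOT t.tgisinternal
  AND  (t.tgoldtable IS NOT NULL OR t.tgnewtable IS NOT NULL)
ORDER  BY owner_is_superuser, schema_name, table_name, trigger_name;

-- 3. Removing the default precondition named in the advisory, in addition to
--    applying the released minor version:
-- REVOKE CREATE ON SCHEMA public FROM PUBLIC;
```

Run as a superuser so the catalog views are complete; the REVOKE in step 3 is left commented out because it changes behaviour for every role on the instance.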