Re: PostgreSQL 2018-05-10 Security Update Release

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Huong Dangminh <huo-dangminh(at)ys(dot)jp(dot)nec(dot)com>
Cc: Stephen Frost <sfrost(at)postgresql(dot)org>, "pgsql-bugs(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org>, Akio Iwaasa <aki-iwaasa(at)vt(dot)jp(dot)nec(dot)com>
Subject: Re: PostgreSQL 2018-05-10 Security Update Release
Date: 2018-05-25 08:16:20
Message-ID: CABUevEwMAR9019bJiZxq4o6VtEMzzmtwfJbX=FBOCWjrnh2Neg@mail.gmail.com
Lists: pgsql-announce pgsql-bugs

On Fri, May 25, 2018 at 4:00 AM, Huong Dangminh <huo-dangminh(at)ys(dot)jp(dot)nec(dot)com>
wrote:

> Hi,
>
> > -----Original Message-----
> > From: Stephen Frost [mailto:sfrost(at)postgresql(dot)org]
> > Sent: Thursday, May 10, 2018 10:37 PM
> > To: pgsql-announce(at)lists(dot)postgresql(dot)org
> > Subject: PostgreSQL 2018-05-10 Security Update Release
> >
> > Security Issues
> > ---------------
> >
> > One security vulnerability has been closed by this release:
> >
> > * CVE-2018-1115: Too-permissive access control list on function
> > pg_logfile_rotate()
> >
> > * Security Page: https://www.postgresql.org/support/security/
>
> Thanks for the announcement.
> I think the "Component & CVSS v3 Base Score" column for "CVE-2018-1115" was
> wrong.
> The Base Score appears 0.0 but it should be 4.2.
>
> So the link to "nist" should be updated as below?
> - https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:N
> + https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
>
> And the Base Metrics also need to change like this?
> - AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:N
> + AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
>
> Or am I missing something?
>

It seems RedHat have changed the CVSS vector from the one that we submitted
to them. The PostgreSQL Security Team assigned the score and vector as is
listed on the PostgreSQL website, so that is the correct one as standing.

I have pinged the RedHat team to see if they did this intentionally, or if
it was a mistake.

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
