From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Huong Dangminh <huo-dangminh(at)ys(dot)jp(dot)nec(dot)com> |
Cc: | Stephen Frost <sfrost(at)postgresql(dot)org>, "pgsql-bugs(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org>, Akio Iwaasa <aki-iwaasa(at)vt(dot)jp(dot)nec(dot)com> |
Subject: | Re: PostgreSQL 2018-05-10 Security Update Release |
Date: | 2018-05-25 08:16:20 |
Message-ID: | CABUevEwMAR9019bJiZxq4o6VtEMzzmtwfJbX=FBOCWjrnh2Neg@mail.gmail.com |
Lists: | pgsql-announce pgsql-bugs |
On Fri, May 25, 2018 at 4:00 AM, Huong Dangminh <huo-dangminh(at)ys(dot)jp(dot)nec(dot)com>
wrote:
> Hi,
>
> > -----Original Message-----
> > From: Stephen Frost [mailto:sfrost(at)postgresql(dot)org]
> > Sent: Thursday, May 10, 2018 10:37 PM
> > To: pgsql-announce(at)lists(dot)postgresql(dot)org
> > Subject: PostgreSQL 2018-05-10 Security Update Release
> >
> > Security Issues
> > ---------------
> >
> > One security vulnerability has been closed by this release:
> >
> > * CVE-2018-1115: Too-permissive access control list on function
> > pg_logfile_rotate()
> >
> > * Security Page: https://www.postgresql.org/support/security/
>
> Thanks for the announcement.
> I think "Component & CVSS v3 Base Score" column for "CVE-2018-1115" was
> wrong.
> The Base Score appears 0.0 but it should be 4.2.
>
> So the link to "nist" should be updated as below?
> - https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:N
> + https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
>
> And the Base Metrics also need to change like?
> - AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:N
> + AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
>
> Or am I missing something?
>
It seems RedHat have changed the CVSS vector from the one that we submitted
to them. The PostgreSQL Security Team assigned the score and vector as is
listed on the PostgreSQL website, so that is the correct one as standing.
I have pinged the RedHat team to see if they did this intentionally, or if
it was a mistake.
--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/