[gentoo-announce] [ GLSA 201811-24 ] PostgreSQL: SQL injection - gentoo-announce

From:	Aaron Bauman <bman@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 201811-24 ] PostgreSQL: SQL injection
Date:	Fri, 30 Nov 2018 09:00:09
Message-Id:	`20181130085646.GB30012@monkey`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201811-24

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: PostgreSQL: SQL injection

9

     Date: November 30, 2018

10

     Bugs: #670724

11

       ID: 201811-24

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A SQL injection in PostgreSQL may allow attackers to execute arbitrary

19

SQL statements.

20

21

Background

22

==========

23

24

PostgreSQL is an open source object-relational database management

25

system.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package              /     Vulnerable     /            Unaffected

32

    -------------------------------------------------------------------

33

  1  dev-db/postgresql           *< 9.3.25                 *>= 9.3.25 

34

                                 *< 9.4.20                 *>= 9.4.20 

35

                                 *< 9.5.15                 *>= 9.5.15 

36

                                 *< 9.6.11                 *>= 9.6.11 

37

                                  *< 10.6                    *>= 10.6 

38

                                   < 11.1                     >= 11.1 

39

40

Description

41

===========

42

43

A vulnerability was discovered in PostgreSQL's pg_upgrade and pg_dump.

44

45

Impact

46

======

47

48

An attacker, by enticing a user to process a specially crafted trigger

49

definition, can execute arbitrary SQL statements with superuser

50

privileges.

51

52

Workaround

53

==========

54

55

There is no known workaround at this time.

56

57

Resolution

58

==========

59

60

All PostgreSQL 9.3.x users should upgrade to the latest version:

61

62

  # emerge --sync

63

  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.3.25"

64

65

All PostgreSQL 9.4.x users should upgrade to the latest version:

66

67

  # emerge --sync

68

  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.20"

69

70

All PostgreSQL 9.5.x users should upgrade to the latest version:

71

72

  # emerge --sync

73

  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.15"

74

75

All PostgreSQL 9.6.x users should upgrade to the latest version:

76

77

  # emerge --sync

78

  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.11"

79

80

All PostgreSQL 10.x users should upgrade to the latest version:

81

82

  # emerge --sync

83

  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.6"

84

85

All PostgreSQL 11.x users should upgrade to the latest version:

86

87

  # emerge --sync

88

  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.1"

89

90

References

91

==========

92

93

[ 1 ] CVE-2018-16850

94

      https://nvd.nist.gov/vuln/detail/CVE-2018-16850

95

96

Availability

97

============

98

99

This GLSA and any updates to it are available for viewing at

100

the Gentoo Security Website:

101

102

 https://security.gentoo.org/glsa/201811-24

103

104

Concerns?

105

=========

106

107

Security is a primary focus of Gentoo Linux and ensuring the

108

confidentiality and security of our users' machines is of utmost

109

importance to us. Any security concerns should be addressed to

110

security@g.o or alternatively, you may file a bug at

111

https://bugs.gentoo.org.

112

113

License

114

=======

115

116

Copyright 2018 Gentoo Foundation, Inc; referenced text

117

belongs to its owner(s).

118

119

The contents of this document are licensed under the

120

Creative Commons - Attribution / Share Alike license.

121

122

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201811-24
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: PostgreSQL: SQL injection
9	Date: November 30, 2018
10	Bugs: #670724
11	ID: 201811-24
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A SQL injection in PostgreSQL may allow attackers to execute arbitrary
19	SQL statements.
20
21	Background
22	==========
23
24	PostgreSQL is an open source object-relational database management
25	system.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 dev-db/postgresql < 9.3.25 >= 9.3.25
34	< 9.4.20 >= 9.4.20
35	< 9.5.15 >= 9.5.15
36	< 9.6.11 >= 9.6.11
37	< 10.6 >= 10.6
38	< 11.1 >= 11.1
39
40	Description
41	===========
42
43	A vulnerability was discovered in PostgreSQL's pg_upgrade and pg_dump.
44
45	Impact
46	======
47
48	An attacker, by enticing a user to process a specially crafted trigger
49	definition, can execute arbitrary SQL statements with superuser
50	privileges.
51
52	Workaround
53	==========
54
55	There is no known workaround at this time.
56
57	Resolution
58	==========
59
60	All PostgreSQL 9.3.x users should upgrade to the latest version:
61
62	# emerge --sync
63	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.3.25"
64
65	All PostgreSQL 9.4.x users should upgrade to the latest version:
66
67	# emerge --sync
68	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.20"
69
70	All PostgreSQL 9.5.x users should upgrade to the latest version:
71
72	# emerge --sync
73	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.15"
74
75	All PostgreSQL 9.6.x users should upgrade to the latest version:
76
77	# emerge --sync
78	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.11"
79
80	All PostgreSQL 10.x users should upgrade to the latest version:
81
82	# emerge --sync
83	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.6"
84
85	All PostgreSQL 11.x users should upgrade to the latest version:
86
87	# emerge --sync
88	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.1"
89
90	References
91	==========
92
93	[ 1 ] CVE-2018-16850
94	https://nvd.nist.gov/vuln/detail/CVE-2018-16850
95
96	Availability
97	============
98
99	This GLSA and any updates to it are available for viewing at
100	the Gentoo Security Website:
101
102	https://security.gentoo.org/glsa/201811-24
103
104	Concerns?
105	=========
106
107	Security is a primary focus of Gentoo Linux and ensuring the
108	confidentiality and security of our users' machines is of utmost
109	importance to us. Any security concerns should be addressed to
110	security@g.o or alternatively, you may file a bug at
111	https://bugs.gentoo.org.
112
113	License
114	=======
115
116	Copyright 2018 Gentoo Foundation, Inc; referenced text
117	belongs to its owner(s).
118
119	The contents of this document are licensed under the
120	Creative Commons - Attribution / Share Alike license.
121
122	https://creativecommons.org/licenses/by-sa/2.5