Gentoo Archives: gentoo-announce

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201810-08 ] PostgreSQL: Multiple vulnerabilities
Date: Tue, 30 Oct 2018 21:06:42
Message-Id: 794e8227-2340-4895-4f13-029ab38694d7@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201810-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: PostgreSQL: Multiple vulnerabilities
      Date: October 30, 2018
      Bugs: #603716, #603720, #664332
        ID: 201810-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in PostgreSQL, the worst of
which could lead to privilege escalation.

Background
==========

PostgreSQL is an open source object-relational database management
system.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-db/postgresql          < 10.5                  >= 9.3.24:9.3
                                                        >= 9.4.19:9.4
                                                        >= 9.5.14:9.5
                                                        >= 9.6.10:9.6
                                                        >= 10.5:10
    -------------------------------------------------------------------

Description
===========

Multiple vulnerabilities have been discovered in PostgreSQL. Please
review the referenced CVE identifiers for details.

In addition, it was discovered that Gentoo's PostgreSQL installation
suffered from a privilege escalation vulnerability due to a runscript
which called OpenRC's checkpath() on a user-controlled path and allowed
the user running PostgreSQL to kill arbitrary processes via PID file
manipulation.
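
The local issue described above comes down to a root-run stop routine
trusting a PID file that the service user can write. The following POSIX
shell is an added example, not text from this GLSA and not Gentoo's
PostgreSQL runscript: it contrasts the unchecked pattern with a stop
routine that validates the PID before signalling it. It assumes a Linux
/proc filesystem, uses illustrative function names, and does not model
the checkpath() part of the bug.

```shell
#!/bin/sh
# Added example (not the GLSA's text or Gentoo's runscript): a stop
# routine run as root that signals whatever PID a service-user-writable
# file names lets that user kill any process. The hardened variant
# validates the PID against /proc (Linux only) before using it.
# Function names are illustrative.

# Vulnerable pattern: returns the PID exactly as written in the file.
# A runscript that then runs `kill "$pid"` as root trusts the file's author.
pid_from_file_unchecked() {
    head -n1 "$1" 2>/dev/null
}

# Hardened pattern: accept the PID only if it is numeric, not PID 0/1,
# currently running, owned by the expected user (name or numeric UID)
# and executing the expected command name.
# Prints the PID on success, returns 1 otherwise.
validated_pid() {
    pidfile=$1
    expected_user=$2
    expected_comm=$3

    pid=$(head -n1 "$pidfile" 2>/dev/null | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;            # empty or not a number
    esac
    [ "$pid" -gt 1 ] || return 1            # never signal init (or PID 0)
    [ -r "/proc/$pid/status" ] || return 1  # process must exist

    case $expected_user in
        *[!0-9]*) expected_uid=$(id -u "$expected_user" 2>/dev/null) || return 1 ;;
        *)        expected_uid=$expected_user ;;
    esac
    # Real UID is the first numeric field of the "Uid:" line in /proc/PID/status.
    actual_uid=$(awk '$1 == "Uid:" { print $2 }' "/proc/$pid/status" 2>/dev/null)
    actual_comm=$(cat "/proc/$pid/comm" 2>/dev/null)

    [ "$actual_uid" = "$expected_uid" ] || return 1
    [ "$actual_comm" = "$expected_comm" ] || return 1
    printf '%s\n' "$pid"
}

# Safe stop: only a PID that passed validation is ever signalled.
stop_service() {
    pid=$(validated_pid "$1" "$2" "$3") || return 1
    kill -TERM "$pid"
}
```

In a real runscript the owner check would use the service account and
the command name of the server binary. Keeping the PID file in a
root-owned directory that the service user cannot replace removes most
of the problem; checking the target process before signalling it is
still cheap insurance against a stale or tampered file.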

Impact
======

A remote attacker could bypass certain client-side connection security
features, read arbitrary server memory or alter certain data.

In addition, a local attacker could gain privileges or cause a Denial
of Service condition by killing arbitrary processes.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PostgreSQL 9.3 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.3.24:9.3"

All PostgreSQL 9.4 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.19:9.4"

All PostgreSQL 9.5 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.14:9.5"

All PostgreSQL 9.6 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.10:9.6"

All PostgreSQL 10 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.5:10"

References
==========

[ 1 ] CVE-2018-10915
      https://nvd.nist.gov/vuln/detail/CVE-2018-10915
[ 2 ] CVE-2018-10925
      https://nvd.nist.gov/vuln/detail/CVE-2018-10925
[ 3 ] CVE-2018-1115
      https://nvd.nist.gov/vuln/detail/CVE-2018-1115

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/201810-08

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature