MGASA-2018-0446

Source
https://advisories.mageia.org/MGASA-2018-0446.html
Import Source
https://advisories.mageia.org/MGASA-2018-0446.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2018-0446
Related
Published
2018-11-15T22:04:32Z
Modified
2018-11-15T21:36:30Z
Summary
Updated postgresql9.4|6 packages fix security vulnerabilities
Details

A flaw was found in the way PostgreSQL allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of the database superuser (CVE-2018-1058).

PostgreSQL 9.6.x before 9.6.9 is vulnerable in the adminpack extension: the pg_catalog.pg_logfile_rotate() function does not follow the same ACLs as pg_rotate_logfile(). If adminpack is added to a database, an attacker able to connect to it could exploit this to force log rotation (CVE-2018-1115).

Andrew Krasichkov discovered that libpq did not reset all its connection state during reconnects (CVE-2018-10915).

It was discovered that some "CREATE TABLE" statements could disclose server memory (CVE-2018-10925).

Fully fixing these security issues requires manual intervention. See the upstream advisories for details.

References
Credits

Affected packages

Mageia:6 / postgresql9.4

Package

Name
postgresql9.4
Purl
pkg:rpm/mageia/postgresql9.4?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
9.4.19-1.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / postgresql9.6

Package

Name
postgresql9.6
Purl
pkg:rpm/mageia/postgresql9.6?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
9.6.10-3.mga6

Ecosystem specific

{
    "section": "core"
}