PostgreSQL: Multiple vulnerabilities

Background

PostgreSQL is an open source object-relational database management system.

Description

Multiple vulnerabilities have been discovered in PostgreSQL. Please review the referenced CVE identifiers for details.

In addition it was discovered that Gentoo’s PostgreSQL installation suffered from a privilege escalation vulnerability due to a runscript which called OpenRC’s checkpath() on a user controlled path and allowed user running PostgreSQL to kill arbitrary processes via PID file manipulation.

Impact

A remote attacker could bypass certain client-side connection security features, read arbitrary server memory or alter certain data.

In addition, a local attacker could gain privileges or cause a Denial of Service condition by killing arbitrary processes.

Workaround

There is no known workaround at this time.

Resolution

All PostgreSQL users up to 9.3 should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.3.24:9.3"

All PostgreSQL 9.4 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.19:9.4"

All PostgreSQL 9.5 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.14:9.5"

All PostgreSQL 9.6 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.10:9.6"

All PostgreSQL 10 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.5:10"