logo
DATABASE RESOURCES PRICING ABOUT US

PostgreSQL: Multiple vulnerabilities

Description

### Background PostgreSQL is an open source object-relational database management system. ### Description Multiple vulnerabilities have been discovered in PostgreSQL. Please review the referenced CVE identifiers for details. In addition it was discovered that Gentoo’s PostgreSQL installation suffered from a privilege escalation vulnerability due to a runscript which called OpenRC’s checkpath() on a user controlled path and allowed user running PostgreSQL to kill arbitrary processes via PID file manipulation. ### Impact A remote attacker could bypass certain client-side connection security features, read arbitrary server memory or alter certain data. In addition, a local attacker could gain privileges or cause a Denial of Service condition by killing arbitrary processes. ### Workaround There is no known workaround at this time. ### Resolution All PostgreSQL users up to 9.3 should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.3.24:9.3" All PostgreSQL 9.4 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.19:9.4" All PostgreSQL 9.5 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.14:9.5" All PostgreSQL 9.6 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.10:9.6" All PostgreSQL 10 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.5:10"


Affected Package


OS OS Version Package Name Package Version
Gentoo any dev-db/postgresql 10.5

Related