PostgreSQL: SQL injection

2018-11-30T00:00:00
ID GLSA-201811-24
Type gentoo
Reporter Gentoo Foundation
Modified 2018-11-30T00:00:00

Description

Background

PostgreSQL is an open source object-relational database management system.

Description

A vulnerability was discovered in PostgreSQL’s pg_upgrade and pg_dump.

Impact

An attacker, by enticing a user to process a specially crafted trigger definition, can execute arbitrary SQL statements with superuser privileges.

Workaround

There is no known workaround at this time.

Resolution

All PostgreSQL 9.3.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.3.25"

All PostgreSQL 9.4.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.20"

All PostgreSQL 9.5.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.15"

All PostgreSQL 9.6.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.11"

All PostgreSQL 10.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.6"

All PostgreSQL 11.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.1"