Updated postgresql9.4|6 packages fix security vulnerabilities

2018-11-1601:04:32

Gentoo Foundation

advisories.mageia.org

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.007 Low

EPSS

Percentile

80.4%

JSON

A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database (CVE-2018-1058). Postgresql 9.6.x before 9.6.9 is vulnerable in the adminpack extension, the pg_catalog.pg_logfile_rotate() function doesn’t follow the same ACLs than pg_rorate_logfile. If the adminpack is added to a database, an attacker able to connect to it could exploit this to force log rotation (CVE-2018-1115). Andrew Krasichkov discovered that libpq did not reset all its connection state during reconnects (CVE-2018-10915). It was discovered that some “CREATE TABLE” statements could disclose server memory (CVE-2018-10925). Fully fixing these security issues requires manual intervention. See the upstream advisories for details.

OSVersionArchitecturePackageVersionFilename
Mageia6noarchpostgresql9.4< 9.4.19-1postgresql9.4-9.4.19-1.mga6
Mageia6noarchpostgresql9.6< 9.6.10-3postgresql9.6-9.6.10-3.mga6