logo
DATABASE RESOURCES PRICING ABOUT US

Updated postgresql9.4|6 packages fix security vulnerabilities

Description

A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database (CVE-2018-1058). Postgresql 9.6.x before 9.6.9 is vulnerable in the adminpack extension, the pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs than pg_rorate_logfile. If the adminpack is added to a database, an attacker able to connect to it could exploit this to force log rotation (CVE-2018-1115). Andrew Krasichkov discovered that libpq did not reset all its connection state during reconnects (CVE-2018-10915). It was discovered that some "CREATE TABLE" statements could disclose server memory (CVE-2018-10925). Fully fixing these security issues requires manual intervention. See the upstream advisories for details.


Affected Package


OS OS Version Package Name Package Version
Mageia 6 postgresql9.4 9.4.19-1
Mageia 6 postgresql9.6 9.6.10-3

Related