PostgreSQL: Multiple vulnerabilities — GLSA 201810-08

Multiple vulnerabilities have been found in PostgreSQL, the worst which could lead to privilege escalation.

Affected Packages

dev-db/postgresql on all architectures
Affected versions < 10.5
Unaffected versions >= 9.3.24
>= 9.4.19
>= 9.5.14
>= 9.6.10
>= 10.5

Background

PostgreSQL is an open source object-relational database management system.

Description

Multiple vulnerabilities have been discovered in PostgreSQL. Please review the referenced CVE identifiers for details.

In addition it was discovered that Gentoo’s PostgreSQL installation suffered from a privilege escalation vulnerability due to a runscript which called OpenRC’s checkpath() on a user controlled path and allowed user running PostgreSQL to kill arbitrary processes via PID file manipulation.

Impact

A remote attacker could bypass certain client-side connection security features, read arbitrary server memory or alter certain data.

In addition, a local attacker could gain privileges or cause a Denial of Service condition by killing arbitrary processes.

Workaround

There is no known workaround at this time.

Resolution

All PostgreSQL users up to 9.3 should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.3.24:9.3"
 

All PostgreSQL 9.4 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.19:9.4"
 

All PostgreSQL 9.5 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.14:9.5"
 

All PostgreSQL 9.6 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.10:9.6"
 

All PostgreSQL 10 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.5:10"
 

References

Release Date
October 30, 2018

Latest Revision
October 30, 2018: 1

Severity
high

Exploitable
local, remote

Bugzilla entries