A SQL injection in PostgreSQL may allow attackers to execute arbitrary SQL statements.
| Package | dev-db/postgresql on all architectures |
|---|---|
| Affected versions | < 9.3.25, < 9.4.20, < 9.5.15, < 9.6.11, < 10.6, < 11.1 (one range per release branch) |
| Unaffected versions | >= 9.3.25, >= 9.4.20, >= 9.5.15, >= 9.6.11, >= 10.6, >= 11.1 |
PostgreSQL is an open source object-relational database management system.
A vulnerability was discovered in PostgreSQL's pg_dump and in pg_upgrade, which relies on pg_dump to copy the schema.
A user able to create a trigger can craft a trigger definition that pg_dump reproduces in its output without sufficient quoting. When that output is restored, or pg_upgrade replays it, the SQL embedded in the definition executes with the privileges of the restoring user, which is normally a superuser. The attacker therefore only needs to entice a superuser into dumping and restoring, or upgrading, a database that contains the crafted trigger.
There is no known workaround at this time.
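Because no workaround is available, the practical control before restoring a dump taken from an unpatched server is to inspect the dump text itself. The script below is an added example and not code from the advisory or from the PostgreSQL project. It splits a plain-format pg_dump file into per-object sections using the "-- Name: ...; Type: ...;" comment headers that pg_dump writes, and flags any TRIGGER section that contains more than one top-level statement, counting semicolons only outside quoted identifiers, string literals, dollar-quoted strings and comments so that legitimate definitions with embedded semicolons are not reported. The dump text, the role name and the injected ALTER ROLE statement are constructed for illustration and are not derived from the advisory. Note that pg_upgrade generates and restores its schema dump internally, so this check applies to dumps you restore yourself.

```python
import re

# Header block that plain-format pg_dump writes before each object:
#   --
#   -- Name: orders audit_trg; Type: TRIGGER; Schema: public; Owner: alice
#   --
HEADER_RE = re.compile(
    r"^-- Name: (?P<name>.*?); Type: (?P<type>[^;]+); Schema: (?P<schema>[^;]*); Owner: (?P<owner>.*)$",
    re.MULTILINE,
)
# Opening/closing tag of a dollar-quoted string, e.g. $$ or $body$.
DOLLAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)?\$")


def count_statements(sql: str) -> int:
    """Count top-level statements by counting ';' outside quotes and comments."""
    count = 0
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):
            # String literal or quoted identifier; a doubled quote is an escape.
            i += 1
            while i < n:
                if sql[i] == ch:
                    if i + 1 < n and sql[i + 1] == ch:
                        i += 2
                        continue
                    break
                i += 1
            i += 1  # step past the closing quote
        elif sql.startswith("--", i):
            nl = sql.find("\n", i)
            i = n if nl == -1 else nl + 1
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
        elif ch == "$" and DOLLAR_RE.match(sql, i):
            tag = DOLLAR_RE.match(sql, i).group(0)
            end = sql.find(tag, i + len(tag))
            i = n if end == -1 else end + len(tag)
        elif ch == ";":
            count += 1
            i += 1
        else:
            i += 1
    return count


def find_suspicious_trigger_sections(dump: str):
    """Return (schema, name, statement_count) for TRIGGER sections with != 1 statement.

    A CREATE TRIGGER section legitimately holds exactly one statement; anything
    else suggests injected SQL. This is a heuristic, not a proof of safety.
    """
    headers = list(HEADER_RE.finditer(dump))
    findings = []
    for idx, h in enumerate(headers):
        if h.group("type").strip() != "TRIGGER":
            continue
        end = headers[idx + 1].start() if idx + 1 < len(headers) else len(dump)
        stmts = count_statements(dump[h.end():end])
        if stmts != 1:
            findings.append((h.group("schema"), h.group("name"), stmts))
    return findings


# Constructed sample dump (not real pg_dump output). The "bad_trg" section carries
# a placeholder injected statement; "odd;name" shows semicolons that must NOT count.
SAMPLE_DUMP = """--
-- PostgreSQL database dump (constructed sample)
--

--
-- Name: orders; Type: TABLE; Schema: public; Owner: alice
--

CREATE TABLE public.orders (
    id integer NOT NULL,
    note text
);

--
-- Name: orders audit_trg; Type: TRIGGER; Schema: public; Owner: alice
--

CREATE TRIGGER audit_trg AFTER INSERT ON public.orders FOR EACH STATEMENT EXECUTE PROCEDURE public.audit();

--
-- Name: orders bad_trg; Type: TRIGGER; Schema: public; Owner: mallory
--

CREATE TRIGGER bad_trg AFTER INSERT ON public.orders FOR EACH STATEMENT EXECUTE PROCEDURE public.noop();
ALTER ROLE mallory SUPERUSER;

--
-- Name: orders odd;name; Type: TRIGGER; Schema: public; Owner: alice
--

CREATE TRIGGER "odd;name" AFTER INSERT ON public.orders FOR EACH ROW WHEN ((new.note = 'a; b'::text)) EXECUTE PROCEDURE public.audit();
"""

if __name__ == "__main__":
    for schema, name, stmts in find_suspicious_trigger_sections(SAMPLE_DUMP):
        print(f"suspicious trigger section {schema}.{name}: {stmts} statements")
```

Run it against a real file with `find_suspicious_trigger_sections(open("dump.sql").read())`; an empty result means no TRIGGER section contained extra statements, which lowers but does not eliminate the risk, since the injected SQL could in principle be shaped so that it does not introduce a second statement. Upgrading remains the only fix.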
All PostgreSQL 9.3.x users should upgrade to 9.3.25 or later:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.3.25"
All PostgreSQL 9.4.x users should upgrade to 9.4.20 or later:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.20"
All PostgreSQL 9.5.x users should upgrade to 9.5.15 or later:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.15"
All PostgreSQL 9.6.x users should upgrade to 9.6.11 or later:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.11"
All PostgreSQL 10.x users should upgrade to 10.6 or later:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.6"
All PostgreSQL 11.x users should upgrade to 11.1 or later:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.1"
Release date: November 30, 2018
Latest revision: December 03, 2018: 2
Severity: normal
Exploitable: remote
Bugzilla entries: