Hi,
following up to -advocacy.
On Thursday, 08.11.2018 at 08:38 -0500, Jonathan S. Katz wrote:
> The PostgreSQL Global Development Group has released an update to all
> supported versions of our database system, including 11.1, 10.6, 9.6.11,
> 9.5.15, 9.4.20, and 9.3.25. This release fixes one security issue as
> well as bugs reported over the last three months.
[...]
> Security Issues
> ---------------
>
> One security vulnerability has been closed by this release:
>
> * CVE-2018-16850: SQL injection in `pg_upgrade` and `pg_dump`, via
> `CREATE TRIGGER ... REFERENCING`.
>
> Using a purpose-crafted trigger definition, an attacker can run
> arbitrary SQL statements with superuser privileges when a superuser runs
> `pg_upgrade` on the database or during a pg_dump dump/restore cycle.
> This attack requires a `CREATE` privilege on some non-temporary schema
> or a `TRIGGER` privilege on a table. This is exploitable in the default
> PostgreSQL configuration, where all users have `CREATE` privilege on
> `public` schema.
AIUI, this security issue only affects v10 and v11, but this is not
clear from the announcement AFAICT, unless I missed it?
I think it would be good to mention the exact versions that are affected
by a CVE in the announcement; of course it is always possible to inspect
the individual release notes, but having the information up front would
be nice (again, unless I am missing something).
Michael
--
Michael Banck
Project Manager / Senior Consultant
Tel.: +49 2166 9901-171
Fax: +49 2166 9901-100
Email: michael.banck@credativ.de
credativ GmbH, HRB Mönchengladbach 12080
VAT ID number: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
Management: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
Our handling of personal data is subject to
the following provisions: https://www.credativ.de/datenschutz
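
The privilege precondition quoted from the announcement above (`CREATE` on a non-temporary schema, or `TRIGGER` on a table) can be audited per database with the catalog queries below. This is an added example, not part of the original message or of the PostgreSQL project's announcement; it assumes a superuser session and treats every non-superuser role as untrusted.

```sql
-- Added example (not from the announcement): list the roles that meet the
-- privilege precondition described for CVE-2018-16850. Run once in every
-- database of the cluster; has_*_privilege() also counts grants made to
-- PUBLIC and privileges inherited through role membership or ownership.

-- 1. Non-superuser roles holding CREATE on a non-temporary schema.
SELECT r.rolname AS role_name,
       n.nspname AS schema_name
FROM pg_roles AS r
CROSS JOIN pg_namespace AS n
WHERE NOT r.rolsuper
  AND n.nspname !~ '^pg_(toast_)?temp_'        -- skip per-session temp schemas
  AND has_schema_privilege(r.oid, n.oid, 'CREATE')
ORDER BY role_name, schema_name;

-- 2. Non-superuser roles holding TRIGGER on a table.
SELECT r.rolname        AS role_name,
       c.oid::regclass  AS table_name
FROM pg_roles AS r
CROSS JOIN pg_class AS c
JOIN pg_namespace AS n ON n.oid = c.relnamespace
WHERE NOT r.rolsuper
  AND c.relkind IN ('r', 'p')                  -- ordinary and partitioned tables
  AND c.relpersistence <> 't'                  -- skip temporary tables
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_table_privilege(r.oid, c.oid, 'TRIGGER')
ORDER BY role_name, table_name;

-- 3. Whether the default grant named in the announcement is still in place:
--    true means any role can create objects in schema "public".
SELECT has_schema_privilege('public', 'public', 'CREATE') AS public_can_create;
```

An empty result from queries 1 and 2 means no non-superuser role in that database meets the stated precondition; any rows returned identify the roles whose trigger definitions should be reviewed before a superuser runs `pg_upgrade` or a dump/restore cycle on an unpatched server.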