ID CVE-2018-10915
Summary A vulnerability was found in libpq, the default PostgreSQL client library, where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected.
References
Vulnerable Configurations
  • Red Hat OpenStack 12.0
    cpe:2.3:a:redhat:openstack:12.0
  • Red Hat OpenStack 13.0
    cpe:2.3:a:redhat:openstack:13.0
  • Red Hat Virtualization 4.0
    cpe:2.3:a:redhat:virtualization:4.0
  • Red Hat Enterprise Linux Desktop 7.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  • Red Hat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • Red Hat Enterprise Linux Server Extended Update Support (EUS) 7.5
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5
  • Red Hat Enterprise Linux Workstation 7.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 18.04 LTS Edition
    cpe:2.3:o:canonical:ubuntu_linux:18.04:-:-:-:lts
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
  • PostgreSQL 9.3.0
    cpe:2.3:a:postgresql:postgresql:9.3.0
  • PostgreSQL 9.3.1
    cpe:2.3:a:postgresql:postgresql:9.3.1
  • PostgreSQL 9.3.2
    cpe:2.3:a:postgresql:postgresql:9.3.2
  • PostgreSQL 9.3.3
    cpe:2.3:a:postgresql:postgresql:9.3.3
  • PostgreSQL 9.3.4
    cpe:2.3:a:postgresql:postgresql:9.3.4
  • PostgreSQL 9.3.5
    cpe:2.3:a:postgresql:postgresql:9.3.5
  • PostgreSQL 9.3.6
    cpe:2.3:a:postgresql:postgresql:9.3.6
  • PostgreSQL 9.3.7
    cpe:2.3:a:postgresql:postgresql:9.3.7
  • PostgreSQL 9.3.8
    cpe:2.3:a:postgresql:postgresql:9.3.8
  • PostgreSQL 9.3.9
    cpe:2.3:a:postgresql:postgresql:9.3.9
  • PostgreSQL 9.3.10
    cpe:2.3:a:postgresql:postgresql:9.3.10
  • PostgreSQL 9.3.11
    cpe:2.3:a:postgresql:postgresql:9.3.11
  • PostgreSQL 9.3.12
    cpe:2.3:a:postgresql:postgresql:9.3.12
  • PostgreSQL 9.3.13
    cpe:2.3:a:postgresql:postgresql:9.3.13
  • PostgreSQL 9.3.14
    cpe:2.3:a:postgresql:postgresql:9.3.14
  • PostgreSQL 9.3.15
    cpe:2.3:a:postgresql:postgresql:9.3.15
  • PostgreSQL 9.3.16
    cpe:2.3:a:postgresql:postgresql:9.3.16
  • PostgreSQL 9.3.17
    cpe:2.3:a:postgresql:postgresql:9.3.17
  • PostgreSQL 9.3.18
    cpe:2.3:a:postgresql:postgresql:9.3.18
  • PostgreSQL 9.3.19
    cpe:2.3:a:postgresql:postgresql:9.3.19
  • PostgreSQL 9.3.20
    cpe:2.3:a:postgresql:postgresql:9.3.20
  • PostgreSQL 9.3.21
    cpe:2.3:a:postgresql:postgresql:9.3.21
  • PostgreSQL 9.3.22
    cpe:2.3:a:postgresql:postgresql:9.3.22
  • PostgreSQL 9.3.23
    cpe:2.3:a:postgresql:postgresql:9.3.23
  • PostgreSQL 9.4.0
    cpe:2.3:a:postgresql:postgresql:9.4.0
  • PostgreSQL 9.4.1
    cpe:2.3:a:postgresql:postgresql:9.4.1
  • PostgreSQL 9.4.2
    cpe:2.3:a:postgresql:postgresql:9.4.2
  • PostgreSQL 9.4.3
    cpe:2.3:a:postgresql:postgresql:9.4.3
  • PostgreSQL 9.4.4
    cpe:2.3:a:postgresql:postgresql:9.4.4
  • PostgreSQL 9.4.5
    cpe:2.3:a:postgresql:postgresql:9.4.5
  • PostgreSQL 9.4.6
    cpe:2.3:a:postgresql:postgresql:9.4.6
  • PostgreSQL 9.4.7
    cpe:2.3:a:postgresql:postgresql:9.4.7
  • PostgreSQL 9.4.8
    cpe:2.3:a:postgresql:postgresql:9.4.8
  • PostgreSQL 9.4.9
    cpe:2.3:a:postgresql:postgresql:9.4.9
  • PostgreSQL 9.4.10
    cpe:2.3:a:postgresql:postgresql:9.4.10
  • PostgreSQL 9.4.11
    cpe:2.3:a:postgresql:postgresql:9.4.11
  • PostgreSQL 9.4.12
    cpe:2.3:a:postgresql:postgresql:9.4.12
  • PostgreSQL 9.4.13
    cpe:2.3:a:postgresql:postgresql:9.4.13
  • PostgreSQL 9.4.14
    cpe:2.3:a:postgresql:postgresql:9.4.14
  • PostgreSQL 9.4.15
    cpe:2.3:a:postgresql:postgresql:9.4.15
  • PostgreSQL 9.4.16
    cpe:2.3:a:postgresql:postgresql:9.4.16
  • PostgreSQL 9.4.17
    cpe:2.3:a:postgresql:postgresql:9.4.17
  • PostgreSQL 9.4.18
    cpe:2.3:a:postgresql:postgresql:9.4.18
  • PostgreSQL 9.5.0
    cpe:2.3:a:postgresql:postgresql:9.5.0
  • PostgreSQL 9.5.1
    cpe:2.3:a:postgresql:postgresql:9.5.1
  • PostgreSQL 9.5.2
    cpe:2.3:a:postgresql:postgresql:9.5.2
  • PostgreSQL 9.5.3
    cpe:2.3:a:postgresql:postgresql:9.5.3
  • PostgreSQL 9.5.4
    cpe:2.3:a:postgresql:postgresql:9.5.4
  • PostgreSQL 9.5.5
    cpe:2.3:a:postgresql:postgresql:9.5.5
  • PostgreSQL 9.5.6
    cpe:2.3:a:postgresql:postgresql:9.5.6
  • PostgreSQL 9.5.7
    cpe:2.3:a:postgresql:postgresql:9.5.7
  • PostgreSQL 9.5.8
    cpe:2.3:a:postgresql:postgresql:9.5.8
  • PostgreSQL 9.5.9
    cpe:2.3:a:postgresql:postgresql:9.5.9
  • PostgreSQL 9.5.10
    cpe:2.3:a:postgresql:postgresql:9.5.10
  • PostgreSQL 9.5.11
    cpe:2.3:a:postgresql:postgresql:9.5.11
  • PostgreSQL 9.5.12
    cpe:2.3:a:postgresql:postgresql:9.5.12
  • PostgreSQL 9.5.13
    cpe:2.3:a:postgresql:postgresql:9.5.13
  • PostgreSQL 9.6.0
    cpe:2.3:a:postgresql:postgresql:9.6.0
  • PostgreSQL 9.6.1
    cpe:2.3:a:postgresql:postgresql:9.6.1
  • PostgreSQL 9.6.2
    cpe:2.3:a:postgresql:postgresql:9.6.2
  • PostgreSQL 9.6.3
    cpe:2.3:a:postgresql:postgresql:9.6.3
  • PostgreSQL 9.6.4
    cpe:2.3:a:postgresql:postgresql:9.6.4
  • PostgreSQL 9.6.5
    cpe:2.3:a:postgresql:postgresql:9.6.5
  • PostgreSQL 9.6.6
    cpe:2.3:a:postgresql:postgresql:9.6.6
  • PostgreSQL 9.6.7
    cpe:2.3:a:postgresql:postgresql:9.6.7
  • PostgreSQL 9.6.8
    cpe:2.3:a:postgresql:postgresql:9.6.8
  • PostgreSQL 9.6.9
    cpe:2.3:a:postgresql:postgresql:9.6.9
  • PostgreSQL 10.0
    cpe:2.3:a:postgresql:postgresql:10.0
  • PostgreSQL 10.1
    cpe:2.3:a:postgresql:postgresql:10.1
  • PostgreSQL 10.2
    cpe:2.3:a:postgresql:postgresql:10.2
  • PostgreSQL 10.3
    cpe:2.3:a:postgresql:postgresql:10.3
  • PostgreSQL 10.4
    cpe:2.3:a:postgresql:postgresql:10.4
CVSS
Base: 6.0
Impact:
Exploitability:
CWE CWE-89
CAPEC
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Object Relational Mapping Injection
    An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject his or her own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.
  • SQL Injection through SOAP Parameter Tampering
    An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.
  • Expanding Control over the Operating System from the Database
    An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injection attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every database management system (DBMS) includes facilities that, if compromised, allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.
  • SQL Injection
    This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database. In order to successfully inject SQL and retrieve information from a database, an attacker:
  • Blind SQL Injection
    Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages is considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The attacker can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the attacker determines how and where the target is vulnerable to SQL Injection. For example, an attacker may try entering something like "username' AND 1=1; --" in an input field. If the result is the same as when the attacker entered "username" in the field, then the attacker knows that the application is vulnerable to SQL Injection. The attacker can then ask yes/no questions from the database server to extract information from it. For example, the attacker can extract table names from a database using the following types of queries: If the above query executes properly, then the attacker knows that the first character in a table name in the database is a letter between m and z. If it doesn't, then the attacker knows that the character must be between a and l (assuming of course that table names only contain alphabetic characters). By performing a binary search on all character positions, the attacker can determine all table names in the database. Subsequently, the attacker may execute an actual attack and send something like:
nessus via4
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-1117.NASL
    description A vulnerability was found in libpq, the default PostgreSQL client library, where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. (CVE-2018-10915)
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 119476
    published 2018-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119476
    title Amazon Linux AMI : postgresql93 / postgresql94 (ALAS-2018-1117)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-3909-1.NASL
    description This update for postgresql94 to 9.4.19 fixes the following security issue : CVE-2018-10915: libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could have bypassed client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction (bsc#1104199). A dump/restore is not required for this update unless you use the functions query_to_xml, cursor_to_xml, cursor_to_xmlschema, query_to_xmlschema, and query_to_xml_and_xmlschema. In this case please see the first entry of https://www.postgresql.org/docs/9.4/static/release-9-4-18.html Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 119212
    published 2018-11-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119212
    title SUSE SLES12 Security Update : postgresql94 (SUSE-SU-2018:3909-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2643.NASL
    description An update for rhvm-appliance is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal. The following packages have been upgraded to a later upstream version: rhvm-appliance (4.2). (BZ#1590658, BZ#1591095, BZ#1591096, BZ#1592655, BZ#1594636, BZ#1597534, BZ#1612683) Red Hat would like to thank the PostgreSQL project for reporting CVE-2018-10915 and Ammarit Thongthua (Deloitte Thailand Pentest team) and Nattakit Intarasorn (Deloitte Thailand Pentest team) for reporting CVE-2018-1067. Upstream acknowledges Andrew Krasichkov as the original reporter of CVE-2018-10915. Security fixes : * vulnerability: wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip) (CVE-2018-10862) * vulnerability: apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.* (CVE-2018-8039) * vulnerability: postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915) * vulnerability: undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of ) (CVE-2018-1067, CVE-2016-4993) * vulnerability: undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service (CVE-2018-1114) * vulnerability: guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (CVE-2018-10237) * vulnerability: bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180) For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 117324
    published 2018-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117324
    title RHEL 7 : Virtualization (RHSA-2018:2643)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1464.NASL
    description An unprivileged user of dblink or postgres_fdw could bypass the checks intended to prevent use of server-side credentials, such as a ~/.pgpass file owned by the operating-system user running the server. Servers allowing peer authentication on local connections are particularly vulnerable. Other attacks such as SQL injection into a postgres_fdw session are also possible. Attacking postgres_fdw in this way requires the ability to create a foreign server object with selected connection parameters, but any user with access to dblink could exploit the problem. In general, an attacker with the ability to select the connection parameters for a libpq-using application could cause mischief, though other plausible attack scenarios are harder to think of. Our thanks to Andrew Krasichkov for reporting this issue. For Debian 8 'Jessie', this problem has been fixed in version 9.4.19-0+deb8u1. We recommend that you upgrade your postgresql-9.4 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-10-10
    plugin id 111762
    published 2018-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111762
    title Debian DLA-1464-1 : postgresql-9.4 security update
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-955.NASL
    description This update for postgresql10 fixes the following issues : PostgreSQL 10 was updated to 10.5 : - https://www.postgresql.org/about/news/1851/ - https://www.postgresql.org/docs/current/static/release-10-5.html A dump/restore is not required for those running 10.X. However, if you use the adminpack extension, you should update it as per the first changelog entry below. Also, if the function marking mistakes mentioned in the second and third changelog entries below affect you, you will want to take steps to correct your database catalogs. Security issues fixed : - CVE-2018-1115: Remove public execute privilege from contrib/adminpack's pg_logfile_rotate() function pg_logfile_rotate() is a deprecated wrapper for the core function pg_rotate_logfile(). When that function was changed to rely on SQL privileges for access control rather than a hard-coded superuser check, pg_logfile_rotate() should have been updated as well, but the need for this was missed. Hence, if adminpack is installed, any user could request a logfile rotation, creating a minor security issue. After installing this update, administrators should update adminpack by performing ALTER EXTENSION adminpack UPDATE in each database in which adminpack is installed (bsc#1091610). - CVE-2018-10915: libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could have bypassed client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction (bsc#1104199) - CVE-2018-10925: Add missing authorization check on certain statements involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE TABLE' privileges could have exploited this to read arbitrary bytes of server memory. If the attacker also had certain 'INSERT' and limited 'UPDATE' privileges to a particular table, they could have exploited this to update other columns in the same table (bsc#1104202). This update was imported from the SUSE:SLE-15:Update update project.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 112269
    published 2018-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112269
    title openSUSE Security Update : postgresql10 (openSUSE-2018-955)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180823_POSTGRESQL_ON_SL7_X.NASL
    description The following packages have been upgraded to a later upstream version: postgresql (9.2.24). Security Fix(es) : - postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 112105
    published 2018-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112105
    title Scientific Linux Security Update : postgresql on SL7.x x86_64
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-1119.NASL
    description A vulnerability was found in libpq, the default PostgreSQL client library, where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. (CVE-2018-10915) It was discovered that PostgreSQL failed to properly check authorization on certain statements involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE TABLE' privileges could exploit this to read arbitrary bytes of server memory. If the attacker also had certain 'INSERT' and limited 'UPDATE' privileges to a particular table, they could exploit this to update other columns in the same table. (CVE-2018-10925) It was found that pg_catalog.pg_logfile_rotate(), from the adminpack extension, did not follow the same ACLs as pg_rotate_logfile. If the adminpack is added to a database, an attacker able to connect to it could use this flaw to force log rotation. (CVE-2018-1115)
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 119478
    published 2018-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119478
    title Amazon Linux AMI : postgresql96 (ALAS-2018-1119)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-2_0-0087.NASL
    description An update of 'krb5', 'postgresql' packages of Photon OS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 112220
    published 2018-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112220
    title Photon OS 2.0: Krb5 / Postgresql PHSA-2018-2.0-0087 (deprecated)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-1482.NASL
    description This update for postgresql94 to 9.4.19 fixes the following security issue : - CVE-2018-10915: libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could have bypassed client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction (bsc#1104199). A dump/restore is not required for this update unless you use the functions query_to_xml, cursor_to_xml, cursor_to_xmlschema, query_to_xmlschema, and query_to_xml_and_xmlschema. In this case please see the first entry of https://www.postgresql.org/docs/9.4/static/release-9-4-18.html This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 119490
    published 2018-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119490
    title openSUSE Security Update : postgresql94 (openSUSE-2018-1482)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-2557.NASL
    description An update for postgresql is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (9.2.24). (BZ#1612667) Security Fix(es) : * postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Andrew Krasichkov as the original reporter.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 112163
    published 2018-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112163
    title CentOS 7 : postgresql (CESA-2018:2557)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-2557.NASL
    description From Red Hat Security Advisory 2018:2557 : An update for postgresql is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (9.2.24). (BZ#1612667) Security Fix(es) : * postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Andrew Krasichkov as the original reporter.
    last seen 2019-02-21
    modified 2018-10-10
    plugin id 112103
    published 2018-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112103
    title Oracle Linux 7 : postgresql (ELSA-2018-2557)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0178.NASL
    description An update of 'python2', 'strongswan', 'python3', 'postgresql' packages of Photon OS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 112221
    published 2018-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112221
    title Photon OS 1.0: Postgresql / Python2 / Python3 / Strongswan PHSA-2018-1.0-0178 (deprecated)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1312.NASL
    description According to the version of the postgresql packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 117755
    published 2018-09-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117755
    title EulerOS 2.0 SP3 : postgresql (EulerOS-SA-2018-1312)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2557.NASL
    description An update for postgresql is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (9.2.24). (BZ#1612667) Security Fix(es) : * postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Andrew Krasichkov as the original reporter.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 112104
    published 2018-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112104
    title RHEL 7 : postgresql (RHSA-2018:2557)
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2018-1080.NASL
    description A vulnerability was found in libpq, the default PostgreSQL client library, where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. (CVE-2018-10915)
    last seen 2019-02-21
    modified 2018-10-10
    plugin id 117709
    published 2018-09-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117709
    title Amazon Linux 2 : postgresql (ALAS-2018-1080)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1311.NASL
    description According to the version of the postgresql packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 117754
    published 2018-09-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117754
    title EulerOS 2.0 SP2 : postgresql (EulerOS-SA-2018-1311)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-3287-1.NASL
    description This update for postgresql94 fixes the following issues : postgresql was updated to 9.4.19 : https://www.postgresql.org/docs/current/static/release-9-4-19.html - CVE-2018-10915, bsc#1104199: Fix failure to reset libpq's state fully between connection attempts. postgresql was updated to 9.4.18 : https://www.postgresql.org/about/news/1851/ https://www.postgresql.org/docs/current/static/release-9-4-18.html A dump/restore is not required for those running 9.4.X. However, if the function marking mistakes mentioned in the first changelog entry below affect you, you will want to take steps to correct your database catalogs. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 118320
    published 2018-10-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118320
    title SUSE SLES11 Security Update : postgresql94 (SUSE-SU-2018:3287-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-1080.NASL
    description A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. (CVE-2018-10915)
    last seen 2019-02-21
    modified 2018-10-10
    plugin id 117604
    published 2018-09-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117604
    title Amazon Linux AMI : postgresql92 (ALAS-2018-1080)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2564-1.NASL
    description This update for postgresql10 fixes the following issues : PostgreSQL 10 was updated to 10.5 : https://www.postgresql.org/about/news/1851/ https://www.postgresql.org/docs/current/static/release-10-5.html A dump/restore is not required for those running 10.X. However, if you use the adminpack extension, you should update it as per the first changelog entry below. Also, if the function marking mistakes mentioned in the second and third changelog entries below affect you, you will want to take steps to correct your database catalogs. Security issues fixed: CVE-2018-1115: Remove public execute privilege from contrib/adminpack's pg_logfile_rotate() function pg_logfile_rotate() is a deprecated wrapper for the core function pg_rotate_logfile(). When that function was changed to rely on SQL privileges for access control rather than a hard-coded superuser check, pg_logfile_rotate() should have been updated as well, but the need for this was missed. Hence, if adminpack is installed, any user could request a logfile rotation, creating a minor security issue. After installing this update, administrators should update adminpack by performing ALTER EXTENSION adminpack UPDATE in each database in which adminpack is installed (bsc#1091610). CVE-2018-10915: libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could have bypassed client-side connection security features, obtained access to higher privileged connections or potentially caused other impact through SQL injection, by causing the PQescape() functions to malfunction (bsc#1104199) CVE-2018-10925: Add missing authorization check on certain statements involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE TABLE' privileges could have exploited this to read arbitrary bytes of server memory. If the attacker also had certain 'INSERT' and limited 'UPDATE' privileges to a particular table, they could have exploited this to update other columns in the same table (bsc#1104202). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 120090
    published 2019-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120090
    title SUSE SLED15 / SLES15 Security Update : postgresql10 (SUSE-SU-2018:2564-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201810-08.NASL
    description The remote host is affected by the vulnerability described in GLSA-201810-08 (PostgreSQL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PostgreSQL. Please review the referenced CVE identifiers for details. In addition it was discovered that Gentoo’s PostgreSQL installation suffered from a privilege escalation vulnerability due to a runscript which called OpenRC’s checkpath() on a user controlled path and allowed user running PostgreSQL to kill arbitrary processes via PID file manipulation. Impact : A remote attacker could bypass certain client-side connection security features, read arbitrary server memory or alter certain data. In addition, a local attacker could gain privileges or cause a Denial of Service condition by killing arbitrary processes. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-10-31
    plugin id 118508
    published 2018-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118508
    title GLSA-201810-08 : PostgreSQL: Multiple vulnerabilities
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0178_POSTGRESQL.NASL
    description An update of the postgresql package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121879
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121879
    title Photon OS 1.0: Postgresql PHSA-2018-1.0-0178
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-1079.NASL
    description A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. (CVE-2018-10915) It was discovered that PostgreSQL failed to properly check authorization on certain statements involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE TABLE' privileges could exploit this to read arbitrary bytes of server memory. If the attacker also had certain 'INSERT' and limited 'UPDATE' privileges to a particular table, they could exploit this to update other columns in the same table. (CVE-2018-10925)
    last seen 2019-02-21
    modified 2018-10-19
    plugin id 117603
    published 2018-09-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117603
    title Amazon Linux AMI : postgresql93 / postgresql94,postgresql95 (ALAS-2018-1079)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-3377-1.NASL
    description This update for postgresql96 to 9.6.10 fixes the following issues : These security issues were fixed : CVE-2018-10915: libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could have bypassed client-side connection security features, obtained access to higher privileged connections or potentially caused other impact through SQL injection, by causing the PQescape() functions to malfunction (bsc#1104199) CVE-2018-10925: Add missing authorization check on certain statements involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE TABLE' privileges could have exploited this to read arbitrary bytes of server memory. If the attacker also had certain 'INSERT' and limited 'UPDATE' privileges to a particular table, they could have exploited this to update other columns in the same table (bsc#1104202) For additional details please see https://www.postgresql.org/docs/current/static/release-9-6-10.html Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 118387
    published 2018-10-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118387
    title SUSE SLED12 / SLES12 Security Update : postgresql96 (SUSE-SU-2018:3377-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4269.NASL
    description Two vulnerabilities have been found in the PostgreSQL database system : - CVE-2018-10915 Andrew Krasichkov discovered that libpq did not reset all its connection state during reconnects. - CVE-2018-10925 It was discovered that some 'CREATE TABLE' statements could disclose server memory. For additional information please refer to the upstream announcement at https://www.postgresql.org/about/news/1878/
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 111653
    published 2018-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111653
    title Debian DSA-4269-1 : postgresql-9.6 - security update
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-1074.NASL
    description A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. (CVE-2018-10915) It was discovered that PostgreSQL failed to properly check authorization on certain statements involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE TABLE' privileges could exploit this to read arbitrary bytes of server memory. If the attacker also had certain 'INSERT' and limited 'UPDATE' privileges to a particular table, they could exploit this to update other columns in the same table. (CVE-2018-10925)
    last seen 2019-02-21
    modified 2018-10-19
    plugin id 117346
    published 2018-09-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117346
    title Amazon Linux AMI : postgresql96 (ALAS-2018-1074)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-1278.NASL
    description This update for postgresql96 to 9.6.10 fixes the following issues : These security issues were fixed : - CVE-2018-10915: libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could have bypassed client-side connection security features, obtained access to higher privileged connections or potentially caused other impact through SQL injection, by causing the PQescape() functions to malfunction (bsc#1104199) - CVE-2018-10925: Add missing authorization check on certain statements involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE TABLE' privileges could have exploited this to read arbitrary bytes of server memory. If the attacker also had certain 'INSERT' and limited 'UPDATE' privileges to a particular table, they could have exploited this to update other columns in the same table (bsc#1104202) For additional details please see https://www.postgresql.org/docs/current/static/release-9-6-10.html This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 118448
    published 2018-10-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118448
    title openSUSE Security Update : postgresql96 (openSUSE-2018-1278)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-2_0-0087_POSTGRESQL.NASL
    description An update of the postgresql package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121988
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121988
    title Photon OS 2.0: Postgresql PHSA-2018-2.0-0087
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3744-1.NASL
    description Andrew Krasichkov discovered that the PostgreSQL client library incorrectly reset its internal state between connections. A remote attacker could possibly use this issue to bypass certain client-side connection security features. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-10915) It was discovered that PostgreSQL incorrectly checked authorization on certain statements. A remote attacker could possibly use this issue to read arbitrary server memory or alter certain data. (CVE-2018-10925). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111844
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111844
    title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : postgresql-10, postgresql-9.3, postgresql-9.5 vulnerabilities (USN-3744-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-1118.NASL
    description A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. (CVE-2018-10915) It was discovered that PostgreSQL failed to properly check authorization on certain statements involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE TABLE' privileges could exploit this to read arbitrary bytes of server memory. If the attacker also had certain 'INSERT' and limited 'UPDATE' privileges to a particular table, they could exploit this to update other columns in the same table. (CVE-2018-10925)
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 119477
    published 2018-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119477
    title Amazon Linux AMI : postgresql95 (ALAS-2018-1118)
  • NASL family Databases
    NASL id POSTGRESQL_20180809.NASL
    description The version of PostgreSQL installed on the remote host is 9.3.x prior to 9.3.24, 9.4.x prior to 9.4.19, 9.5.x prior to 9.5.14, 9.6.x prior to 9.6.10, or 10.x prior to 10.5. It is, therefore, affected by multiple vulnerabilities.
    last seen 2019-02-21
    modified 2018-12-14
    plugin id 111966
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111966
    title PostgreSQL 9.3.x < 9.3.24 / 9.4.x < 9.4.19 / 9.5.x < 9.5.14 / 9.6.x < 9.6.10 / 10.x < 10.5 Multiple Vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_96EAB8749C7911E8B34B6CC21735F730.NASL
    description The PostgreSQL project reports : CVE-2018-10915: Certain host connection parameters defeat client-side security defenses libpq, the client connection API for PostgreSQL that is also used by other connection libraries, had an internal issue where it did not reset all of its connection state variables when attempting to reconnect. In particular, the state variable that determined whether or not a password is needed for a connection would not be reset, which could allow users of features requiring libpq, such as the 'dblink' or 'postgres_fdw' extensions, to login to servers they should not be able to access. CVE-2018-10925: Memory disclosure and missing authorization in `INSERT ... ON CONFLICT DO UPDATE` An attacker able to issue CREATE TABLE can read arbitrary bytes of server memory using an upsert (`INSERT ... ON CONFLICT DO UPDATE`) query. By default, any user can exploit that. A user that has specific INSERT privileges and an UPDATE privilege on at least one column in a given table can also update other columns using a view and an upsert query.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 111656
    published 2018-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111656
    title FreeBSD : PostgreSQL -- two vulnerabilities (96eab874-9c79-11e8-b34b-6cc21735f730)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-D8F5AEA89D.NASL
    description update to 9.6.10, CVE-2018-10915 CVE-2018-10925 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-10-19
    plugin id 111770
    published 2018-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111770
    title Fedora 27 : postgresql (2018-d8f5aea89d)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-5D1F7BD2D7.NASL
    description update to 10.5, CVE-2018-10915, CVE-2018-10925 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-03
    plugin id 120455
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120455
    title Fedora 28 : postgresql (2018-5d1f7bd2d7)
redhat via4
advisories
  • bugzilla
    id 1609891
    title CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment postgresql is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557007
        • comment postgresql is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908006
      • AND
        • comment postgresql-contrib is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557015
        • comment postgresql-contrib is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908014
      • AND
        • comment postgresql-devel is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557025
        • comment postgresql-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908010
      • AND
        • comment postgresql-docs is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557023
        • comment postgresql-docs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908016
      • AND
        • comment postgresql-libs is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557013
        • comment postgresql-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908024
      • AND
        • comment postgresql-plperl is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557021
        • comment postgresql-plperl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908022
      • AND
        • comment postgresql-plpython is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557027
        • comment postgresql-plpython is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908018
      • AND
        • comment postgresql-pltcl is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557017
        • comment postgresql-pltcl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908020
      • AND
        • comment postgresql-server is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557011
        • comment postgresql-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908012
      • AND
        • comment postgresql-static is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557005
        • comment postgresql-static is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20171983026
      • AND
        • comment postgresql-test is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557009
        • comment postgresql-test is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908008
      • AND
        • comment postgresql-upgrade is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557019
        • comment postgresql-upgrade is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150750037
    rhsa
    id RHSA-2018:2557
    released 2018-08-23
    severity Important
    title RHSA-2018:2557: postgresql security update (Important)
  • rhsa
    id RHSA-2018:2511
  • rhsa
    id RHSA-2018:2565
  • rhsa
    id RHSA-2018:2566
  • rhsa
    id RHSA-2018:2643
  • rhsa
    id RHSA-2018:2721
  • rhsa
    id RHSA-2018:2729
  • rhsa
    id RHSA-2018:3816
rpms
  • postgresql-0:9.2.24-1.el7_5
  • postgresql-contrib-0:9.2.24-1.el7_5
  • postgresql-devel-0:9.2.24-1.el7_5
  • postgresql-docs-0:9.2.24-1.el7_5
  • postgresql-libs-0:9.2.24-1.el7_5
  • postgresql-plperl-0:9.2.24-1.el7_5
  • postgresql-plpython-0:9.2.24-1.el7_5
  • postgresql-pltcl-0:9.2.24-1.el7_5
  • postgresql-server-0:9.2.24-1.el7_5
  • postgresql-static-0:9.2.24-1.el7_5
  • postgresql-test-0:9.2.24-1.el7_5
  • postgresql-upgrade-0:9.2.24-1.el7_5
refmap via4
bid 105054
confirm
debian DSA-4269
gentoo GLSA-201810-08
mlist [debian-lts-announce] 20180815 [SECURITY] [DLA 1464-1] postgresql-9.4 security update
sectrack 1041446
ubuntu USN-3744-1
Last major update 09-08-2018 - 16:29
Published 09-08-2018 - 16:29
Last modified 02-10-2019 - 20:03