Hi Karan,
the vulnerability affects the DB in its whole.
As i read it, the fix is about:
'Avoid use of insecure search_path settings in pg_dump and other client programs (Noah Misch, Tom Lane)
pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications were themselves vulnerable to the type of
hijackingdescribed in the previous changelog entry; since these applications are commonly run by superusers, they
presentparticularly attractive targets. To make them secure whether or not the installation as a whole has been
secured,modify them to include only the pg_catalog schema in their search_path settings. Autovacuum worker processes
nowdo the same, as well.'
(taken from https://www.postgresql.org/docs/current/static/release-9-6-8.html )
Maybe you want to have a look to the page where the vulnerability is explained in detail:
https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path
It is in my opinion an excellent guide to understand CVE-2018-1058
Regards,
fabio pardi
On 03/17/2018 12:34 AM, karan sharma wrote:
> Please help me understand about security patch.
> "CVE-2018-1058"
>
> The changes seen are only in pg_dump. Why I have to do the query part separately?. It should be solved by default.
>
> Is there anything else fixed in the patch ?