Hi,

> -----Original Message-----
> From: Stephen Frost [mailto:sfrost@postgresql.org]
> Sent: Thursday, May 10, 2018 10:37 PM
> To: pgsql-announce@lists.postgresql.org
> Subject: PostgreSQL 2018-05-10 Security Update Release
>
> Security Issues
> ---------------
>
> One security vulnerability has been closed by this release:
>
> * CVE-2018-1115: Too-permissive access control list on function
> pg_logfile_rotate()
>
> * Security Page: https://www.postgresql.org/support/security/

Thanks for the announcement. I think "Component & CVSS v3 Base Score" column for "CVE-2018-1115" was wrong. The Base Score appears 0.0 but it should be 4.2.
And the Base Metrics also need to change like?

- AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:N
+ AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

Or am I missing something?
It seems RedHat have changed the CVSS vector from the one that we submitted to them. The PostgreSQL Security Team assigned the score and vector as is listed on the PostgreSQL website, so that is the correct one as standing.
I have pinged the RedHat team to see if they did this intentionally, or if it was a mistake.