Thread: CVE-2018-1058


CVE-2018-1058

From
karan sharma
Date:
Please help me understand about security patch.
"CVE-2018-1058"

The changes seen are only in pg_dump. Why do I have to do the query part separately? It should be solved by default.

Is there anything else fixed in the patch?

Re: CVE-2018-1058

From
Fabio Pardi
Date:
Hi Karan,


The vulnerability affects the DB as a whole.

As I read it, the fix is about:

'Avoid use of insecure search_path settings in pg_dump and other client programs (Noah Misch, Tom Lane)

pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications were themselves vulnerable to the type of
hijacking described in the previous changelog entry; since these applications are commonly run by superusers, they
present particularly attractive targets. To make them secure whether or not the installation as a whole has been
secured, modify them to include only the pg_catalog schema in their search_path settings. Autovacuum worker processes
now do the same, as well.'
 

(taken from https://www.postgresql.org/docs/current/static/release-9-6-8.html )


Maybe you want to have a look at the page where the vulnerability is explained in detail:

https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path

It is, in my opinion, an excellent guide to understand CVE-2018-1058.


Regards,

fabio pardi



On 03/17/2018 12:34 AM, karan sharma wrote:
> Please help me understand about security patch.
> "CVE-2018-1058"
> 
> The changes seen are only in pg_dump. Why do I have to do the query part separately? It should be solved by default.
>
> Is there anything else fixed in the patch?
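
The server-side half of the fix discussed in this thread, as an added example that is not part of either message or of the PostgreSQL project's own scripts: the patched client programs pin their own `search_path`, but ordinary sessions keep whatever the installation is configured with, so the audit and hardening below are run by the administrator in each database. The role `app_user` and database `appdb` are hypothetical names.

```sql
-- Added example; run as a superuser in EVERY database (including template1).

-- 1. Audit: which roles may create objects in the public schema?
SELECT r.rolname
FROM pg_catalog.pg_roles AS r
WHERE pg_catalog.has_schema_privilege(r.rolname, 'public', 'CREATE')
ORDER BY r.rolname;

-- 2. Audit: functions in public that share a name with a pg_catalog
--    function. With the default search_path ("$user", public) an
--    unqualified call can resolve to one of these instead of the
--    built-in, so each row needs a known owner and a known reason.
SELECT p.oid::regprocedure                     AS shadowing_function,
       pg_catalog.pg_get_userbyid(p.proowner)  AS owner
FROM pg_catalog.pg_proc AS p
JOIN pg_catalog.pg_namespace AS n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND EXISTS (
        SELECT 1
        FROM pg_catalog.pg_proc AS c
        JOIN pg_catalog.pg_namespace AS cn ON cn.oid = c.pronamespace
        WHERE cn.nspname = 'pg_catalog'
          AND c.proname = p.proname)
ORDER BY 1;

-- 3. Harden: stop ordinary users from creating objects in public.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 4. Harden: keep public out of the default search_path.
--    appdb and app_user are hypothetical names (assumptions).
ALTER DATABASE appdb SET search_path = "$user";
ALTER ROLE app_user SET search_path = "$user";

-- 5. Session-level equivalent of what the changelog describes for
--    pg_dump and the other client programs: resolve unqualified
--    names against pg_catalog only. Use this in privileged sessions
--    and maintenance scripts.
SET search_path = pg_catalog;

-- 6. Verify the effective setting for the current session.
SHOW search_path;
```

Settings applied with `ALTER DATABASE` and `ALTER ROLE` take effect for new sessions only, so existing connections keep their old `search_path` until they reconnect.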