Discussion: Re: PostgreSQL 11.1, 10.6, 9.6.11, 9.5.15, 9.4.20, and 9.3.25 Released!


Re: PostgreSQL 11.1, 10.6, 9.6.11, 9.5.15, 9.4.20, and 9.3.25 Released!

From: Michael Banck
Hi,

following up to -advocacy.

On Thursday, 08.11.2018, 08:38 -0500, Jonathan S. Katz wrote:
> The PostgreSQL Global Development Group has released an update to all
> supported versions of our database system, including 11.1, 10.6, 9.6.11,
> 9.5.15, 9.4.20, and 9.3.25. This release fixes one security issue as
> well as bugs reported over the last three months.

[...]

> Security Issues
> ---------------
> 
> One security vulnerability has been closed by this release:
> 
> * CVE-2018-16850: SQL injection in `pg_upgrade` and `pg_dump`, via
> `CREATE TRIGGER ... REFERENCING`.
> 
> Using a purpose-crafted trigger definition, an attacker can run
> arbitrary SQL statements with superuser privileges when a superuser runs
> `pg_upgrade` on the database or during a pg_dump dump/restore cycle.
> This attack requires a `CREATE` privilege on some non-temporary schema
> or a `TRIGGER` privilege on a table.  This is exploitable in the default
> PostgreSQL configuration, where all users have `CREATE` privilege on
> `public` schema.

AIUI, this security issue only affects v10 and v11, but this is not
clear from the announcement AFAICT, unless I missed it?

I think it would be good to mention the exact versions that are affected
by a CVE in the announcement; of course it is always possible to inspect
the individual release notes, but having the information up front would
be nice (again, unless I am missing something).


Michael

-- 
Michael Banck
Project Lead / Senior Consultant
Tel.: +49 2166 9901-171
Fax:  +49 2166 9901-100
Email: michael.banck@credativ.de

credativ GmbH, HRB Mönchengladbach 12080
VAT ID number: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
Management: Dr. Michael Meskes, Jörg Folz, Sascha Heuer

Our handling of personal data is subject to
the following provisions: https://www.credativ.de/datenschutz
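The announcement quoted above says the pg_dump/pg_upgrade injection needs a trigger defined with `CREATE TRIGGER ... REFERENCING` (a transition-table trigger) and only `CREATE` on a schema or `TRIGGER` on a table, which every role has on `public` by default. A DBA who wants to confirm where they stand before running the next dump or upgrade can answer three questions from the catalogs: is this server still below the fixed minor, which non-internal triggers use transition tables and who owns their tables, and which schemas still grant `CREATE` to PUBLIC. The following audit is an added example written for this thread, not code from the announcement or from the PostgreSQL project. It assumes, as Michael's reading of the release notes suggests, that only the 10.x and 11.x branches are affected (transition tables and `tgoldtable`/`tgnewtable` in `pg_trigger` exist from PostgreSQL 10), and that the fixed minors are 10.6 and 11.1 as listed in the subject line; run it as a superuser on the server you are about to dump or upgrade.

```sql
-- Added example, not from the thread or the PostgreSQL project.
-- Assumption: CVE-2018-16850 affects the 10.x and 11.x branches, fixed in 10.6 / 11.1.
-- server_version_num encodes major*10000 + minor, e.g. 10.5 = 100005, 11.0 = 110000.

-- 1. Is this server still on a minor release below the fix?
SELECT current_setting('server_version')           AS server_version,
       current_setting('server_version_num')::int  AS server_version_num,
       CASE
         WHEN current_setting('server_version_num')::int <  100000 THEN 'pre-10: not affected (assumed)'
         WHEN current_setting('server_version_num')::int <  100006 THEN 'UNPATCHED: upgrade to 10.6 or later'
         WHEN current_setting('server_version_num')::int <  110000 THEN 'patched (10.6+)'
         WHEN current_setting('server_version_num')::int <  110001 THEN 'UNPATCHED: upgrade to 11.1 or later'
         ELSE 'patched (11.1+)'
       END AS cve_2018_16850_status;

-- 2. Every user-defined trigger that uses REFERENCING (transition tables),
--    with the owner of its table. Triggers on tables owned by roles that are not
--    superusers are the ones to inspect before a superuser runs pg_dump/pg_upgrade.
SELECT n.nspname                         AS schema,
       c.relname                         AS table_name,
       t.tgname                          AS trigger_name,
       t.tgoldtable                      AS old_transition_table,
       t.tgnewtable                      AS new_transition_table,
       pg_get_userbyid(c.relowner)       AS table_owner,
       r.rolsuper                        AS owner_is_superuser,
       pg_get_triggerdef(t.oid)          AS trigger_definition
FROM pg_trigger t
JOIN pg_class     c ON c.oid = t.tgrelid
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_roles     r ON r.oid = c.relowner
WHERE NOT t.tgisinternal
  AND (t.tgoldtable IS NOT NULL OR t.tgnewtable IS NOT NULL)
ORDER BY r.rolsuper, n.nspname, c.relname, t.tgname;

-- 3. Schemas where PUBLIC (grantee oid 0 in the ACL) holds CREATE; on a stock
--    install this returns "public", which is the default the announcement refers to.
SELECT n.nspname AS schema,
       a.privilege_type,
       a.is_grantable
FROM pg_namespace n
CROSS JOIN LATERAL aclexplode(n.nspacl) AS a
WHERE a.grantee = 0
  AND a.privilege_type = 'CREATE'
ORDER BY n.nspname;
```

The first query is the direct answer to Michael's question for a given server; the other two show what the announcement's prerequisites look like in practice, so the output of query 2 is worth reviewing line by line before the next superuser-run dump or upgrade rather than treated as a pass/fail flag.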


Re: PostgreSQL 11.1, 10.6, 9.6.11, 9.5.15, 9.4.20, and 9.3.25 Released!

From: "Jonathan S. Katz"
Hi Michael,

On 11/9/18 4:45 AM, Michael Banck wrote:
>
> AIUI, this security issue only affects v10 and v11, but this is not
> clear from the announcement AFAICT, unless I missed it?
>
> I think it would be good to mention the exact versions that are affected
> by a CVE in the announcement; of course it is always possible to inspect
> the individual release notes, but having the information up front would
> be nice (again, unless I am missing something).

That is a fair point. I have looked through the past few announcements
and we have not included affected versions, just links to the CVE, which
do detail the versions available as well as the release notes which you
mention above. It probably would have helped to do that, and I look into
updating it on the website at a minimum.

That said, when I was drafting the announcement, it was becoming a bit
convoluted to craft clear instructions based on the security release +
additional upgrade steps for pg_stat_statements. I opted for keeping it
simple.

And there is still a problem of people not upgrading to the latest bug
fix releases. If there is language or motivation to continue to stay on
the point releases, personally I'd prefer to encourage that.

Thanks!

Jonathan



Re: PostgreSQL 11.1, 10.6, 9.6.11, 9.5.15, 9.4.20, and 9.3.25 Released!

From: "Jonathan S. Katz"
On 11/9/18 9:18 AM, Jonathan S. Katz wrote:
> Hi Michael,
>
> On 11/9/18 4:45 AM, Michael Banck wrote:
>>
>> AIUI, this security issue only affects v10 and v11, but this is not
>> clear from the announcement AFAICT, unless I missed it?
>>
>> I think it would be good to mention the exact versions that are affected
>> by a CVE in the announcement; of course it is always possible to inspect
>> the individual release notes, but having the information up front would
>> be nice (again, unless I am missing something).
>
> I look into updating it on the website at a minimum.

I went ahead and added it to the site announcement.

Thanks!

Jonathan



Re: PostgreSQL 11.1, 10.6, 9.6.11, 9.5.15, 9.4.20, and 9.3.25 Released!

From: Abdullah Alger
That link to the security vulnerability CVE-2018-16850 is broken in the announcement.

Best,
Abdullah Alger

> On Nov 9, 2018, at 6:27 AM, Jonathan S. Katz <jkatz@postgresql.org> wrote:
>
> On 11/9/18 9:18 AM, Jonathan S. Katz wrote:
>> Hi Michael,
>>
>> On 11/9/18 4:45 AM, Michael Banck wrote:
>>>
>>> AIUI, this security issue only affects v10 and v11, but this is not
>>> clear from the announcement AFAICT, unless I missed it?
>>>
>>> I think it would be good to mention the exact versions that are affected
>>> by a CVE in the announcement; of course it is always possible to inspect
>>> the individual release notes, but having the information up front would
>>> be nice (again, unless I am missing something).
>>
>> I look into updating it on the website at a minimum.
>
> I went ahead and added it to the site announcement.
>
> Thanks!
>
> Jonathan
>



Re: PostgreSQL 11.1, 10.6, 9.6.11, 9.5.15, 9.4.20, and 9.3.25 Released!

From: "Jonathan S. Katz"

> On Nov 9, 2018, at 11:59 AM, Abdullah Alger <abdullahalger@me.com> wrote:
>
> That link to the security vulnerability CVE-2018-16850 is broken in the announcement.

Unfortunately it has not been published by Red Hat yet. That part is out
of our control.

Thanks!

Jonathan