Description
ELSA-2017-3402: postgresql security update (MODERATE)
[9.2.23-3]
- setup: keep PGSETUP_* variables after switching to not-privileged user
[9.2.23-2]
- fix CVE-2017-12172
Updated packages
Oracle Linux 7
Oracle Linux aarch64
postgresql            9.2.23-3.el7_4
postgresql-contrib    9.2.23-3.el7_4
postgresql-devel      9.2.23-3.el7_4
postgresql-docs       9.2.23-3.el7_4
postgresql-libs       9.2.23-3.el7_4
postgresql-plperl     9.2.23-3.el7_4
postgresql-plpython   9.2.23-3.el7_4
postgresql-pltcl      9.2.23-3.el7_4
postgresql-server     9.2.23-3.el7_4
postgresql-static     9.2.23-3.el7_4
postgresql-test       9.2.23-3.el7_4
postgresql-upgrade    9.2.23-3.el7_4
Oracle Linux x86_64
postgresql            9.2.23-3.el7_4
postgresql-contrib    9.2.23-3.el7_4
postgresql-devel      9.2.23-3.el7_4
postgresql-docs       9.2.23-3.el7_4
postgresql-libs       9.2.23-3.el7_4
postgresql-plperl     9.2.23-3.el7_4
postgresql-plpython   9.2.23-3.el7_4
postgresql-pltcl      9.2.23-3.el7_4
postgresql-server     9.2.23-3.el7_4
postgresql-static     9.2.23-3.el7_4
postgresql-test       9.2.23-3.el7_4
postgresql-upgrade    9.2.23-3.el7_4
Related CVEs
Related vulnerabilities
Privilege escalation flaws were found in the Red Hat initialization scripts of PostgreSQL. An attacker with access to the postgres user account could use these flaws to obtain root access on the server machine.
PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. PostgreSQL provides a script for starting the database server during system boot. Packages of PostgreSQL for many operating systems provide their own, packager-authored startup implementations. Several implementations use a log file name that the database superuser can replace with a symbolic link. As root, they open(), chmod() and/or chown() this log file name. This often suffices for the database superuser to escalate to root privileges when root starts the server.
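The vulnerability text above names the exact primitive: a root-run startup script calls open(), chmod() and chown() on a log file name that the unprivileged postgres account controls, so a symbolic link planted at that name redirects those privileged operations to any file on the system. The following C routine, an added example that is not part of this advisory and not the Red Hat or Oracle initscript code, shows the defensive pattern for a privileged process that must still touch a path inside a service-user-owned directory: open with O_NOFOLLOW so the kernel refuses a symlink at the final component (ELOOP), confirm with fstat() that the object is a regular file, and apply mode and ownership with fchmod()/fchown() on the descriptor rather than by name, so there is no second path lookup to race. The function names, the scratch directory and the file names are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Prepare a log file the way a privileged startup script should:
 *  - O_NOFOLLOW: if the last path component is a symbolic link the open
 *    fails with ELOOP instead of following it, so a link planted by the
 *    service user cannot redirect a root open to an arbitrary file;
 *  - fstat on the descriptor confirms the object really is a regular file;
 *  - fchmod/fchown act on the already-open descriptor, not on the name, so
 *    the mode/owner change cannot be aimed elsewhere by swapping the name.
 * uid/gid of (uid_t)-1 / (gid_t)-1 skip the ownership change, as chown(2) does.
 * Returns the open descriptor, or -1 with errno set. */
int open_log_nofollow(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, mode);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) < 0) { int e = errno; close(fd); errno = e; return -1; }
    if (!S_ISREG(st.st_mode)) { close(fd); errno = EINVAL; return -1; }
    if (fchmod(fd, mode) < 0) { int e = errno; close(fd); errno = e; return -1; }
    if ((uid != (uid_t)-1 || gid != (gid_t)-1) && fchown(fd, uid, gid) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return fd;
}

/* Constructed fixture: a scratch directory holding a legitimate log file and
 * a symlink (planted.log -> victim) standing in for a link placed by the
 * service account.  Returns 1 when the hardened open accepts the regular
 * file AND refuses the symlink with ELOOP, 0 on any other outcome. */
int demo_symlink_is_refused(void)
{
    char dir[] = "/tmp/pglogdemoXXXXXX";
    if (!mkdtemp(dir)) {
        strcpy(dir, "./pglogdemoXXXXXX");   /* fall back to the working directory */
        if (!mkdtemp(dir))
            return 0;
    }

    char logpath[256], target[256], link[256];
    snprintf(logpath, sizeof logpath, "%s/postgresql.log", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/planted.log", dir);

    int ok = 0;
    int fd = open_log_nofollow(logpath, (uid_t)-1, (gid_t)-1, 0640);   /* regular file: accepted */
    int tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);         /* the file a link would point at */
    if (fd >= 0 && tfd >= 0 && symlink(target, link) == 0) {
        errno = 0;
        int lfd = open_log_nofollow(link, (uid_t)-1, (gid_t)-1, 0640); /* symlink: must be refused */
        ok = (lfd < 0 && errno == ELOOP);
        if (lfd >= 0) close(lfd);
    }
    if (fd >= 0) close(fd);
    if (tfd >= 0) close(tfd);
    unlink(link); unlink(target); unlink(logpath); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink refused, regular file accepted: %s\n",
           demo_symlink_is_refused() ? "yes" : "no");
    return 0;
}
```

O_NOFOLLOW protects only the final component; a symlinked parent directory is still followed, so a privileged script should also run this against a directory it owns and that the service user cannot rename into, or, better still, drop to the service account before creating anything under its data or log directory, which is the direction the 9.2.23-3 changelog entry about switching to the non-privileged user points in.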