Описание
Security update for postgresql10
This update for postgresql10 fixes the following issues:
Security issue fixed:
- CVE-2018-16850: Fixed improper quoting of transition table names when pg_dump emits CREATE TRIGGER could have caused privilege escalation (bsc#1114837).
Non-security issues fixed:
- Update to release 10.6:
Список пакетов
SUSE Linux Enterprise Desktop 12 SP4
libecpg6-10.6-1.6.1
libpq5-10.6-1.6.1
libpq5-32bit-10.6-1.6.1
postgresql10-10.6-1.6.1
SUSE Linux Enterprise Server 12 SP4
libecpg6-10.6-1.6.1
libpq5-10.6-1.6.1
libpq5-32bit-10.6-1.6.1
postgresql10-10.6-1.6.1
postgresql10-contrib-10.6-1.6.1
postgresql10-docs-10.6-1.6.1
postgresql10-server-10.6-1.6.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4
libecpg6-10.6-1.6.1
libpq5-10.6-1.6.1
libpq5-32bit-10.6-1.6.1
postgresql10-10.6-1.6.1
postgresql10-contrib-10.6-1.6.1
postgresql10-docs-10.6-1.6.1
postgresql10-server-10.6-1.6.1
SUSE Linux Enterprise Software Development Kit 12 SP4
postgresql10-devel-10.6-1.6.1
Ссылки
- Link for SUSE-SU-2018:3770-2
- E-Mail link for SUSE-SU-2018:3770-2
- SUSE Security Ratings
- SUSE Bug 1114837
- SUSE CVE CVE-2018-16850 page
Описание
postgresql before versions 11.1, 10.6 is vulnerable to a to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... REFERENCING. Using a purpose-crafted trigger definition, an attacker can cause arbitrary SQL statements to run, with superuser privileges.
Затронутые продукты
SUSE Linux Enterprise Desktop 12 SP4:libecpg6-10.6-1.6.1
SUSE Linux Enterprise Desktop 12 SP4:libpq5-10.6-1.6.1
SUSE Linux Enterprise Desktop 12 SP4:libpq5-32bit-10.6-1.6.1
SUSE Linux Enterprise Desktop 12 SP4:postgresql10-10.6-1.6.1
Ссылки
- CVE-2018-16850
- SUSE Bug 1114837