Description
Security update for postgresql10
This update for postgresql10 fixes the following issues:
Security issue fixed:
- CVE-2018-16850: Fixed improper quoting of transition table names when pg_dump emits CREATE TRIGGER, which could have caused privilege escalation (bsc#1114837).
Non-security issues fixed:
- Update to release 10.6:
Package list
SUSE Linux Enterprise Module for Basesystem 15
libpq5-10.6-4.8.1
postgresql10-10.6-4.8.1
SUSE Linux Enterprise Module for Package Hub 15
postgresql10-test-10.6-4.8.1
SUSE Linux Enterprise Module for Server Applications 15
libecpg6-10.6-4.8.1
postgresql10-contrib-10.6-4.8.1
postgresql10-devel-10.6-4.8.1
postgresql10-docs-10.6-4.8.1
postgresql10-plperl-10.6-4.8.1
postgresql10-plpython-10.6-4.8.1
postgresql10-pltcl-10.6-4.8.1
postgresql10-server-10.6-4.8.1
References
- Link for SUSE-SU-2018:3942-1
- E-Mail link for SUSE-SU-2018:3942-1
- SUSE Security Ratings
- SUSE Bug 1114837
- SUSE CVE CVE-2018-16850 page
Description
PostgreSQL before versions 11.1 and 10.6 is vulnerable to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... REFERENCING. Using a purpose-crafted trigger definition, an attacker can cause arbitrary SQL statements to run with superuser privileges.
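A catalog check an administrator can run before using pg_dump or pg_upgrade binaries older than 10.6 / 11.1 is shown below. It is an added example, not part of the SUSE advisory or of PostgreSQL itself. It assumes a PostgreSQL 10 or later server, where `pg_trigger` carries the `tgoldtable` and `tgnewtable` columns, and a role that can read the system catalogs.

```sql
-- Added example: list user-defined triggers whose REFERENCING transition
-- table names are not plain identifiers, i.e. names that must be quoted
-- when pg_dump writes them back out as CREATE TRIGGER statements.
-- pg_trigger is a per-database catalog, so run this in every database
-- of the cluster that is going to be dumped or upgraded.
SELECT n.nspname                          AS table_schema,
       c.relname                          AS table_name,
       pg_catalog.pg_get_userbyid(c.relowner) AS table_owner,
       t.tgname                           AS trigger_name,
       t.tgoldtable                       AS old_transition_table,
       t.tgnewtable                       AS new_transition_table
FROM pg_catalog.pg_trigger   t
JOIN pg_catalog.pg_class     c ON c.oid = t.tgrelid
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE NOT t.tgisinternal                  -- skip constraint/system triggers
  AND (
        -- quote_ident() returns its input unchanged only when the name
        -- is safe to emit without double quotes.
        (t.tgoldtable IS NOT NULL
         AND t.tgoldtable::text <> pg_catalog.quote_ident(t.tgoldtable::text))
     OR (t.tgnewtable IS NOT NULL
         AND t.tgnewtable::text <> pg_catalog.quote_ident(t.tgnewtable::text))
      )
ORDER BY table_schema, table_name, trigger_name;
```

Names that legitimately need quoting, such as mixed-case ones, are listed as well, so each returned row is something to review together with the table owner rather than a verdict. An empty result in every database means no existing trigger depends on the quoting that the 10.6 update corrects.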
Affected products
SUSE Linux Enterprise Module for Basesystem 15:libpq5-10.6-4.8.1
SUSE Linux Enterprise Module for Basesystem 15:postgresql10-10.6-4.8.1
SUSE Linux Enterprise Module for Package Hub 15:postgresql10-test-10.6-4.8.1
SUSE Linux Enterprise Module for Server Applications 15:libecpg6-10.6-4.8.1
References
- CVE-2018-16850
- SUSE Bug 1114837