Описание
Security update for postgresql96
This update for postgresql96 fixes the following issues:
Security issue fixed:
- CVE-2019-10130: Prevent row-level security policies from being bypassed via selectivity estimators (bsc#1134689).
Список пакетов
SUSE Linux Enterprise Desktop 12 SP3
SUSE Linux Enterprise Server 12 SP3
SUSE Linux Enterprise Server for SAP Applications 12 SP3
SUSE Linux Enterprise Software Development Kit 12 SP3
Ссылки
- Link for SUSE-SU-2019:1687-1
- E-Mail link for SUSE-SU-2019:1687-1
- SUSE Security Ratings
- SUSE Bug 1134689
- SUSE CVE CVE-2019-10130 page
Описание
A vulnerability was found in PostgreSQL versions 11.x up to excluding 11.3, 10.x up to excluding 10.8, 9.6.x up to, excluding 9.6.13, 9.5.x up to, excluding 9.5.17. PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of certain columns. Affected columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-level security prunes the set of rows visible to the attacker.
Затронутые продукты
Ссылки
- CVE-2019-10130
- SUSE Bug 1134689