Date: Fri, 10 Aug 2018 08:56:53 +0000 (UTC) From: Palle Girgensohn <girgen@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r476813 - head/security/vuxml Message-ID: <201808100856.w7A8urt3038005@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: girgen Date: Fri Aug 10 08:56:53 2018 New Revision: 476813 URL: https://svnweb.freebsd.org/changeset/ports/476813 Log: Add entry about postgresql vulnerabilites Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Aug 10 08:45:06 2018 (r476812) +++ head/security/vuxml/vuln.xml Fri Aug 10 08:56:53 2018 (r476813) @@ -58,6 +58,66 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="96eab874-9c79-11e8-b34b-6cc21735f730"> + <topic>PostgreSQL -- two vulnerabilities</topic> + <affects> + <package> + <name>postgresql10-server</name> + <range><lt>10.5</lt></range> + </package> + <package> + <name>postgresql96-server</name> + <range><lt>9.6.10</lt></range> + </package> + <package> + <name>postgresql95-server</name> + <range><lt>9.5.14</lt></range> + </package> + <package> + <name>postgresql94-server</name> + <range><lt>9.4.19</lt></range> + </package> + <package> + <name>postgresql93-server</name> + <range><lt>9.3.24</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The PostgreSQL project reports:</p> + <blockquote cite="https://www.postgresql.org/about/news/1878/">; + <p>CVE-2018-10915: Certain host connection parameters defeat + client-side security defenses</p> + <p>libpq, the client connection API for PostgreSQL that is also used + by other connection libraries, had an internal issue where it did not + reset all of its connection state variables when attempting to + reconnect. In particular, the state variable that determined whether + or not a password is needed for a connection would not be reset, which + could allow users of features requiring libpq, such as the "dblink" or + "postgres_fdw" extensions, to login to servers they should not be able + to access.</p> + <p>CVE-2018-10925: Memory disclosure and missing authorization in + `INSERT ... ON CONFLICT DO UPDATE`</p> + <p>An attacker able to issue CREATE TABLE can read arbitrary bytes of + server memory using an upsert (`INSERT ... ON CONFLICT DO UPDATE`) + query. By default, any user can exploit that. A user that has + specific INSERT privileges and an UPDATE privilege on at least one + column in a given table can also update other columns using a view and + an upsert query.</p> + </blockquote> + </body> + </description> + <references> + <url>https://www.postgresql.org/about/news/1878/</url>; + <cvename>CVE-2018-10915</cvename> + <cvename>CVE-2018-10925</cvename> + </references> + <dates> + <discovery>2018-08-09</discovery> + <entry>2018-08-10</entry> + </dates> + </vuln> + <vuln vid="909be51b-9b3b-11e8-add2-b499baebfeaf"> <topic>MySQL -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201808100856.w7A8urt3038005>