Date: Fri, 10 May 2019 12:41:16 +0000 (UTC) From: Palle Girgensohn <girgen@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r501171 - head/security/vuxml Message-ID: <201905101241.x4ACfGFA059894@repo.freebsd.org>
Author: girgen Date: Fri May 10 12:41:15 2019 New Revision: 501171 URL: https://svnweb.freebsd.org/changeset/ports/501171 Log: Add security issues from latest postgresql release Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri May 10 12:34:55 2019 (r501170) +++ head/security/vuxml/vuln.xml Fri May 10 12:41:15 2019 (r501171) 
@@ -58,6 +58,86 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="065890c3-725e-11e9-b0e1-6cc21735f730"> + <topic>PostgreSQL -- Selectivity estimators bypass row security policies</topic> + <affects> + <package> + <name>postgresql11-server</name> + <range><lt>11.3</lt></range> + </package> + <package> + <name>postgresql10-server</name> + <range><lt>10.8</lt></range> + </package> + <package> + <name>postgresql96-server</name> + <range><lt>9.6.13</lt></range> + </package> + <package> + <name>postgresql95-server</name> + <range><lt>9.5.17</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The PostgreSQL project reports:</p> + <blockquote cite="https://www.postgresql.org/about/news/1939/"> + <p> + PostgreSQL maintains statistics for tables by sampling + data available in columns; this data is consulted during + the query planning process. Prior to this release, a user + able to execute SQL queries with permissions to read a + given column could craft a leaky operator that could + read whatever data had been sampled from that column. + If this happened to include values from rows that the user + is forbidden to see by a row security policy, the user + could effectively bypass the policy. This is fixed by only + allowing a non-leakproof operator to use this data if + there are no relevant row security policies for the table. 
+ </p> + </blockquote> + </body> + </description> + <references> + <url>https://www.postgresql.org/about/news/1939/</url> + <cvename>CVE-2019-10130</cvename> + </references> + <dates> + <discovery>2019-05-09</discovery> + <entry>2019-05-09</entry> + </dates> + </vuln> + + <vuln vid="e66a5440-7258-11e9-b0e1-6cc21735f730"> + <topic>PostgreSQL -- Memory disclosure in partition routing</topic> + <affects> + <package> + <name>postgresql11-server</name> + <range><lt>11.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The PostgreSQL project reports:</p> + <blockquote cite="https://www.postgresql.org/about/news/1939/"> + <p> + Prior to this release, a user running PostgreSQL 11 can read + arbitrary bytes of server memory by executing a purpose-crafted + INSERT statement to a partitioned table. + </p> + </blockquote> + </body> + </description> + <references> + <url>https://www.postgresql.org/about/news/1939/</url> + <cvename>CVE-2019-10129</cvename> + </references> + <dates> + <discovery>2019-05-09</discovery> + <entry>2019-05-09</entry> + </dates> + </vuln> + <vuln vid="a1de4ae9-6fda-11e9-9ba0-4c72b94353b5"> <topic>gitea -- multiple vulnerabilities</topic> <affects>
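Review bot: both new entries carry `<entry>2019-05-09</entry>`, but this commit lands on Fri May 10 2019; in vuln.xml the `<entry>` element records when the entry was added to the document, while `<discovery>` records the upstream disclosure, so consider `<entry>2019-05-10</entry>` for both `065890c3-725e-11e9-b0e1-6cc21735f730` and `e66a5440-7258-11e9-b0e1-6cc21735f730` while keeping `<discovery>2019-05-09</discovery>`. The `<affects>` ranges otherwise line up with the quoted advisory: `<lt>11.3</lt>`, `<lt>10.8</lt>`, `<lt>9.6.13</lt>`, `<lt>9.5.17</lt>` for CVE-2019-10130, and only `postgresql11-server` `<lt>11.3</lt>` for CVE-2019-10129, which matches the description's "a user running PostgreSQL 11".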