group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #25510
[Bug 1786938] Re: New upstream microreleases 9.3.24, 9.5.14, and 10.5
This bug was fixed in the package postgresql-9.5 - 9.5.14-0ubuntu0.16.04
---------------
postgresql-9.5 (9.5.14-0ubuntu0.16.04) xenial-security; urgency=medium
* New upstream release (LP: #1786938)
- Fix failure to reset libpq's state fully between connection attempts
.
An unprivileged user of dblink or postgres_fdw could bypass the checks
intended to prevent use of server-side credentials, such as a ~/.pgpass
file owned by the operating-system user running the server. Servers
allowing peer authentication on local connections are particularly
vulnerable. Other attacks such as SQL injection into a postgres_fdw
session are also possible. Attacking postgres_fdw in this way requires
the ability to create a foreign server object with selected connection
parameters, but any user with access to dblink could exploit the
problem. In general, an attacker with the ability to select the
connection parameters for a libpq-using application could cause
mischief, though other plausible attack scenarios are harder to think
of. Our thanks to Andrew Krasichkov for reporting this issue.
(CVE-2018-10915)
- Fix INSERT ... ON CONFLICT UPDATE through a view that isn't just SELECT
FROM ...
.
Erroneous expansion of an updatable view could lead to crashes or
attribute ... has the wrong type errors, if the view's SELECT list
doesn't match one-to-one with the underlying table's columns.
Furthermore, this bug could be leveraged to allow updates of columns
that an attacking user lacks UPDATE privilege for, if that user has
INSERT and UPDATE privileges for some other column(s) of the table. Any
user could also use it for disclosure of server memory.
(CVE-2018-10925)
- d/libecpg-dev.install: Add new pgtypes header.
- d/libpgtypes3.symbols: Add new pgtypes symbol.
- Details about these and changes can be found at
https://www.postgresql.org/docs/9.5/static/release-9-5-14.html
-- Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> Tue, 14 Aug
2018 14:49:16 +0200
** Changed in: postgresql-10 (Ubuntu Bionic)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1786938
Title:
New upstream microreleases 9.3.24, 9.5.14, and 10.5
Status in postgresql-10 package in Ubuntu:
Fix Released
Status in postgresql-9.3 package in Ubuntu:
Invalid
Status in postgresql-9.5 package in Ubuntu:
Invalid
Status in postgresql-9.3 source package in Trusty:
Fix Released
Status in postgresql-9.5 source package in Xenial:
Fix Released
Status in postgresql-10 source package in Bionic:
Fix Released
Status in postgresql-10 source package in Cosmic:
Fix Released
Bug description:
Postgresql stable update
Current versions in supported releases:
postgresql-9.3 | 9.3.23-0ubuntu0.14.04 trusty
postgresql-9.5 | 9.5.13-0ubuntu0.16.04 xenial
postgresql-10 | 10.4-0ubuntu0.18.04 bionic
postgresql-10 | 10.5-1 cosmic
Special cases:
- Cosmic is already synced from Debians upload
- This is again a security update, so we prep and security will eval and publish through -security
Last related stable updates: 9.3.24, 9.5.14444, 10.5
So the todo is to pick:
MRE: Trusty 9.3.24 from https://ftp.postgresql.org/pub/source/v9.3.24/postgresql-9.3.24.tar.gz
MRE: Xenial 9.5.14 from https://ftp.postgresql.org/pub/source/v9.5.14/postgresql-9.5.14.tar.gz
MRE: Bionic 10.5 from https://ftp.postgresql.org/pub/source/v10.5/postgresql-10.5.tar.gz
Standing MRE - Consider last updates as template:
- pad.lv/1637236
- pad.lv/1664478
- pad.lv/1690730
- pad.lv/1713979
- pad.lv/1730661
- pad.lv/1747676
- pad.lv/1752271
New - this bug
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postgresql-10/+bug/1786938/+subscriptions
References
