rh-postgresql96-postgresql-9.6.10-1.AXS4

エラータID: AXSA:2018-3314:01

リリース日: 
2018/09/05 Wednesday - 11:21
題名: 
rh-postgresql96-postgresql-9.6.10-1.AXS4
影響のあるチャネル: 
Asianux Server 4 for x86_64
Severity: 
High
Description: 

PostgreSQL is an advanced object-relational database management system (DBMS).

The following packages have been upgraded to a later upstream version: rh-postgresql96-postgresql (9.6.10). (BZ#1614340)

Security Fix(es):

* postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915)

* postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements (CVE-2018-10925)

* postgresql: Memory disclosure in JSON functions (CVE-2017-15098)

* postgresql: pg_upgrade creates file of sensitive metadata under prevailing umask (CVE-2018-1053)

* postgresql: Uncontrolled search path element in pg_dump and other client applications (CVE-2018-1058)

* postgresql: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges (CVE-2017-15099)

* postgresql: Too-permissive access control list on function pg_logfile_rotate() (CVE-2018-1115)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Asianux would like to thank the PostgreSQL project for reporting CVE-2018-10915, CVE-2018-10925, CVE-2017-15098, CVE-2018-1053, CVE-2017-15099, and CVE-2018-1115. Upstream acknowledges Andrew Krasichkov as the original reporter of CVE-2018-10915; David Rowley as the original reporter of CVE-2017-15098; Tom Lane as the original reporter of CVE-2018-1053; Dean Rasheed as the original reporter of CVE-2017-15099; and Stephen Frost as the original reporter of CVE-2018-1115.

CVE-2017-15098
Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory.
CVE-2017-15099
INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.
CVE-2018-1053
In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g` under umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords. The attack is infeasible if a directory mode blocks the attacker searching the current working directory or if the prevailing umask blocks the attacker opening the file.
CVE-2018-1058
A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database. Versions 9.3 through 10 are affected.
CVE-2018-1115
postgresql before versions 10.4, 9.6.9 is vulnerable in the adminpack extension, the pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs than pg_rorate_logfile. If the adminpack is added to a database, an attacker able to connect to it could exploit this to force log rotation.
CVE-2018-10915
A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. Postgresql versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected.
CVE-2018-10925
It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table.

解決策: 

Update packages.

追加情報: 

N/A

ダウンロード: 

SRPMS
  1. rh-postgresql96-postgresql-9.6.10-1.AXS4.src.rpm
    MD5: c48d5c50774c551c77d31a958dc5adfd
    SHA-256: b106cd059e3db8f6c5834cb398922ca55116513e2f6193888ff3075a72e9a6e5
    Size: 27.49 MB

Asianux Server 4 for x86_64
  1. rh-postgresql96-postgresql-9.6.10-1.AXS4.x86_64.rpm
    MD5: 05ff9bda32e0546ce77b3e4bc81e251f
    SHA-256: e64392f6da5b8a458d5c639ac0720b34551e5ba03179491fe8df942436bf937a
    Size: 1.33 MB
  2. rh-postgresql96-postgresql-contrib-9.6.10-1.AXS4.x86_64.rpm
    MD5: c2f76f1be5fadcd1d9b1110e0c9ff802
    SHA-256: 216411c2c8bd271095000e051512ef46ef4da41959dece4e1848b45181db0e66
    Size: 627.32 kB
  3. rh-postgresql96-postgresql-contrib-syspaths-9.6.10-1.AXS4.x86_64.rpm
    MD5: b7ecc84b0789ddc02ef57670ac78094b
    SHA-256: d7e53973b3289219059d52bf7a07fed609a95b1704206940c36ff86e13f6e107
    Size: 39.65 kB
  4. rh-postgresql96-postgresql-devel-9.6.10-1.AXS4.x86_64.rpm
    MD5: c60ae2c08badba79714ac05c2a7ff002
    SHA-256: f472e565e956c673adc5591caae6920d094300b053fbf52b506b9d5868ab3f2b
    Size: 1.19 MB
  5. rh-postgresql96-postgresql-docs-9.6.10-1.AXS4.x86_64.rpm
    MD5: 24a1c8a51ef7f4d96235b2d9c5c882ed
    SHA-256: 38b8d508ccb32b701672699a31a9cf9091cae85943e071c1ec64a02b2d777923
    Size: 10.97 MB
  6. rh-postgresql96-postgresql-libs-9.6.10-1.AXS4.x86_64.rpm
    MD5: b0a60f97d2d055fea146c8b17539c43b
    SHA-256: 7922be0fd35d5f51c727d169b8d98b4d4facea8bb33814b7915c6a6c0754bb0f
    Size: 240.22 kB
  7. rh-postgresql96-postgresql-plperl-9.6.10-1.AXS4.x86_64.rpm
    MD5: a0f73b19980cb0ab2e0f74f4601eee8d
    SHA-256: db45cc65d22d9451e6138763c333dbe8c931cec10b64158321457e829fd0a44c
    Size: 87.12 kB
  8. rh-postgresql96-postgresql-plpython-9.6.10-1.AXS4.x86_64.rpm
    MD5: 3744d84c7bd0ad7453bb516a08513e1b
    SHA-256: 66b85b1be5b148a511c768d7dda3c07931170752d3206bd3b212fbe7ff71117d
    Size: 104.62 kB
  9. rh-postgresql96-postgresql-pltcl-9.6.10-1.AXS4.x86_64.rpm
    MD5: 3b5db759835e122d7f166f9547a4ab2b
    SHA-256: f3793d7c80c234c4d7983cefa6aab61e0558e31be48c11cda58838245ec7e739
    Size: 69.11 kB
  10. rh-postgresql96-postgresql-server-9.6.10-1.AXS4.x86_64.rpm
    MD5: f089fe8eb641ca109a85e213bcf884c9
    SHA-256: 6462f192ed371bff719ee18a6a433d12deecfc7daacfb313f1be378641dc0317
    Size: 5.42 MB
  11. rh-postgresql96-postgresql-server-syspaths-9.6.10-1.AXS4.x86_64.rpm
    MD5: 76866c6b5c22dc4f82d33c7e68f97b79
    SHA-256: 2cf6310738a19fc815481ed4d61963ce042cbe608ef3dc57757e76a1af022861
    Size: 40.62 kB
  12. rh-postgresql96-postgresql-static-9.6.10-1.AXS4.x86_64.rpm
    MD5: 9c26288fac86e610a310c2f4ec813773
    SHA-256: 64b8c96fd56dc06876421a0ffa71fbbf203aafc7c086587a5968046e7481cf1c
    Size: 72.21 kB
  13. rh-postgresql96-postgresql-syspaths-9.6.10-1.AXS4.x86_64.rpm
    MD5: b99314b739e25a9b3e3b4a8efd01a4e3
    SHA-256: 6246cd6d08cddec8e0cb5e83debe172243826faa6644527c3098f38e3ca0ef99
    Size: 41.28 kB
  14. rh-postgresql96-postgresql-test-9.6.10-1.AXS4.x86_64.rpm
    MD5: 915fecbbc2cc74acf3901c5cb87276e2
    SHA-256: 04ebe461888383f51ec4c5d61c4f88e69a6bbe8fe4d6007a77124446a480f719
    Size: 1.54 MB