Bug 1547044 (CVE-2018-1058)
| Summary: | CVE-2018-1058 postgresql: Uncontrolled search path element in pg_dump and other client applications | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aileenc, bdawidow, bkearney, chazlett, cpelland, dajohnso, databases-maint, devrim, dffrench, dmetzger, dmoppert, drieden, drusso, gblomqui, glamb, gmccullo, gtanzill, gvarsami, hhorak, hhudgeon, huzaifas, jcoleman, jfrey, jhardy, jmadigan, jmlich83, jorton, jprause, jshepherd, jstanek, kconner, kdixon, ldimaggi, lgriffin, loleary, meissner, mike, ngough, nwallace, obarenbo, pdrozd, pkubat, praiskup, pwright, roliveri, rrajasek, rwagner, security-response-team, simaishi, spinder, sthorger, tcunning, tgl, theute, thomas, tkirby, tlestach, trepel, trupti_pardeshi, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | postgresql 10.3, postgresql 9.6.8, postgresql 9.5.12, postgresql 9.4.17, postgresql 9.3.22 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the way PostgreSQL allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-08 03:40:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1549755, 1549756, 1549759, 1549760, 1550901, 1550902, 1550903, 1550904, 1612669, 1612670, 1612671, 1612672 | | |
| Bug Blocks: | 1547046 | | |
Description
Pedro Sampaio
2018-02-20 12:09:54 UTC
Both RHMAP services, unified-push-server and millicore, don't use a Postgres database. Marking them as not affected.

JON does not include a Postgres database, but does use one. Upgrading the database to 9.5.12 to pick up a fix for this issue would be a good idea for JON users, and will not break compatibility.
https://access.redhat.com/documentation/en-us/red_hat_jboss_operations_network/3.3/html/installation_guide/setting-up-dbs

External References:
https://www.postgresql.org/about/news/1834/

Created mingw-postgresql tracking bugs for this issue:
Affects: epel-7 [bug 1550902]
Affects: fedora-all [bug 1550903]

Created postgresql tracking bugs for this issue:
Affects: fedora-all [bug 1550901]

Mitigation:
Upstream suggests the following mitigation can be used to protect against this security flaw:
https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path

Statement:
This issue affects the versions of Postgresql as shipped with Red Hat Satellite 5. Red Hat Product Security has rated this issue as having security impact of Low. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Via RHSA-2018:2511 https://access.redhat.com/errata/RHSA-2018:2511

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Via RHSA-2018:2566 https://access.redhat.com/errata/RHSA-2018:2566

This issue has been addressed in the following products:
CloudForms Management Engine 5.9
Via RHSA-2018:3816 https://access.redhat.com/errata/RHSA-2018:3816

Hello,
May I know if Linux PostgreSQL 7.1beta6 version is also affected and requires this fix? Any heads up will be appreciated.
Thank you in advance.
Best Regards,
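The upstream mitigation guide linked above centres on the fact that, by default, every role may CREATE objects in the public schema, which is what lets one account influence how another user's unqualified names resolve. The following SQL is an added example, not part of this bug report, that first reports which schemas still grant CREATE to PUBLIC and then applies the revoke the guide recommends; `app_db` is an assumed database name.

```sql
-- Added example (not from this bug report). Run as a superuser or the schema owner.

-- 1. Check: which user-visible schemas let the PUBLIC pseudo-role CREATE objects?
--    A fresh cluster answers "true" for the "public" schema.
SELECT n.nspname AS schema,
       has_schema_privilege('public', n.nspname, 'CREATE') AS public_can_create
FROM   pg_namespace n
WHERE  left(n.nspname, 3) <> 'pg_'          -- skip pg_catalog, pg_toast, pg_temp_*
  AND  n.nspname <> 'information_schema'
ORDER  BY 1;

-- 2. Mitigation recommended by the upstream guide: stop everyone from creating
--    objects in the public schema (repeat for any other schema flagged above).
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 3. Companion hardening: pin the database's search_path so unqualified names are
--    resolved only through the per-user schema.  'app_db' is an assumed name.
ALTER DATABASE app_db SET search_path = "$user";

-- 4. Re-run the check for the public schema; expected result is false.
SELECT has_schema_privilege('public', 'public', 'CREATE') AS public_can_create;
```

Object owners keep CREATE on their own schemas after the revoke, so application roles that own a dedicated schema are unaffected; only the shared public schema becomes read-only for everyone except its owner.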