In a database containing hypothetical, user-defined hash equality operators, an attacker could read arbitrary bytes of server memory. For an attack to become possible, a superuser would need to create unusual operators. It is possible for operators not purpose-crafted for attack to have the properties that enable an attack, but we are not aware of specific examples.
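One way to check whether a database contains any user-defined hashable operators at all, the precondition named in the description above. This is an added example, not part of the advisory or of PostgreSQL's own tooling; it assumes the standard catalog layout in which objects created after initdb have OIDs of 16384 or higher.

```sql
-- Added audit example: list operators marked hashable (HASHES) that did not
-- ship with PostgreSQL itself. Run once per database, since pg_operator is
-- a per-database catalog.
-- Assumption: OIDs >= 16384 (FirstNormalObjectId) were assigned after initdb.
SELECT o.oid::regoperator   AS operator,
       n.nspname            AS schema,
       o.oprleft::regtype   AS left_type,
       o.oprright::regtype  AS right_type,
       o.oprcode            AS implementing_function,
       r.rolname            AS owner,
       r.rolsuper           AS owner_is_superuser
FROM pg_operator o
JOIN pg_namespace n ON n.oid = o.oprnamespace
JOIN pg_roles r     ON r.oid = o.oprowner
WHERE o.oprcanhash           -- operator is declared usable for hashing
  AND o.oid >= 16384         -- skip built-in operators
ORDER BY n.nspname, o.oprname;
```

An empty result means the database has no such operators. A non-empty result only identifies operators to review (operators installed by extensions also appear) and is not by itself evidence of exposure.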
The following products only contain the JDBC postgresql driver, not the server, and are not affected:
* Red Hat Decision Manager
* Red Hat Process Automation Manager
Acknowledgments:
Name: the PostgreSQL project
Upstream: Andreas Seltenreich
Created postgresql tracking bugs for this issue:
Affects: fedora-all [bug 1739212]
External References: https://www.postgresql.org/about/news/1960/
Hello, May I know if Linux PostgreSQL 7.1beta6 version is also affected and requires this fix? Any heads up will be appreciated. Thank you in advance. Best Regards,
Upstream fix : postgresql-11 : https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=a034418cfc85fffa300d4d44792561c09e76f68b
In reply to comment #9:
> May I know if Linux PostgreSQL 7.1beta6 version is also affected and
> requires this fix? Any heads up will be appreciated.
This vulnerability was introduced with commit bf6c614a2, and thus affects only PostgreSQL version 11. Older versions are safe from that vulnerability.
(In reply to Cedric Buissart from comment #11)
> In reply to comment #9:
> > May I know if Linux PostgreSQL 7.1beta6 version is also affected and
> > requires this fix? Any heads up will be appreciated.
> This vulnerability was introduced with commit bf6c614a2, and thus affects
> only PostgreSQL version 11. Older versions are safe from that vulnerability.
Thanks a lot Cedric for clarification.
Red Hat Gluster Storage 3 ships the JDBC part of postgresql embedded in rhevm-dependencies, hence it is not affected.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10209