A flaw was found in PostgreSQL. The chief PostgreSQL client library, libpq, does not adequately reset its internal state before each connection attempt. When one requests a connection using a "host" or "hostaddr" connection parameter provided by an untrusted party, that party can thwart three security-relevant features of the client. First, they can cause PQconnectionUsedPassword() to erroneously return true. Users of contrib module "dblink" or "postgres_fdw" can leverage that to use server-side login credentials that they should not be able to use. Second, attackers can cause the PQescape*() family of functions to malfunction, permitting SQL injection in "postgres_fdw" and likely in other applications. Third, attackers can cause sslmode=prefer to not attempt SSL/TLS at all
Acknowledgments: Name: the PostgreSQL project Upstream: Andrew Krasichkov
External References: https://www.postgresql.org/about/news/1878/
Created mingw-postgresql tracking bugs for this issue: Affects: epel-7 [bug 1614405] Affects: fedora-all [bug 1614407] Created postgresql tracking bugs for this issue: Affects: fedora-all [bug 1614404]
Upstream commit: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=d1c6a14bacfa5fe7690e2c71b1626dbc87a57355
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Via RHSA-2018:2511 https://access.redhat.com/errata/RHSA-2018:2511
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2557 https://access.redhat.com/errata/RHSA-2018:2557
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Via RHSA-2018:2565 https://access.redhat.com/errata/RHSA-2018:2565
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Via RHSA-2018:2566 https://access.redhat.com/errata/RHSA-2018:2566
Statement: This vulnerability is only exploitable where an attacker can provide or influence connection parameters to a PostgreSQL client application using libpq. Contrib modules "dblink" and "postgres_fdw" are examples of applications affected by this flaw. Red Hat Virtualization includes vulnerable versions of postgresql. However this flaw is not known to be exploitable under any supported configuration of Red Hat Virtualization. A future update may address this issue. This issue affects the versions of the rh-postgresql95-postgresql package as shipped with Red Hat Satellite 5.7 and 5.8. However, this flaw is not known to be exploitable under any supported scenario in Satellite 5. A future update may address this issue.
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2018:2643 https://access.redhat.com/errata/RHSA-2018:2643
This issue has been addressed in the following products: CloudForms Management Engine 5.9 Via RHSA-2018:3816 https://access.redhat.com/errata/RHSA-2018:3816