
[SECURITY] [DLA 1464-1] postgresql-9.4 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : postgresql-9.4
Version        : 9.4.19-0+deb8u1
CVE ID         : CVE-2018-10915

An unprivileged user of dblink or postgres_fdw could bypass the checks
intended to prevent use of server-side credentials, such as a ~/.pgpass
file owned by the operating-system user running the server. Servers
allowing peer authentication on local connections are particularly
vulnerable. Other attacks such as SQL injection into a postgres_fdw
session are also possible. Attacking postgres_fdw in this way requires
the ability to create a foreign server object with selected connection
parameters, but any user with access to dblink could exploit the
problem. In general, an attacker with the ability to select the
connection parameters for a libpq-using application could cause
mischief, though other plausible attack scenarios are harder to think
of. Our thanks to Andrew Krasichkov for reporting this issue.

For Debian 8 "Jessie", this problem has been fixed in version
9.4.19-0+deb8u1.

We recommend that you upgrade your postgresql-9.4 packages.
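As an added illustration (not part of the advisory, and not PostgreSQL project code), the following SQL shows how an administrator can inventory a Debian 8 server for the exposure the text describes before and after applying the update: which databases have dblink or postgres_fdw installed, which roles (PUBLIC included) may call dblink_connect, which roles may create postgres_fdw servers, what foreign servers and user mappings already exist, and whether the running server reports the fixed 9.4.19 release. It queries only standard system catalogs; the interim REVOKE statements at the end are an assumption about a reasonable stop-gap for a server that cannot be upgraded immediately, not a measure the advisory prescribes, and must be run per database.

```sql
-- Added audit example for DLA 1464-1 (CVE-2018-10915); run in each database.

-- 1. Does this database have either affected extension installed?
SELECT extname, extversion
FROM pg_extension
WHERE extname IN ('dblink', 'postgres_fdw');

-- 2. Which roles may execute dblink_connect*? grantee 0 means PUBLIC.
--    acldefault() expands the implicit ACL when proacl is NULL
--    (by default dblink functions are executable by PUBLIC).
SELECT p.proname,
       CASE a.grantee WHEN 0 THEN 'PUBLIC'
                      ELSE pg_get_userbyid(a.grantee) END AS grantee
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
CROSS JOIN LATERAL aclexplode(coalesce(p.proacl, acldefault('f', p.proowner))) a
WHERE p.proname LIKE 'dblink_connect%'
  AND a.privilege_type = 'EXECUTE'
ORDER BY 1, 2;

-- 3. Which roles may create foreign servers on postgres_fdw
--    (USAGE on the wrapper is what "create a foreign server object" needs)?
SELECT w.fdwname,
       CASE a.grantee WHEN 0 THEN 'PUBLIC'
                      ELSE pg_get_userbyid(a.grantee) END AS grantee,
       a.privilege_type
FROM pg_foreign_data_wrapper w
CROSS JOIN LATERAL aclexplode(coalesce(w.fdwacl, acldefault('F', w.fdwowner))) a
WHERE w.fdwname = 'postgres_fdw';

-- 4. Existing foreign servers, their connection options and owners.
SELECT s.srvname,
       pg_get_userbyid(s.srvowner) AS owner,
       s.srvoptions
FROM pg_foreign_server s
JOIN pg_foreign_data_wrapper w ON w.oid = s.srvfdw
WHERE w.fdwname = 'postgres_fdw';

-- 5. User mappings: a mapping for PUBLIC means any role can use the server.
SELECT srvname, usename, umoptions
FROM pg_user_mappings
ORDER BY srvname, usename;

-- 6. Is the fixed release running? Debian 9.4.19-0+deb8u1 reports 9.4.19.
SHOW server_version;

-- 7. (Assumed stop-gap only, until the package is upgraded.)
--    Withdraw the default PUBLIC grants so only explicitly trusted roles
--    can open dblink connections or define postgres_fdw servers.
-- REVOKE EXECUTE ON FUNCTION dblink_connect(text)       FROM PUBLIC;
-- REVOKE EXECUTE ON FUNCTION dblink_connect(text, text) FROM PUBLIC;
-- REVOKE USAGE ON FOREIGN DATA WRAPPER postgres_fdw     FROM PUBLIC;
```

Queries 2 and 3 are the ones that answer the advisory's two conditions directly: the text says any user who can reach dblink can trigger the problem, and that the postgres_fdw path additionally requires the ability to create a foreign server. Query 5 is worth reading alongside query 4, because a user mapping for PUBLIC on a server whose options point at a local socket is exactly the peer-authentication case the advisory calls out as particularly exposed.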

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

