Postgres FD Implementation
Commit e0ee9305 authored 6 years ago by Tom Lane
Last-minute updates for release notes.
Security: CVE-2018-10915, CVE-2018-10925
parent d1c6a14b
Showing 5 changed files with 221 additions and 53 deletions
doc/src/sgml/release-10.sgml (+67 -23)
doc/src/sgml/release-9.3.sgml (+28 -0)
doc/src/sgml/release-9.4.sgml (+28 -0)
doc/src/sgml/release-9.5.sgml (+49 -15)
doc/src/sgml/release-9.6.sgml (+49 -15)
doc/src/sgml/release-10.sgml
@@ -35,6 +35,73 @@
<listitem>
<!--
Author: Tom Lane <tgl@sss.pgh.pa.us>
Branch: master [d1c6a14ba] 2018-08-06 10:53:35 -0400
Branch: REL_11_STABLE [f6f735f78] 2018-08-06 10:53:35 -0400
Branch: REL_10_STABLE [ab5400469] 2018-08-06 10:53:35 -0400
Branch: REL9_6_STABLE [a8094d0fe] 2018-08-06 10:53:35 -0400
Branch: REL9_5_STABLE [7aabfd1d8] 2018-08-06 10:53:35 -0400
Branch: REL9_4_STABLE [6de9766b8] 2018-08-06 10:53:35 -0400
Branch: REL9_3_STABLE [243de06be] 2018-08-06 10:53:35 -0400
-->
<para>
Fix failure to reset <application>libpq</application>'s state fully
between connection attempts (Tom Lane)
</para>
<para>
An unprivileged user of <filename>dblink</filename>
or <filename>postgres_fdw</filename> could bypass the checks intended
to prevent use of server-side credentials, such as
a <filename>~/.pgpass</filename> file owned by the operating-system
user running the server. Servers allowing peer authentication on
local connections are particularly vulnerable. Other attacks such
as SQL injection into a <filename>postgres_fdw</filename> session
are also possible.
Attacking <filename>postgres_fdw</filename> in this way requires the
ability to create a foreign server object with selected connection
parameters, but any user with access to <filename>dblink</filename>
could exploit the problem.
In general, an attacker with the ability to select the connection
parameters for a <application>libpq</application>-using application
could cause mischief, though other plausible attack scenarios are
harder to think of.
Our thanks to Andrew Krasichkov for reporting this issue.
(CVE-2018-10915)
</para>
</listitem>
<listitem>
<!--
Author: Tom Lane <tgl@sss.pgh.pa.us>
Branch: master [b8a1247a3] 2018-08-04 19:38:58 -0400
Branch: REL_11_STABLE [e7154b6ac] 2018-08-04 19:38:58 -0400
Branch: REL_10_STABLE [f6a124d01] 2018-08-04 19:38:58 -0400
Branch: REL9_6_STABLE [b484bffe7] 2018-08-04 19:38:58 -0400
Branch: REL9_5_STABLE [5ad143cda] 2018-08-04 19:38:59 -0400
-->
<para>
Fix <literal>INSERT ... ON CONFLICT UPDATE</literal> through a view
that isn't just <literal>SELECT * FROM ...</literal>
(Dean Rasheed, Amit Langote)
</para>
<para>
Erroneous expansion of an updatable view could lead to crashes
or <quote>attribute ... has the wrong type</quote> errors, if the
view's <literal>SELECT</literal> list doesn't match one-to-one with
the underlying table's columns.
Furthermore, this bug could be leveraged to allow updates of columns
that an attacking user lacks <literal>UPDATE</literal> privilege for,
if that user has <literal>INSERT</literal> and <literal>UPDATE</literal>
privileges for some other column(s) of the table.
Any user could also use it for disclosure of server memory.
(CVE-2018-10925)
</para>
</listitem>
<listitem>
<!--
Author: Andres Freund <andres@anarazel.de>
Branch: master Release: REL_11_BR [a54e1f158] 2018-06-12 11:13:21 -0700
Branch: REL_10_STABLE [2ce64caaf] 2018-06-12 11:13:21 -0700
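Review bot: In the CVE-2018-10925 item, the closing sentence ("Any user could also use it for disclosure of server memory") is ambiguous next to the sentence before it, which conditions the column-update bypass on holding INSERT and UPDATE privileges for some other column(s) of the table. State explicitly whether the memory disclosure needs any privilege on the view or table at all, since that decides how an administrator ranks this item.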
@@ -260,29 +327,6 @@ Branch: REL_10_STABLE [4beb25c63] 2018-07-16 17:55:13 -0400
<listitem>
<!--
Author: Tom Lane <tgl@sss.pgh.pa.us>
Branch: master [b8a1247a3] 2018-08-04 19:38:58 -0400
Branch: REL_11_STABLE [e7154b6ac] 2018-08-04 19:38:58 -0400
Branch: REL_10_STABLE [f6a124d01] 2018-08-04 19:38:58 -0400
Branch: REL9_6_STABLE [b484bffe7] 2018-08-04 19:38:58 -0400
Branch: REL9_5_STABLE [5ad143cda] 2018-08-04 19:38:59 -0400
-->
<para>
Fix <literal>INSERT ... ON CONFLICT UPDATE</literal> through a view
that isn't just <literal>SELECT * FROM ...</literal>
(Dean Rasheed, Amit Langote)
</para>
<para>
Erroneous expansion of an updatable view could lead to crashes
or <quote>attribute ... has the wrong type</quote> errors, if the
view's <literal>SELECT</literal> list doesn't match one-to-one with
the underlying table's columns.
</para>
</listitem>
<listitem>
<!--
Author: Peter Geoghegan <pg@bowt.ie>
Branch: master [b3f919da0] 2018-08-03 15:11:31 -0700
Branch: REL_11_STABLE [b9612e5cf] 2018-08-03 14:45:02 -0700
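Review bot: The ON CONFLICT item dropped here carries the same branch list (b8a1247a3 through 5ad143cda) as the item added near the top of this file with the CVE-2018-10925 text, so the net change is a move plus three new sentences, yet the commit message says only "Last-minute updates for release notes". A line noting that an existing item was promoted to a security entry would help anyone reading the log later.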
doc/src/sgml/release-9.3.sgml
@@ -39,6 +39,34 @@
<itemizedlist>
<listitem>
<para>
Fix failure to reset <application>libpq</application>'s state fully
between connection attempts (Tom Lane)
</para>
<para>
An unprivileged user of <filename>dblink</filename>
or <filename>postgres_fdw</filename> could bypass the checks intended
to prevent use of server-side credentials, such as
a <filename>~/.pgpass</filename> file owned by the operating-system
user running the server. Servers allowing peer authentication on
local connections are particularly vulnerable. Other attacks such
as SQL injection into a <filename>postgres_fdw</filename> session
are also possible.
Attacking <filename>postgres_fdw</filename> in this way requires the
ability to create a foreign server object with selected connection
parameters, but any user with access to <filename>dblink</filename>
could exploit the problem.
In general, an attacker with the ability to select the connection
parameters for a <application>libpq</application>-using application
could cause mischief, though other plausible attack scenarios are
harder to think of.
Our thanks to Andrew Krasichkov for reporting this issue.
(CVE-2018-10915)
</para>
</listitem>
<listitem>
<para>
Ensure that updates to the <structfield>relfrozenxid</structfield>
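Review bot: In the CVE-2018-10915 paragraph, "Servers allowing peer authentication on local connections are particularly vulnerable" gives the conclusion without the reason, and the item offers nothing for sites that cannot update at once. A clause explaining why peer authentication matters here, plus a pointer to restricting who may use dblink or create foreign server objects until the update is applied, would make the entry actionable.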
doc/src/sgml/release-9.4.sgml
@@ -33,6 +33,34 @@
<itemizedlist>
<listitem>
<para>
Fix failure to reset <application>libpq</application>'s state fully
between connection attempts (Tom Lane)
</para>
<para>
An unprivileged user of <filename>dblink</filename>
or <filename>postgres_fdw</filename> could bypass the checks intended
to prevent use of server-side credentials, such as
a <filename>~/.pgpass</filename> file owned by the operating-system
user running the server. Servers allowing peer authentication on
local connections are particularly vulnerable. Other attacks such
as SQL injection into a <filename>postgres_fdw</filename> session
are also possible.
Attacking <filename>postgres_fdw</filename> in this way requires the
ability to create a foreign server object with selected connection
parameters, but any user with access to <filename>dblink</filename>
could exploit the problem.
In general, an attacker with the ability to select the connection
parameters for a <application>libpq</application>-using application
could cause mischief, though other plausible attack scenarios are
harder to think of.
Our thanks to Andrew Krasichkov for reporting this issue.
(CVE-2018-10915)
</para>
</listitem>
<listitem>
<para>
Ensure that updates to the <structfield>relfrozenxid</structfield>
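Review bot: The item title places the defect in libpq, but the body names only the server-side dblink and postgres_fdw cases and closes with "could cause mischief, though other plausible attack scenarios are harder to think of". That wording leaves it unclear whether client installations of libpq need the update; suggest replacing it with a direct statement of which libpq-using applications are affected, namely those that let an untrusted party select connection parameters.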
doc/src/sgml/release-9.5.sgml
@@ -33,6 +33,55 @@
<itemizedlist>
<listitem>
<para>
Fix failure to reset <application>libpq</application>'s state fully
between connection attempts (Tom Lane)
</para>
<para>
An unprivileged user of <filename>dblink</filename>
or <filename>postgres_fdw</filename> could bypass the checks intended
to prevent use of server-side credentials, such as
a <filename>~/.pgpass</filename> file owned by the operating-system
user running the server. Servers allowing peer authentication on
local connections are particularly vulnerable. Other attacks such
as SQL injection into a <filename>postgres_fdw</filename> session
are also possible.
Attacking <filename>postgres_fdw</filename> in this way requires the
ability to create a foreign server object with selected connection
parameters, but any user with access to <filename>dblink</filename>
could exploit the problem.
In general, an attacker with the ability to select the connection
parameters for a <application>libpq</application>-using application
could cause mischief, though other plausible attack scenarios are
harder to think of.
Our thanks to Andrew Krasichkov for reporting this issue.
(CVE-2018-10915)
</para>
</listitem>
<listitem>
<para>
Fix <literal>INSERT ... ON CONFLICT UPDATE</literal> through a view
that isn't just <literal>SELECT * FROM ...</literal>
(Dean Rasheed, Amit Langote)
</para>
<para>
Erroneous expansion of an updatable view could lead to crashes
or <quote>attribute ... has the wrong type</quote> errors, if the
view's <literal>SELECT</literal> list doesn't match one-to-one with
the underlying table's columns.
Furthermore, this bug could be leveraged to allow updates of columns
that an attacking user lacks <literal>UPDATE</literal> privilege for,
if that user has <literal>INSERT</literal> and <literal>UPDATE</literal>
privileges for some other column(s) of the table.
Any user could also use it for disclosure of server memory.
(CVE-2018-10925)
</para>
</listitem>
<listitem>
<para>
Ensure that updates to the <structfield>relfrozenxid</structfield>
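Review bot: "Other attacks such as SQL injection into a postgres_fdw session are also possible" in the first new item is not tied to anything else in the paragraph: it does not say what is injected or by whom. Either add a half-sentence connecting it to the connection-state reset problem named in the title or drop it, so the item does not read as a second, separate vulnerability.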
@@ -140,21 +189,6 @@
</para>
</listitem>
<listitem>
<para>
Fix <literal>INSERT ... ON CONFLICT UPDATE</literal> through a view
that isn't just <literal>SELECT * FROM ...</literal>
(Dean Rasheed, Amit Langote)
</para>
<para>
Erroneous expansion of an updatable view could lead to crashes
or <quote>attribute ... has the wrong type</quote> errors, if the
view's <literal>SELECT</literal> list doesn't match one-to-one with
the underlying table's columns.
</para>
</listitem>
<listitem>
<para>
Ensure a table's cached index list is correctly rebuilt after an index
doc/src/sgml/release-9.6.sgml
@@ -33,6 +33,55 @@
<itemizedlist>
<listitem>
<para>
Fix failure to reset <application>libpq</application>'s state fully
between connection attempts (Tom Lane)
</para>
<para>
An unprivileged user of <filename>dblink</filename>
or <filename>postgres_fdw</filename> could bypass the checks intended
to prevent use of server-side credentials, such as
a <filename>~/.pgpass</filename> file owned by the operating-system
user running the server. Servers allowing peer authentication on
local connections are particularly vulnerable. Other attacks such
as SQL injection into a <filename>postgres_fdw</filename> session
are also possible.
Attacking <filename>postgres_fdw</filename> in this way requires the
ability to create a foreign server object with selected connection
parameters, but any user with access to <filename>dblink</filename>
could exploit the problem.
In general, an attacker with the ability to select the connection
parameters for a <application>libpq</application>-using application
could cause mischief, though other plausible attack scenarios are
harder to think of.
Our thanks to Andrew Krasichkov for reporting this issue.
(CVE-2018-10915)
</para>
</listitem>
<listitem>
<para>
Fix <literal>INSERT ... ON CONFLICT UPDATE</literal> through a view
that isn't just <literal>SELECT * FROM ...</literal>
(Dean Rasheed, Amit Langote)
</para>
<para>
Erroneous expansion of an updatable view could lead to crashes
or <quote>attribute ... has the wrong type</quote> errors, if the
view's <literal>SELECT</literal> list doesn't match one-to-one with
the underlying table's columns.
Furthermore, this bug could be leveraged to allow updates of columns
that an attacking user lacks <literal>UPDATE</literal> privilege for,
if that user has <literal>INSERT</literal> and <literal>UPDATE</literal>
privileges for some other column(s) of the table.
Any user could also use it for disclosure of server memory.
(CVE-2018-10925)
</para>
</listitem>
<listitem>
<para>
Ensure that updates to the <structfield>relfrozenxid</structfield>
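Review bot: The CVE-2018-10915 item credits its reporter ("Our thanks to Andrew Krasichkov for reporting this issue") while the CVE-2018-10925 item directly below it ends with the CVE number and no credit. If that is deliberate, fine; if the second issue also had an external reporter, add the matching sentence here and in the other branches' copies of the item.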
@@ -140,21 +189,6 @@
</para>
</listitem>
<listitem>
<para>
Fix <literal>INSERT ... ON CONFLICT UPDATE</literal> through a view
that isn't just <literal>SELECT * FROM ...</literal>
(Dean Rasheed, Amit Langote)
</para>
<para>
Erroneous expansion of an updatable view could lead to crashes
or <quote>attribute ... has the wrong type</quote> errors, if the
view's <literal>SELECT</literal> list doesn't match one-to-one with
the underlying table's columns.
</para>
</listitem>
<listitem>
<para>
Ensure a table's cached index list is correctly rebuilt after an index