1. 12
    1. 8

      Notable from the release announcement for those not reading the article:

      • CVE-2018-10915: Certain host connection parameters defeat client-side security defenses

      libpq, the client connection API for PostgreSQL that is also used by other connection libraries, had an internal issue where it did not reset all of its connection state variables when attempting to reconnect. In particular, the state variable that determined whether or not a password is needed for a connection would not be reset, which could allow users of features requiring libpq, such as the “dblink” or “postgres_fdw” extensions, to log in to servers they should not be able to access.

      You can check if your database has either extension installed by running the following from your PostgreSQL shell:

      \dx dblink|postgres_fdw

      Users are advised to upgrade their libpq installations as soon as possible.

      The PostgreSQL Global Development Group thanks Andrew Krasichkov for reporting this problem.

      • CVE-2018-10925: Memory disclosure and missing authorization in INSERT ... ON CONFLICT DO UPDATE

      An attacker able to issue CREATE TABLE can read arbitrary bytes of server memory using an upsert (INSERT ... ON CONFLICT DO UPDATE) query. By default, any user can exploit that. A user that has specific INSERT privileges and an UPDATE privilege on at least one column in a given table can also update other columns using a view and an upsert query.