Notable from the release announcement for those not reading the article:
CVE-2018-10915: Certain host connection parameters defeat client-side security defenses
libpq, the client connection API for PostgreSQL that is also used by other
connection libraries, had an internal issue where it did not reset all of its
connection state variables when attempting to reconnect. In particular, the
state variable that determined whether or not a password is needed for a
connection would not be reset, which could allow users of features requiring
libpq, such as the “dblink” or “postgres_fdw” extensions, to log in to servers
they should not be able to access.
You can check if your database has either extension installed by running the
following from your PostgreSQL shell:
\dx dblink|postgres_fdw
Users are advised to upgrade their libpq installations as soon as possible.
The PostgreSQL Global Development Group thanks Andrew Krasichkov for reporting
this problem.
CVE-2018-10925: Memory disclosure and missing authorization in INSERT ... ON CONFLICT DO UPDATE
An attacker able to issue CREATE TABLE can read arbitrary bytes of server memory
using an upsert (INSERT ... ON CONFLICT DO UPDATE) query. By default, any
user can exploit that. A user that has specific INSERT privileges and an UPDATE
privilege on at least one column in a given table can also update other columns
using a view and an upsert query.
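A catalog audit that goes a little beyond the \dx check quoted above, added here as an example and not part of the announcement or of the comment: it lists the two extensions, the foreign servers defined in the database, and which roles are able to issue CREATE TABLE (the precondition named for CVE-2018-10925). It assumes that "able to issue CREATE TABLE" means holding CREATE on some schema or TEMPORARY on the database, and it does not inspect the libpq version itself.

```sql
-- Added audit example. Run in each database with a role that can read the catalogs.

-- 1. SQL equivalent of "\dx dblink|postgres_fdw", usable from any client or script.
SELECT e.extname, e.extversion, n.nspname AS installed_in
FROM pg_extension e
JOIN pg_namespace n ON n.oid = e.extnamespace
WHERE e.extname IN ('dblink', 'postgres_fdw');

-- 2. Foreign servers defined in this database. Each one is an outbound
--    connection target reached through libpq. dblink can also be given an
--    ad-hoc connection string, so this list is not exhaustive for dblink.
SELECT s.srvname, w.fdwname, r.rolname AS owner, s.srvoptions
FROM pg_foreign_server s
JOIN pg_foreign_data_wrapper w ON w.oid = s.srvfdw
JOIN pg_roles r ON r.oid = s.srvowner
ORDER BY s.srvname;

-- 3. Does the PUBLIC pseudo-role (i.e. every user) hold a privilege that
--    permits CREATE TABLE? CREATE on a schema covers ordinary tables,
--    TEMPORARY on the database covers temporary tables.
SELECT n.nspname AS schema_name,
       has_schema_privilege('public'::name, n.oid, 'CREATE') AS public_can_create
FROM pg_namespace n
WHERE n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
ORDER BY n.nspname;

SELECT current_database() AS database_name,
       has_database_privilege('public'::name, current_database()::text,
                              'TEMPORARY') AS public_can_create_temp;

-- 4. Non-superuser roles that can create tables in some schema, either
--    directly or through PUBLIC / role membership.
SELECT r.rolname, n.nspname AS schema_name
FROM pg_roles r
CROSS JOIN pg_namespace n
WHERE NOT r.rolsuper
  AND n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
  AND has_schema_privilege(r.oid, n.oid, 'CREATE')
ORDER BY r.rolname, n.nspname;
```

Rows from query 1 mean the libpq installed on the database host needs the upgrade; true values in query 3 mean the "any user" default described for CVE-2018-10925 applies to that database.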