PostgreSQL 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 and 12 Beta 3 release

News 2019-08-09 12:39:04 views: null

PostgreSQL recently released for each supported version of the update, including PostgreSQL 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 and 12 Beta 3, this version fixes two security issues PostgreSQL server, a two security issues PostgreSQL Windows installer found, and more than 40 bug since the last published report.

safe question

This version has closed four security holes:

  • CVE-2019-10208: type in the pg_temp SECURITY DEFINER to execute arbitrary SQL during execution

Affected Version: 9.4 --11

Given the appropriate   SECURITY DEFINER function, an attacker can execute arbitrary SQL function under the identity of the owner. Attack requires EXECUTE permission to function, the function itself must contain inaccurate function parameters match the type of call. For example, length ( 'foo' :: varchar ) and length ( 'foo') is inaccurate, and the length ( 'foo' :: text) is accurate.

  • CVE-2019-10209: hash sub-program a memory leak in the cross-type comparison

Affected versions: 11

Equal operator comprising hypothetical user-defined database hash, an attacker can read any byte in server memory.

  • CVE-2019-10210: EnterpriseDB Windows Setup will PostgreSQL superuser password written unprotected temporary files

 Affected Version: 9.4-11 version of EnterpriseDB Windows Installer

EnterpriseDB Windows Installer password will write temporary files that the installation directory, create the initial database and delete the file. During this time, when the file exists, a local attacker can read the PostgreSQL superuser password from the file.

  • CVE-2019-10211: EnterpriseDB Windows installation program from the directory unprotected code execution

 Affected Version: 9.4-11 version of EnterpriseDB Windows Installer

When the database server or client library initialization libpq SSL, libeay32.dll read from a hard coded configuration directory. Although the directory does not exist, but any user can create a local directory and injection configuration. This configuration may indicate OpenSSL load and execute arbitrary code when running PostgreSQL server or client. Most PostgreSQL client tools and libraries use libpq, by using any one of them can encounter this vulnerability.

In addition, PostgreSQL 9.4 will be held February 13 2020 to stop receiving fixes.

Also includes other bug fixes, as detailed:

https://www.postgresql.org/about/news/1960/

Download:
https://www.postgresql.org/download/

Guess you like

Origin www.oschina.net/news/108907/postgresql-11-5-10-10-9-6-15-9-5-19-9-4-24-12-beta-3
Recommended
Ranking
Empire cms smart tag calls four first-level recommended articles, starting from the fourth article
Linux environment installation and configuration Elasticsearch7.17
Big Data processing architecture and Lambda Kappa architecture
Explore the top of the AI large model platform - Wenxin Qianfan
Beijing car PK10 lucky airship Guanya size and value of the odd and even tips
W3B x Sui Hacker House|In-depth understanding of Sui and Move language
Know almost Ko Chan: Chinese what any decent open source software products? (Finishing from my original answer)
Comprehensively improve AD domain security authentication | Zhuyun IDaaS
Android Update Engine Analysis (24) What happened when making the downgrade package?
Spark Architecture and Operating Mechanism (1) - System Architecture
Daily
More
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)
2024-04-28(12)

Code World

© 2018 codetd.com