PostgreSQL recently released for each supported version of the update, including PostgreSQL 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 and 12 Beta 3, this version fixes two security issues PostgreSQL server, a two security issues PostgreSQL Windows installer found, and more than 40 bug since the last published report.
safe question
This version has closed four security holes:
-
CVE-2019-10208: type in the pg_temp
SECURITY DEFINER
to execute arbitrary SQL during execution
Affected Version: 9.4 --11
Given the appropriate SECURITY DEFINER
function, an attacker can execute arbitrary SQL function under the identity of the owner. Attack requires EXECUTE permission to function, the function itself must contain inaccurate function parameters match the type of call. For example, length ( 'foo' :: varchar ) and length ( 'foo') is inaccurate, and the length ( 'foo' :: text) is accurate.
-
CVE-2019-10209: hash sub-program a memory leak in the cross-type comparison
Affected versions: 11
Equal operator comprising hypothetical user-defined database hash, an attacker can read any byte in server memory.
-
CVE-2019-10210: EnterpriseDB Windows Setup will PostgreSQL superuser password written unprotected temporary files
Affected Version: 9.4-11 version of EnterpriseDB Windows Installer
EnterpriseDB Windows Installer password will write temporary files that the installation directory, create the initial database and delete the file. During this time, when the file exists, a local attacker can read the PostgreSQL superuser password from the file.
-
CVE-2019-10211: EnterpriseDB Windows installation program from the directory unprotected code execution
Affected Version: 9.4-11 version of EnterpriseDB Windows Installer
When the database server or client library initialization libpq SSL, libeay32.dll read from a hard coded configuration directory. Although the directory does not exist, but any user can create a local directory and injection configuration. This configuration may indicate OpenSSL load and execute arbitrary code when running PostgreSQL server or client. Most PostgreSQL client tools and libraries use libpq, by using any one of them can encounter this vulnerability.
In addition, PostgreSQL 9.4 will be held February 13 2020 to stop receiving fixes.
Also includes other bug fixes, as detailed:
https://www.postgresql.org/about/news/1960/
Download:
https://www.postgresql.org/download/