Ubuntu update for PostgreSQL

Published: 2019-05-15 22:48:15 | Updated: 2019-05-15
Severity: Low
Patch available: YES
Number of vulnerabilities: 2
CVE ID: CVE-2019-10129, CVE-2019-10130
CVSSv3:
  3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
  3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CWE ID: CWE-401, CWE-264
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: postgresql-10 (Ubuntu package), postgresql-9.5 (Ubuntu package)
Vulnerable software versions:
  postgresql-10 (Ubuntu package) 10.7-0ubuntu0.18.10.1
  postgresql-10 (Ubuntu package) 10.7-0ubuntu0.18.04.1
  postgresql-10 (Ubuntu package) 10.6-0ubuntu0.18.10.1
  postgresql-10 (Ubuntu package) 10.6-0ubuntu0.18.04.1
  postgresql-9.5 (Ubuntu package) 9.5.16-0ubuntu0.16.04.1
  postgresql-9.5 (Ubuntu package) 9.5.8-0ubuntu0.16.04.1
Vendor: Canonical Ltd.

Security Advisory

1) Memory leak

Description

The vulnerability allows a remote attacker to read parts of system memory.

The vulnerability exists due to a memory leak when processing INSERT queries. A remote authenticated user can execute a specially crafted INSERT statement against a partitioned table and read parts of memory.

Remediation

Update the affected packages.

Ubuntu 19.04
postgresql-11 - 11.3-0ubuntu0.19.04.1
Ubuntu 18.10
postgresql-10 - 10.8-0ubuntu0.18.10.1
Ubuntu 18.04 LTS
postgresql-10 - 10.8-0ubuntu0.18.04.1
Ubuntu 16.04 LTS
postgresql-9.5 - 9.5.17-0ubuntu0.16.04.1

External links

https://usn.ubuntu.com/3972-1/

2) Permissions, Privileges, and Access Controls

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to incorrect implementation of row security policies. A remote attacker can use statistics generated for tables to bypass row security policies and gain access to restricted rows.

Remediation

Update the affected packages.

Ubuntu 19.04
postgresql-11 - 11.3-0ubuntu0.19.04.1
Ubuntu 18.10
postgresql-10 - 10.8-0ubuntu0.18.10.1
Ubuntu 18.04 LTS
postgresql-10 - 10.8-0ubuntu0.18.04.1
Ubuntu 16.04 LTS
postgresql-9.5 - 9.5.17-0ubuntu0.16.04.1

External links

https://usn.ubuntu.com/3972-1/
