This bug was fixed in the package postgresql-9.3 - 9.3.24-0ubuntu0.14.04

---------------
postgresql-9.3 (9.3.24-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream release (LP: #1786938)
    - Fix failure to reset libpq's state fully between connection
      attempts.
      An unprivileged user of dblink or postgres_fdw could bypass the
      checks intended to prevent use of server-side credentials, such
      as a ~/.pgpass file owned by the operating-system user running
      the server. Servers allowing peer authentication on local
      connections are particularly vulnerable. Other attacks such as
      SQL injection into a postgres_fdw session are also possible.
      Attacking postgres_fdw in this way requires the ability to
      create a foreign server object with selected connection
      parameters, but any user with access to dblink could exploit
      the problem. In general, an attacker with the ability to select
      the connection parameters for a libpq-using application could
      cause mischief, though other plausible attack scenarios are
      harder to think of.
      Our thanks to Andrew Krasichkov for reporting this issue.
      (CVE-2018-10915)
    - d/libecpg-dev.install: Add new pgtypes header.
    - d/libpgtypes3.symbols: Add new pgtypes symbol.
    - Details about these and other changes can be found at
      https://www.postgresql.org/docs/9.3/static/release-9-3-24.html

 -- Christian Ehrhardt <christian.ehrha...@canonical.com>  Tue, 14 Aug 2018 14:49:12 +0200

** Changed in: postgresql-9.3 (Ubuntu Trusty)
       Status: Triaged => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10915

** Changed in: postgresql-9.5 (Ubuntu Xenial)
       Status: Triaged => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10925

-- 
https://bugs.launchpad.net/bugs/1786938

Title:
  New upstream microreleases 9.3.24, 9.5.14, and 10.5

Status in postgresql-10 package in Ubuntu:
  Fix Released
Status in postgresql-9.3 package in Ubuntu:
  Invalid
Status in postgresql-9.5 package in Ubuntu:
  Invalid
Status in postgresql-9.3 source package in Trusty:
  Fix Released
Status in postgresql-9.5 source package in Xenial:
  Fix Released
Status in postgresql-10 source package in Bionic:
  Fix Released
Status in postgresql-10 source package in Cosmic:
  Fix Released

Bug description:
  Postgresql stable update

  Current versions in supported releases:
   postgresql-9.3 | 9.3.23-0ubuntu0.14.04 trusty
   postgresql-9.5 | 9.5.13-0ubuntu0.16.04 xenial
   postgresql-10  | 10.4-0ubuntu0.18.04   bionic
   postgresql-10  | 10.5-1                cosmic

  Special cases:
  - Cosmic is already synced from Debian's upload
  - This is again a security update, so we prep and security will eval
    and publish through -security

  Last related stable updates: 9.3.24, 9.5.14, 10.5

  So the todo is to pick:
  MRE: Trusty 9.3.24 from https://ftp.postgresql.org/pub/source/v9.3.24/postgresql-9.3.24.tar.gz
  MRE: Xenial 9.5.14 from https://ftp.postgresql.org/pub/source/v9.5.14/postgresql-9.5.14.tar.gz
  MRE: Bionic 10.5 from https://ftp.postgresql.org/pub/source/v10.5/postgresql-10.5.tar.gz

  Standing MRE - Consider last updates as template:
  - pad.lv/1637236
  - pad.lv/1664478
  - pad.lv/1690730
  - pad.lv/1713979
  - pad.lv/1730661
  - pad.lv/1747676
  - pad.lv/1752271

  New - this bug