This bug was fixed in the package postgresql-9.3 - 9.3.24-0ubuntu0.14.04
---------------
postgresql-9.3 (9.3.24-0ubuntu0.14.04) trusty-security; urgency=medium
* New upstream release (LP: #1786938)
- Fix failure to reset libpq's state fully between connection attempts
.
An unprivileged user of dblink or postgres_fdw could bypass the checks
intended to prevent use of server-side credentials, such as a ~/.pgpass
file owned by the operating-system user running the server. Servers
allowing peer authentication on local connections are particularly
vulnerable. Other attacks such as SQL injection into a postgres_fdw
session are also possible. Attacking postgres_fdw in this way requires
the ability to create a foreign server object with selected connection
parameters, but any user with access to dblink could exploit the
problem. In general, an attacker with the ability to select the
connection parameters for a libpq-using application could cause
mischief, though other plausible attack scenarios are harder to think
of. Our thanks to Andrew Krasichkov for reporting this issue.
(CVE-2018-10915)
- d/libecpg-dev.install: Add new pgtypes header.
- d/libpgtypes3.symbols: Add new pgtypes symbol.
- Details about these and other changes can be found at
https://www.postgresql.org/docs/9.3/static/release-9-3-24.html
-- Christian Ehrhardt <christian.ehrha...@canonical.com> Tue, 14 Aug
2018 14:49:12 +0200
** Changed in: postgresql-9.3 (Ubuntu Trusty)
Status: Triaged => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10915
** Changed in: postgresql-9.5 (Ubuntu Xenial)
Status: Triaged => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10925
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1786938
Title:
New upstream microreleases 9.3.24, 9.5.14, and 10.5
Status in postgresql-10 package in Ubuntu:
Fix Released
Status in postgresql-9.3 package in Ubuntu:
Invalid
Status in postgresql-9.5 package in Ubuntu:
Invalid
Status in postgresql-9.3 source package in Trusty:
Fix Released
Status in postgresql-9.5 source package in Xenial:
Fix Released
Status in postgresql-10 source package in Bionic:
Fix Released
Status in postgresql-10 source package in Cosmic:
Fix Released
Bug description:
Postgresql stable update
Current versions in supported releases:
postgresql-9.3 | 9.3.23-0ubuntu0.14.04 trusty
postgresql-9.5 | 9.5.13-0ubuntu0.16.04 xenial
postgresql-10 | 10.4-0ubuntu0.18.04 bionic
postgresql-10 | 10.5-1 cosmic
Special cases:
- Cosmic is already synced from Debians upload
- This is again a security update, so we prep and security will eval and
publish through -security
Last related stable updates: 9.3.24, 9.5.14444, 10.5
So the todo is to pick:
MRE: Trusty 9.3.24 from
https://ftp.postgresql.org/pub/source/v9.3.24/postgresql-9.3.24.tar.gz
MRE: Xenial 9.5.14 from
https://ftp.postgresql.org/pub/source/v9.5.14/postgresql-9.5.14.tar.gz
MRE: Bionic 10.5 from
https://ftp.postgresql.org/pub/source/v10.5/postgresql-10.5.tar.gz
Standing MRE - Consider last updates as template:
- pad.lv/1637236
- pad.lv/1664478
- pad.lv/1690730
- pad.lv/1713979
- pad.lv/1730661
- pad.lv/1747676
- pad.lv/1752271
New - this bug
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postgresql-10/+bug/1786938/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help : https://help.launchpad.net/ListHelp
