{"id":"MGASA-2018-0446","summary":"Updated postgresql9.4|6 packages fix security vulnerabilities","details":"A flaw was found in the way PostgreSQL allowed a user to modify the\nbehavior of a query for other users. An attacker with a user account\ncould use this flaw to execute code with the permissions of superuser in\nthe database (CVE-2018-1058).\n\nPostgreSQL 9.6.x before 9.6.9 is vulnerable in the adminpack extension:\nthe pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs\nas pg_rotate_logfile. If the adminpack is added to a database, an\nattacker able to connect to it could exploit this to force log rotation\n(CVE-2018-1115).\n\nAndrew Krasichkov discovered that libpq did not reset all its connection\nstate during reconnects (CVE-2018-10915).\n\nIt was discovered that some \"CREATE TABLE\" statements could disclose\nserver memory (CVE-2018-10925).\n\nFully fixing these security issues requires manual intervention.  See\nthe upstream advisories for details.\n","modified":"2026-04-16T01:48:35.249998321Z","published":"2018-11-15T22:04:32Z","upstream":["CVE-2018-1058","CVE-2018-10915","CVE-2018-10925","CVE-2018-1115"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0446.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=22687"},{"type":"WEB","url":"https://www.postgresql.org/docs/9.4/static/release-9-4-17.html"},{"type":"WEB","url":"https://www.postgresql.org/docs/9.4/static/release-9-4-18.html"},{"type":"WEB","url":"https://www.postgresql.org/docs/9.4/static/release-9-4-19.html"},{"type":"WEB","url":"https://www.postgresql.org/docs/9.6/static/release-9-6-8.html"},{"type":"WEB","url":"https://www.postgresql.org/docs/9.6/static/release-9-6-9.html"},{"type":"WEB","url":"https://www.postgresql.org/docs/9.6/static/release-9-6-10.html"},{"type":"WEB","url":"https://www.postgresql.org/about/news/1834/"},{"type":"WEB","url":"https://www.postgresql.org/about/news/1851/"},{"type":"WEB","url":"https://www.postgresql.org/about/news/1878/"},{"type":"WEB","url":"https://www.debian.org/security/2018/dsa-4269"}],"affected":[{"package":{"name":"postgresql9.4","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/postgresql9.4?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.4.19-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0446.json"}},{"package":{"name":"postgresql9.6","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/postgresql9.6?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.6.10-3.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0446.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}