aboutsummaryrefslogtreecommitdiff
path: root/databases/pear-MDB
diff options
context:
space:
mode:
authorPalle Girgensohn <girgen@FreeBSD.org>2020-08-13 13:45:02 +0000
committerPalle Girgensohn <girgen@FreeBSD.org>2020-08-13 13:45:02 +0000
commitc181e5cbd7b38d4c01a7bb7360c293e5cd8f2a5b (patch)
tree0da445871731bbf404a2ed91a42e3f1fad095800 /databases/pear-MDB
parent6928fda4df3b2851fafd30ddb77fd84af308d1d0 (diff)
downloadports-c181e5cbd7b38d4c01a7bb7360c293e5cd8f2a5b.tar.gz
ports-c181e5cbd7b38d4c01a7bb7360c293e5cd8f2a5b.zip
The PostgreSQL Global Development Group has released an update to all
supported versions of our database system, including 12.4, 11.9, 10.14, 9.6.19, and 9.5.23. This release closes two security vulnerabilities and fixes over 50 bugs reported over the last three months. Please plan to update at your earliest convenience. Security Issues --------------- * CVE-2020-14349: Uncontrolled search path element in logical replication. Versions Affected: 10 - 12. The PostgreSQL `search_path` setting determines schemas searched for tables, functions, operators, etc. The CVE-2018-1058 fix caused most PostgreSQL-provided client applications to sanitize `search_path`, but logical replication continued to leave `search_path` unchanged. Users of a replication publisher or subscriber database can create objects in the `public` schema and harness them to execute arbitrary SQL functions under the identity running replication, often a superuser. Installations having adopted a documented secure schema usage pattern are not vulnerable. The PostgreSQL project thanks Noah Misch for reporting this problem. * CVE-2020-14350: Uncontrolled search path element in `CREATE EXTENSION`. Versions Affected: 9.5 - 12. The security team typically does not test unsupported versions, but this problem is quite old. When a superuser runs certain `CREATE EXTENSION` statements, users may be able to execute arbitrary SQL functions under the identity of that superuser. The attacker must have permission to create objects in the new extension's schema or a schema of a prerequisite extension. Not all extensions are vulnerable. In addition to correcting the extensions provided with PostgreSQL, the PostgreSQL Global Development Group is issuing guidance for third-party extension authors to secure their own work. The PostgreSQL project thanks Andres Freund for reporting this problem. Security: CVE-2020-14349, CVE-2020-14350
Notes
Notes: svn path=/head/; revision=544810
Diffstat (limited to 'databases/pear-MDB')
0 files changed, 0 insertions, 0 deletions