193 lines
8.7 KiB
JSON
193 lines
8.7 KiB
JSON
{
|
||
"Definition": [
|
||
{
|
||
"ID": "oval:org.altlinux.errata:def:20191785",
|
||
"Version": "oval:org.altlinux.errata:def:20191785",
|
||
"Class": "patch",
|
||
"Metadata": {
|
||
"Title": "ALT-PU-2019-1785: package `postgresql11` update to version 11.3-alt1",
|
||
"AffectedList": [
|
||
{
|
||
"Family": "unix",
|
||
"Platforms": [
|
||
"ALT Linux branch p9"
|
||
],
|
||
"Products": [
|
||
"ALT Server",
|
||
"ALT Virtualization Server",
|
||
"ALT Workstation",
|
||
"ALT Workstation K",
|
||
"ALT Education",
|
||
"Simply Linux",
|
||
"Starterkit"
|
||
]
|
||
}
|
||
],
|
||
"References": [
|
||
{
|
||
"RefID": "ALT-PU-2019-1785",
|
||
"RefURL": "https://errata.altlinux.org/ALT-PU-2019-1785",
|
||
"Source": "ALTPU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2019-02122",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2019-02122",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2019-04641",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2019-04641",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "CVE-2019-10129",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-10129",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2019-10130",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-10130",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2019-9193",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-9193",
|
||
"Source": "CVE"
|
||
}
|
||
],
|
||
"Description": "This update upgrades postgresql11 to version 11.3-alt1. \nSecurity Fix(es):\n\n * BDU:2019-02122: Уязвимость инсталлятора BigSQL системы управления базами данных PostgreSQL, позволяющая нарушителю прочитать произвольные области памяти серверного процесса\n\n * BDU:2019-04641: Уязвимость системы управления базами данных PostgreSQL, связанная с некорректным контролем доступа, позволяющая нарушителю получить доступ к конфиденциальным данным\n\n * CVE-2019-10129: A vulnerability was found in postgresql versions 11.x prior to 11.3. Using a purpose-crafted insert to a partitioned table, an attacker can read arbitrary bytes of server memory. In the default configuration, any user can create a partitioned table suitable for this attack. (Exploit prerequisites are the same as for CVE-2018-1052).\n\n * CVE-2019-10130: A vulnerability was found in PostgreSQL versions 11.x up to excluding 11.3, 10.x up to excluding 10.8, 9.6.x up to, excluding 9.6.13, 9.5.x up to, excluding 9.5.17. PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of certain columns. Affected columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-level security prunes the set of rows visible to the attacker.\n\n * CVE-2019-9193: In PostgreSQL 9.3 through 11.2, the \"COPY TO/FROM PROGRAM\" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.",
|
||
"Advisory": {
|
||
"From": "errata.altlinux.org",
|
||
"Severity": "High",
|
||
"Rights": "Copyright 2024 BaseALT Ltd.",
|
||
"Issued": {
|
||
"Date": "2019-05-09"
|
||
},
|
||
"Updated": {
|
||
"Date": "2019-05-09"
|
||
},
|
||
"BDUs": [
|
||
{
|
||
"ID": "BDU:2019-02122",
|
||
"CVSS": "AV:N/AC:H/Au:S/C:C/I:C/A:C",
|
||
"CVSS3": "AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-200",
|
||
"Href": "https://bdu.fstec.ru/vul/2019-02122",
|
||
"Impact": "High",
|
||
"Public": "20190509"
|
||
},
|
||
{
|
||
"ID": "BDU:2019-04641",
|
||
"CVSS": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
|
||
"CWE": "CWE-284",
|
||
"Href": "https://bdu.fstec.ru/vul/2019-04641",
|
||
"Impact": "Low",
|
||
"Public": "20190730"
|
||
}
|
||
],
|
||
"CVEs": [
|
||
{
|
||
"ID": "CVE-2019-10129",
|
||
"CVSS": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
|
||
"CWE": "CWE-125",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-10129",
|
||
"Impact": "Low",
|
||
"Public": "20190730"
|
||
},
|
||
{
|
||
"ID": "CVE-2019-10130",
|
||
"CVSS": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
|
||
"CWE": "CWE-284",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-10130",
|
||
"Impact": "Low",
|
||
"Public": "20190730"
|
||
},
|
||
{
|
||
"ID": "CVE-2019-9193",
|
||
"CVSS": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
|
||
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-78",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-9193",
|
||
"Impact": "High",
|
||
"Public": "20190401"
|
||
}
|
||
],
|
||
"AffectedCPEs": {
|
||
"CPEs": [
|
||
"cpe:/o:alt:kworkstation:9",
|
||
"cpe:/o:alt:workstation:9",
|
||
"cpe:/o:alt:server:9",
|
||
"cpe:/o:alt:server-v:9",
|
||
"cpe:/o:alt:education:9",
|
||
"cpe:/o:alt:slinux:9",
|
||
"cpe:/o:alt:starterkit:p9"
|
||
]
|
||
}
|
||
}
|
||
},
|
||
"Criteria": {
|
||
"Operator": "AND",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:1001",
|
||
"Comment": "ALT Linux must be installed"
|
||
}
|
||
],
|
||
"Criterias": [
|
||
{
|
||
"Operator": "OR",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191785001",
|
||
"Comment": "libecpg6 is earlier than 0:11.3-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191785002",
|
||
"Comment": "libpq5 is earlier than 0:11.3-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191785003",
|
||
"Comment": "postgresql-devel is earlier than 0:11.3-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191785004",
|
||
"Comment": "postgresql-devel-static is earlier than 0:11.3-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191785005",
|
||
"Comment": "postgresql11 is earlier than 0:11.3-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191785006",
|
||
"Comment": "postgresql11-contrib is earlier than 0:11.3-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191785007",
|
||
"Comment": "postgresql11-docs is earlier than 0:11.3-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191785008",
|
||
"Comment": "postgresql11-perl is earlier than 0:11.3-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191785009",
|
||
"Comment": "postgresql11-python is earlier than 0:11.3-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191785010",
|
||
"Comment": "postgresql11-server is earlier than 0:11.3-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191785011",
|
||
"Comment": "postgresql11-tcl is earlier than 0:11.3-alt1"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
} |