SB2019080921 - Fedora 30 update for libpq, postgresql
Published: August 9, 2019 Updated: April 25, 2025
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-10208)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to the way PostgreSQL processes SECURITY DEFINER functions. A privileged attacker with EXECUTE permission on such a function, which must itself contain a function call having an inexact argument type match, can execute arbitrary SQL under the identity of the function owner.
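The precondition the bulletin names, a SECURITY DEFINER function whose body calls another function with an inexact argument type match, is easiest to recognise in a concrete definition. The following is an added example written for this bulletin, not code from the bulletin or from the PostgreSQL project; the schema `app`, table `app.audit_log` and function `app.log_event` are assumed names. It shows the pattern, a hardened rewrite that removes the inexact match and pins `search_path` as the PostgreSQL documentation recommends for SECURITY DEFINER functions, and a catalog query that inventories SECURITY DEFINER functions which do not pin `search_path`. Installing the vendor update is still the actual fix.

```sql
-- Added example, not from the bulletin or the PostgreSQL project.
-- Assumed objects: schema app, table app.audit_log(msg_len int, msg text),
-- function app.log_event(varchar).

-- Pattern described in the bulletin: a SECURITY DEFINER function whose body
-- calls length() with a varchar argument. length() is declared on text, so the
-- call is an inexact argument type match and is resolved through coercion
-- rules at call time.
CREATE OR REPLACE FUNCTION app.log_event(msg varchar)
RETURNS void LANGUAGE sql SECURITY DEFINER AS $$
    INSERT INTO app.audit_log(msg_len, msg) VALUES (length(msg), msg);
$$;

-- Hardened form: the argument is cast to the callee's exact declared type, so
-- no inexact match remains, and search_path is pinned (writable schemas
-- excluded, pg_temp explicitly last) so lookups inside the function cannot be
-- redirected by the calling session. This removes the precondition the
-- bulletin names; it does not replace the vendor update.
CREATE OR REPLACE FUNCTION app.log_event(msg varchar)
RETURNS void LANGUAGE sql SECURITY DEFINER
SET search_path = app, pg_temp
AS $$
    INSERT INTO app.audit_log(msg_len, msg)
    VALUES (length(msg::text), msg::text);
$$;

-- Defender check: list user-defined SECURITY DEFINER functions that do not pin
-- search_path. proconfig holds per-function SET clauses as 'name=value' text.
SELECT n.nspname                   AS schema,
       p.proname                   AS function,
       pg_get_userbyid(p.proowner) AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND (p.proconfig IS NULL
       OR NOT EXISTS (SELECT 1 FROM unnest(p.proconfig) AS c
                      WHERE c LIKE 'search_path=%'))
ORDER BY 1, 2;
```

Each function the query returns is worth reviewing for calls with inexact argument types and for who holds EXECUTE on it; granting EXECUTE only to the roles that need it narrows the set of users able to reach the described behaviour.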
2) Information disclosure (CVE-ID: CVE-2019-10209)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the way PostgreSQL processes user-defined hash equality operators. A remote attacker can, under certain circumstances, read arbitrary bytes from server memory.
Note that exploitation of this vulnerability requires a superuser to have created unusual operators.
3) Untrusted search path (CVE-ID: CVE-2019-10211)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists because the EnterpriseDB Windows installer bundles an OpenSSL library that tries to load its configuration from a hard-coded location on the system. This location usually does not exist, so an attacker can create the folder, place a malicious configuration file in it, and have that configuration loaded and executed.
Remediation
Install update from vendor's website.