Bugzilla – Bug 1104199
VUL-0: CVE-2018-10915: postgresql94,postgresql96,postgresql10: Fix failure to reset libpq's state fully between connection attempts
Last modified: 2020-08-17 16:17:34 UTC
CVE-2018-10915
  https://borka.postgresql.org/staging/3ff314b316b0edaa589a7e237f9588e66942cf7e/

  Fix failure to reset libpq's state fully between connection attempts

  An unprivileged user of dblink or postgres_fdw could bypass the checks intended to prevent use of server-side credentials, such as a ~/.pgpass file owned by the operating-system user running the server. Servers allowing peer authentication on local connections are particularly vulnerable. Other attacks such as SQL injection into a postgres_fdw session are also possible. Attacking postgres_fdw in this way requires the ability to create a foreign server object with selected connection parameters, but any user with access to dblink could exploit the problem. In general, an attacker with the ability to select the connection parameters for a libpq-using application could cause mischief, though other plausible attack scenarios are harder to think of. Our thanks to Andrew Krasichkov for reporting this issue. (CVE-2018-10915)
CRD: 2018-08-09
is public
  https://www.postgresql.org/about/news/1878/

  CVE-2018-10915: Certain host connection parameters defeat client-side security defenses

  libpq, the client connection API for PostgreSQL that is also used by other connection libraries, had an internal issue where it did not reset all of its connection state variables when attempting to reconnect. In particular, the state variable that determined whether or not a password is needed for a connection would not be reset, which could allow users of features requiring libpq, such as the dblink or postgres_fdw extensions, to log in to servers they should not be able to access.

  You can check if your database has either extension installed by running the following from your PostgreSQL shell:

    \dx dblink|postgres_fdw

  Users are advised to upgrade their libpq installations as soon as possible. The PostgreSQL Global Development Group thanks Andrew Krasichkov for reporting this problem.
This is an autogenerated message for OBS integration:
This bug (1104199) was mentioned in
  https://build.opensuse.org/request/show/628665 Factory / postgresql10
  https://build.opensuse.org/request/show/628666 Factory / postgresql96
  https://build.opensuse.org/request/show/628667 Factory / postgresql95
  https://build.opensuse.org/request/show/628668 Factory / postgresql94
  https://build.opensuse.org/request/show/628669 Factory / postgresql93
SUSE-SU-2018:2564-1: An update that fixes three vulnerabilities is now available.
  Category: security (moderate)
  Bug References: 1091610,1104199,1104202
  CVE References: CVE-2018-10915,CVE-2018-10925,CVE-2018-1115
  Sources used:
    SUSE Linux Enterprise Module for Server Applications 15 (src): postgresql10-10.5-4.5.1
    SUSE Linux Enterprise Module for Basesystem 15 (src): postgresql10-10.5-4.5.1
openSUSE-SU-2018:2599-1: An update that fixes three vulnerabilities is now available.
  Category: security (moderate)
  Bug References: 1091610,1104199,1104202
  CVE References: CVE-2018-10915,CVE-2018-10925,CVE-2018-1115
  Sources used:
    openSUSE Leap 15.0 (src): postgresql10-10.5-lp150.3.3.1
SUSE-SU-2018:3287-1: An update that fixes one vulnerability is now available.
  Category: security (important)
  Bug References: 1104199
  CVE References: CVE-2018-10915
  Sources used:
    SUSE Linux Enterprise Software Development Kit 11-SP4 (src): postgresql94-libs-9.4.19-0.23.19.1
    SUSE Linux Enterprise Server 11-SP4 (src): postgresql94-9.4.19-0.23.19.1, postgresql94-libs-9.4.19-0.23.19.1
    SUSE Linux Enterprise Debuginfo 11-SP4 (src): postgresql94-9.4.19-0.23.19.1, postgresql94-libs-9.4.19-0.23.19.1
SUSE-SU-2018:3377-1: An update that fixes two vulnerabilities is now available.
  Category: security (important)
  Bug References: 1104199,1104202
  CVE References: CVE-2018-10915,CVE-2018-10925
  Sources used:
    SUSE OpenStack Cloud 7 (src): postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1
    SUSE Linux Enterprise Software Development Kit 12-SP3 (src): postgresql96-libs-9.6.10-3.22.1
    SUSE Linux Enterprise Server for SAP 12-SP2 (src): postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1
    SUSE Linux Enterprise Server for SAP 12-SP1 (src): postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1
    SUSE Linux Enterprise Server 12-SP3 (src): postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1
    SUSE Linux Enterprise Server 12-SP2-LTSS (src): postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1
    SUSE Linux Enterprise Server 12-SP1-LTSS (src): postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1
    SUSE Linux Enterprise Server 12-LTSS (src): postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1
    SUSE Linux Enterprise Desktop 12-SP3 (src): postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1
    SUSE Enterprise Storage 4 (src): postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1
openSUSE-SU-2018:3449-1: An update that fixes two vulnerabilities is now available.
  Category: security (important)
  Bug References: 1104199,1104202
  CVE References: CVE-2018-10915,CVE-2018-10925
  Sources used:
    openSUSE Leap 42.3 (src): postgresql96-9.6.10-21.1, postgresql96-libs-9.6.10-21.1
SUSE-SU-2018:3909-1: An update that fixes one vulnerability is now available.
  Category: security (important)
  Bug References: 1104199
  CVE References: CVE-2018-10915
  Sources used:
    SUSE OpenStack Cloud 7 (src): postgresql94-9.4.19-21.22.7
    SUSE Linux Enterprise Server for SAP 12-SP2 (src): postgresql94-9.4.19-21.22.7
    SUSE Linux Enterprise Server for SAP 12-SP1 (src): postgresql94-9.4.19-21.22.7
    SUSE Linux Enterprise Server 12-SP2-LTSS (src): postgresql94-9.4.19-21.22.7
    SUSE Linux Enterprise Server 12-SP1-LTSS (src): postgresql94-9.4.19-21.22.7
    SUSE Linux Enterprise Server 12-LTSS (src): postgresql94-9.4.19-21.22.7
    SUSE Enterprise Storage 4 (src): postgresql94-9.4.19-21.22.7
was fixed in initial 10.5 shipment of postgresql10.
openSUSE-SU-2018:4007-1: An update that fixes one vulnerability is now available.
  Category: security (important)
  Bug References: 1104199
  CVE References: CVE-2018-10915
  Sources used:
    openSUSE Leap 42.3 (src): postgresql94-9.4.19-24.1, postgresql94-libs-9.4.19-24.1
This is an autogenerated message for OBS integration: This bug (1104199) was mentioned in https://build.opensuse.org/request/show/679960 Factory / postgresql10
This is an autogenerated message for OBS integration: This bug (1104199) was mentioned in https://build.opensuse.org/request/show/826617 15.1+15.2+Backports:SLE-15-SP1+Backports:SLE-15-SP2 / postgresql96
openSUSE-SU-2020:1227-1: An update that solves 7 vulnerabilities and has two fixes is now available.
  Category: security (moderate)
  Bug References: 1091610,1104199,1104202,1134689,1145092,1148643,1163985,1171924,1175194
  CVE References: CVE-2018-10915,CVE-2018-10925,CVE-2018-1115,CVE-2019-10130,CVE-2019-10208,CVE-2020-14350,CVE-2020-1720
  JIRA References:
  Sources used:
    openSUSE Leap 15.1 (src): postgresql-12.0.1-lp151.6.9.1, postgresql10-10.13-lp151.2.14.1, postgresql12-12.3-lp151.2.1, postgresql96-9.6.19-lp151.3.3.1