FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-11-16 08:18:40 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
96eab874-9c79-11e8-b34b-6cc21735f730	PostgreSQL -- two vulnerabilities The PostgreSQL project reports: CVE-2018-10915: Certain host connection parameters defeat client-side security defenses libpq, the client connection API for PostgreSQL that is also used by other connection libraries, had an internal issue where it did not reset all of its connection state variables when attempting to reconnect. In particular, the state variable that determined whether or not a password is needed for a connection would not be reset, which could allow users of features requiring libpq, such as the "dblink" or "postgres_fdw" extensions, to login to servers they should not be able to access. CVE-2018-10925: Memory disclosure and missing authorization in `INSERT ... ON CONFLICT DO UPDATE` An attacker able to issue CREATE TABLE can read arbitrary bytes of server memory using an upsert (`INSERT ... ON CONFLICT DO UPDATE`) query. By default, any user can exploit that. A user that has specific INSERT privileges and an UPDATE privilege on at least one column in a given table can also update other columns using a view and an upsert query. Discovery 2018-08-09 Entry 2018-08-10 postgresql10-server < 10.5 postgresql96-server < 9.6.10 postgresql95-server < 9.5.14 postgresql94-server < 9.4.19 postgresql93-server < 9.3.24 https://www.postgresql.org/about/news/1878/ CVE-2018-10915 CVE-2018-10925
1c27a706-e3aa-11e8-b77a-6cc21735f730	PostgreSQL -- SQL injection in pg_upgrade and pg_dump The PostgreSQL project reports: CVE-2018-16850: SQL injection in pg_upgrade and pg_dump, via CREATE TRIGGER ... REFERENCING. Using a purpose-crafted trigger definition, an attacker can run arbitrary SQL statements with superuser privileges when a superuser runs pg_upgrade on the database or during a pg_dump dump/restore cycle. This attack requires a CREATE privilege on some non-temporary schema or a TRIGGER privilege on a table. This is exploitable in the default PostgreSQL configuration, where all users have CREATE privilege on public schema. Discovery 2018-11-08 Entry 2018-11-08 postgresql10-server < 10.6 postgresql96-server < 9.6.11 postgresql95-server < 9.5.15 postgresql94-server < 9.4.20 postgresql93-server < 9.3.25 https://www.postgresql.org/about/news/1905/ CVE-2018-16850

VuXML ID

Description

96eab874-9c79-11e8-b34b-6cc21735f730

PostgreSQL -- two vulnerabilities

The PostgreSQL project reports:

CVE-2018-10915: Certain host connection parameters defeat client-side security defenses

libpq, the client connection API for PostgreSQL that is also used by other connection libraries, had an internal issue where it did not reset all of its connection state variables when attempting to reconnect. In particular, the state variable that determined whether or not a password is needed for a connection would not be reset, which could allow users of features requiring libpq, such as the "dblink" or "postgres_fdw" extensions, to login to servers they should not be able to access.

CVE-2018-10925: Memory disclosure and missing authorization in `INSERT ... ON CONFLICT DO UPDATE`

An attacker able to issue CREATE TABLE can read arbitrary bytes of server memory using an upsert (`INSERT ... ON CONFLICT DO UPDATE`) query. By default, any user can exploit that. A user that has specific INSERT privileges and an UPDATE privilege on at least one column in a given table can also update other columns using a view and an upsert query.

Discovery 2018-08-09
Entry 2018-08-10
postgresql10-server

< 10.5

postgresql96-server

< 9.6.10

postgresql95-server

< 9.5.14

postgresql94-server

< 9.4.19

postgresql93-server

< 9.3.24

https://www.postgresql.org/about/news/1878/
CVE-2018-10915
CVE-2018-10925

1c27a706-e3aa-11e8-b77a-6cc21735f730

PostgreSQL -- SQL injection in pg_upgrade and pg_dump

The PostgreSQL project reports:

CVE-2018-16850: SQL injection in pg_upgrade and pg_dump, via CREATE TRIGGER ... REFERENCING.

Using a purpose-crafted trigger definition, an attacker can run arbitrary SQL statements with superuser privileges when a superuser runs pg_upgrade on the database or during a pg_dump dump/restore cycle. This attack requires a CREATE privilege on some non-temporary schema or a TRIGGER privilege on a table. This is exploitable in the default PostgreSQL configuration, where all users have CREATE privilege on public schema.

Discovery 2018-11-08
Entry 2018-11-08
postgresql10-server

< 10.6

postgresql96-server

< 9.6.11

postgresql95-server

< 9.5.15

postgresql94-server

< 9.4.20

postgresql93-server

< 9.3.25

https://www.postgresql.org/about/news/1905/
CVE-2018-16850