Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.4335 postgresql-common security update 15 November 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: postgresql-common Publisher: Debian Operating System: Debian GNU/Linux 9 Debian GNU/Linux 10 UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Increased Privileges -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2019-3466 Original Bulletin: http://www.debian.org/security/2019/dsa-4568 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running postgresql-common check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-4568-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff November 14, 2019 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : postgresql-common CVE ID : CVE-2019-3466 Rich Mirch discovered that the pg_ctlcluster script didn't drop privileges when creating socket/statistics temporary directories, which could result in local privilege escalation. For the oldstable distribution (stretch), this problem has been fixed in version 181+deb9u3. For the stable distribution (buster), this problem has been fixed in version 200+deb10u3. We recommend that you upgrade your postgresql-common packages. For the detailed security status of postgresql-common please refer to its security tracker page at: https://security-tracker.debian.org/tracker/postgresql-common Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl3Nxw8ACgkQEMKTtsN8 TjZLpg/7BYZxfcxlC7pD5xDeCuibl8fmqOQo7+fT5LJnnnaGVroy9B4bGf9MaIgx 9aHis3FofPc0I2OQV9S+XaaPvcggrFO9TlmErJaLXRqxjAFjalOxC1jsWu1J0rhz HV4ZrOUfkE06AuDcVjVfI7u8W+R+xuYkqIlFhirZ4xGGBUtrZXQOTNgBaZmqrlEX VBnd22L/dxIVeWF2hFU94WldY5Ywx6ouy1gxAT7KiC6JTqjDOqbyVaX10Ivw8i5w S7+AEDssIkkuoOyNeRtULBT3ghXIskBPlKLI0tafQnp4Yrvhz/CRqlEmqA5Frfdw 82d+bmmMQv0wNN6j742IpTn6Xz9NiSRlLTG098HPv5eQ6aPvCNPx+BRYrFHtfeWh cV73TkpeX6Hsyxnb1srP5Yy76oxK8milRcNDbkh3zN7q2pnCVL9F1Hco0UxcqY7D yw8c+c0xJClUKJScSFO+fpA4XyE3M0YPkGz6tms3ham7pGE7tkPfcWKKTvs4qWB6 VObGlINKnTvGvlodTTUWmoLHZEmiUX5wOThHbXBoPbE1P20dJL+6xWIy6T7Zq7xp YWWBSFnwBiEL4v1CuKH/JZEabHqeXLtOKEA2qZNlmL0DX71vDOYsFIHUFjZB/SP1 vl61tjilvFHM8uvWx5CATWQnz0ajMtkoAC76X4mNJxc8jM6pKNY= =HLzY - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXc4sBGaOgq3Tt24GAQi1RBAAtcLYNOb2Pkl+zu3pbwf0ca6/c9YsJrAP 2HSF6FzoXXCcnMy55Qtuc2tjCEKXUY9sAKDdUOp0bYFG3QxGqDbGhYaq9oooYohB 5bBht7ZmwSCNgRKCDapNloCd+NWM5V2U9kj6bYiZp/2ZG8PxpzQqyw1esMU7Y49p 38AjY7kaPJIsoDeKUovFi6UR7gkNlhXon+jTLN7uN+OAuCtEpNrGGO/0LalbKN3m VMC4tpn2CwPB+7CIBPwMpUobUFor7/Ltsm1jXR0qlzEE4+YZwiFitDDPGJaPLWu4 3152jU13PzE1i/xAqSJWSTn+Ge/UZ0MsFejcnFjvjf77tXdA4qEW5GWi1NOTed2E HcnGE1qamDcJ+PzCRMRoPqB+59HmZMp+e1PtWG1CUaic8AiCImveNMqlN3RxLPOJ m7O/5/WH56Ab0V41do01jri/d54ZDQo7LmGIWfoxbwnJiLaDqGN8+CTi0sioLYk+ UA/4vJv/Sb/odT6YjPHWbjVLR6tO0lD/gJqTEW9Sy0fM1xHVlxkltvLpij/dThlo jcYsyLsj4dt7SYuDLHeev/03HgMEOP/zKnS0PC1ZViNhnkdr7Kj3Smr5kAhlNZ+S 1cYzI5y0jJ5MihJ+fYUviFG+kW4+Z2ZRV+XZXsxTdy1HXTh6Ul+MaWubLWnHbrjw McfoZW75J2s= =nd+P -----END PGP SIGNATURE-----