Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.4335
postgresql-common security update
15 November 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: postgresql-common
Publisher: Debian
Operating System: Debian GNU/Linux 9
Debian GNU/Linux 10
UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Increased Privileges -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-3466
Original Bulletin:
http://www.debian.org/security/2019/dsa-4568
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running postgresql-common check for an updated version of the
software for their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4568-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 14, 2019 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : postgresql-common
CVE ID : CVE-2019-3466
Rich Mirch discovered that the pg_ctlcluster script didn't drop
privileges when creating socket/statistics temporary directories, which
could result in local privilege escalation.
For the oldstable distribution (stretch), this problem has been fixed
in version 181+deb9u3.
For the stable distribution (buster), this problem has been fixed in
version 200+deb10u3.
We recommend that you upgrade your postgresql-common packages.
For the detailed security status of postgresql-common please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-common
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl3Nxw8ACgkQEMKTtsN8
TjZLpg/7BYZxfcxlC7pD5xDeCuibl8fmqOQo7+fT5LJnnnaGVroy9B4bGf9MaIgx
9aHis3FofPc0I2OQV9S+XaaPvcggrFO9TlmErJaLXRqxjAFjalOxC1jsWu1J0rhz
HV4ZrOUfkE06AuDcVjVfI7u8W+R+xuYkqIlFhirZ4xGGBUtrZXQOTNgBaZmqrlEX
VBnd22L/dxIVeWF2hFU94WldY5Ywx6ouy1gxAT7KiC6JTqjDOqbyVaX10Ivw8i5w
S7+AEDssIkkuoOyNeRtULBT3ghXIskBPlKLI0tafQnp4Yrvhz/CRqlEmqA5Frfdw
82d+bmmMQv0wNN6j742IpTn6Xz9NiSRlLTG098HPv5eQ6aPvCNPx+BRYrFHtfeWh
cV73TkpeX6Hsyxnb1srP5Yy76oxK8milRcNDbkh3zN7q2pnCVL9F1Hco0UxcqY7D
yw8c+c0xJClUKJScSFO+fpA4XyE3M0YPkGz6tms3ham7pGE7tkPfcWKKTvs4qWB6
VObGlINKnTvGvlodTTUWmoLHZEmiUX5wOThHbXBoPbE1P20dJL+6xWIy6T7Zq7xp
YWWBSFnwBiEL4v1CuKH/JZEabHqeXLtOKEA2qZNlmL0DX71vDOYsFIHUFjZB/SP1
vl61tjilvFHM8uvWx5CATWQnz0ajMtkoAC76X4mNJxc8jM6pKNY=
=HLzY
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXc4sBGaOgq3Tt24GAQi1RBAAtcLYNOb2Pkl+zu3pbwf0ca6/c9YsJrAP
2HSF6FzoXXCcnMy55Qtuc2tjCEKXUY9sAKDdUOp0bYFG3QxGqDbGhYaq9oooYohB
5bBht7ZmwSCNgRKCDapNloCd+NWM5V2U9kj6bYiZp/2ZG8PxpzQqyw1esMU7Y49p
38AjY7kaPJIsoDeKUovFi6UR7gkNlhXon+jTLN7uN+OAuCtEpNrGGO/0LalbKN3m
VMC4tpn2CwPB+7CIBPwMpUobUFor7/Ltsm1jXR0qlzEE4+YZwiFitDDPGJaPLWu4
3152jU13PzE1i/xAqSJWSTn+Ge/UZ0MsFejcnFjvjf77tXdA4qEW5GWi1NOTed2E
HcnGE1qamDcJ+PzCRMRoPqB+59HmZMp+e1PtWG1CUaic8AiCImveNMqlN3RxLPOJ
m7O/5/WH56Ab0V41do01jri/d54ZDQo7LmGIWfoxbwnJiLaDqGN8+CTi0sioLYk+
UA/4vJv/Sb/odT6YjPHWbjVLR6tO0lD/gJqTEW9Sy0fM1xHVlxkltvLpij/dThlo
jcYsyLsj4dt7SYuDLHeev/03HgMEOP/zKnS0PC1ZViNhnkdr7Kj3Smr5kAhlNZ+S
1cYzI5y0jJ5MihJ+fYUviFG+kW4+Z2ZRV+XZXsxTdy1HXTh6Ul+MaWubLWnHbrjw
McfoZW75J2s=
=nd+P
-----END PGP SIGNATURE-----