CVE-2017-8806

Priority
Medium
Description
The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts,
as distributed in the Debian postgresql-common package before 181+deb9u1
for PostgreSQL (and other packages related to Debian and Ubuntu), handled
symbolic links insecurely, which could result in local denial of service by
overwriting arbitrary files.
References
Bugs
Notes
 mdeslaur> PostgreSQL will use CVE-2017-12172 for contrib/start-scripts
 mdeslaur> This is related to CVE-2016-1255
Package
Upstream: needs-triage
Ubuntu 17.10 (Artful Aardvark): released (184ubuntu1.1)
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 12.04 ESM (Precise Pangolin): needed
Ubuntu 14.04 LTS (Trusty Tahr): released (154ubuntu1.1)
Ubuntu 16.04 LTS (Xenial Xerus): released (173ubuntu0.1)
Ubuntu 17.04 (Zesty Zapus): released (179ubuntu0.1)
Patches:
Upstream: https://anonscm.debian.org/cgit/pkg-postgresql/postgresql-common.git/commit/?id=8b4d0a889a8287181c4bdf46462db9b737a6e25d
More Information

Updated: 2017-11-17 03:14:26 UTC (commit 13723)