CVE-2018-10925 (retired)

Priority
Description
It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14,
9.4.19, and 9.3.24 failed to properly check authorization on certain
statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker
with "CREATE TABLE" privileges could exploit this to read arbitrary bytes
of server memory. If the attacker also had certain "INSERT" and limited
"UPDATE" privileges to a particular table, they could exploit this to
update other columns in the same table.
Notes
 debian> Only affects PostgreSQL 9.5 onwards
Package
Upstream: released (10.5-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): released (10.5-0ubuntu0.18.04)
Package
Upstream: not-affected (code not present)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Package
Upstream: not-affected (code not present)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Package
Upstream: released (9.5.14)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (9.5.14-0ubuntu0.16.04)
Ubuntu 18.04 LTS (Bionic Beaver): DNE
More Information

Updated: 2019-09-19 16:05:23 UTC (commit d32ebc32606b9517c6fa7d65a15441e2a57a6de5)