From: Jonathan S. Katz Date: Thu, 8 Aug 2019 18:36:11 +0000 (-0400) Subject: PRs for 2019-08-08 cumulative security update. X-Git-Url: http://git.postgresql.org/gitweb/static/gitweb.js?a=commitdiff_plain;h=fda32f03e3407151a7c9ce73e7e0214ca9150ac7;p=press.git PRs for 2019-08-08 cumulative security update. --- diff --git a/update_releases/current/20190808securityrelease.md b/update_releases/current/20190808securityrelease.md new file mode 100644 index 0000000..d7cf15b --- /dev/null +++ b/update_releases/current/20190808securityrelease.md 
@@ -0,0 +1,200 @@ +2019-08-08 Cumulative Security Update +===================================== + +The PostgreSQL Global Development Group has released an update to all supported +versions of our database system, including 11.5, 10.10, 9.6.15, 9.5.19, and +9.4.24, as well as the third beta of PostgreSQL 12. This release fixes two +security issues in the PostgreSQL server, two security issues found in one of +the PostgreSQL Windows installers, and over 40 bugs reported since the previous +release. + +Users should install these updates as soon as possible. + +A Note on the PostgreSQL 12 Beta +-------------------------------- + +In the spirit of the open source PostgreSQL community, we strongly encourage you +to test the new features of PostgreSQL 12 in your database systems to help us +eliminate any bugs or other issues that may exist. While we do not advise you to +run PostgreSQL 12 Beta 3 in your production environments, we encourage you to +find ways to run your typical application workloads against this beta release. + +Your testing and feedback will help the community ensure that the PostgreSQL 12 +release upholds our standards of providing a stable, reliable release of the +world's most advanced open source relational database. + +Security Issues +--------------- + +Four security vulnerabilities have been closed by this release: + +* [CVE-2019-10208](https://access.redhat.com/security/cve/CVE-2019-10208): `TYPE` in `pg_temp` executes arbitrary SQL during `SECURITY DEFINER` execution + +Versions Affected: 9.4 - 11 + +Given a suitable `SECURITY DEFINER` function, an attacker can execute arbitrary +SQL under the identity of the function owner. An attack requires `EXECUTE` +permission on the function, which must itself contain a function call having +inexact argument type match. For example, `length('foo'::varchar)` and +`length('foo')` are inexact, while `length('foo'::text)` is exact. 
As part of +exploiting this vulnerability, the attacker uses `CREATE DOMAIN` to create a +type in a `pg_temp` schema. The attack pattern and fix are similar to that for +[CVE-2007-2138](https://nvd.nist.gov/vuln/detail/CVE-2007-2138). + +Writing `SECURITY DEFINER` functions continues to require +following the considerations noted in the documentation: + +[https://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY](https://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY) + +The PostgreSQL project thanks Tom Lane for reporting this problem. + +* [CVE-2019-10209](https://access.redhat.com/security/cve/CVE-2019-10209): Memory disclosure in cross-type comparison for hashed subplan + +Versions Affected: 11 + +In a database containing hypothetical, user-defined hash equality operators, +an attacker could read arbitrary bytes of server memory. For an attack to +become possible, a superuser would need to create unusual operators. It is +possible for operators not purpose-crafted for attack to have the properties +that enable an attack, but we are not aware of specific examples. + +The PostgreSQL project thanks Andreas Seltenreich for reporting this problem. + +* [CVE-2019-10210](https://access.redhat.com/security/cve/CVE-2019-10210): EnterpriseDB Windows installer writes PostgreSQL superuser password to unprotected temporary file + +Versions Affected: The EnterpriseDB Windows installer for versions 9.4 - 11 + +The EnterpriseDB Windows installer writes a password to a temporary file in its +installation directory, creates initial databases, and deletes the file. During +those seconds while the file exists, a local attacker can read the PostgreSQL +superuser password from the file. + +The PostgreSQL project thanks Noah Misch for reporting this problem. 
+ +* [CVE-2019-10211](https://access.redhat.com/security/cve/CVE-2019-10211): EnterpriseDB Windows installer bundled OpenSSL executes code from unprotected directory + +Versions Affected: The EnterpriseDB Windows installer for versions 9.4 - 11 + +When the database server or libpq client library initializes SSL, libeay32.dll +attempts to read configuration from a hard-coded directory. Typically, the +directory does not exist, but any local user could create it and inject +configuration. This configuration can direct OpenSSL to load and execute +arbitrary code as the user running a PostgreSQL server or client. Most +PostgreSQL client tools and libraries use libpq, and one can encounter this +vulnerability by using any of them. This vulnerability is much like +[CVE-2019-5443](https://nvd.nist.gov/vuln/detail/CVE-2019-5443), but it originated +independently. One can work around the vulnerability by setting environment +variable OPENSSL_CONF to "NUL:/openssl.cnf" or any other name that cannot exist +as a file. + +The PostgreSQL project thanks Daniel Gustafsson of the curl security team for +reporting this problem. + +Bug Fixes and Improvements +-------------------------- + +This update also fixes over 40 bugs that were reported in the last several +months. Some of these issues affect only version 11, but many affect all +supported versions. + +Some of these fixes include: + +* Fix for `ALTER TABLE ... ALTER COLUMN TYPE` when multiple column types are +modified in a single-command. This issue was introduced in the previous +cumulative update (11.4, 10.9, 9.6.14, 9.5.18, 9.4.23, and 12 beta 2). +* Ensure that partition key columns will not be dropped as the result of an +"indirect drop," such as from a cascade from dropping the key column's data +type (e.g. a custom data type). This fix is applied only to newly created +partitioned tables: if you believe you have an affected partition table (e.g. 
+one where the partition key uses a custom data type), you will need to +create a new table and move your data into it or use `pg_upgrade`. +* Prevent dropping a partitioned table's trigger if there are pending trigger +events in child partitions. This particularly affects foreign key constraints, +which are implemented by triggers. +* Several additional fixes for partitioning, including a fix for partition +pruning that could lead to inefficient queries. +* Fix for parallel hash joins that could lead to duplicate result rows in +`EXISTS` queries. +* Several fixes for the query planner. +* Several fixes for issues that would lead to query deadlocks. +* Fix for multi-column foreign keys when rebuilding a foreign key constraint, +* Prevent extended statistics from being built for inherited tables. +* Fix for the canonicalization of date ranges that include `-infinity`/`infinity` +endpoints to ensure the behavior matches the documentation. +* Fix loss of fractional digits when converting very large `money` values to +`numeric`. +* Fix for PL/pgSQL functions that return composite types. +* Make libpq ignore the `\r` carriage return in connection service files, which +was causing connection failures in some edge cases. +* Several fixes for `psql`, which includes avoiding incorrect tab completion +options after `SET variable =`. +* Improve reliability of `contrib/amcheck`'s index verification. +* Set `initdb` to prefer the timezone behavior defined by the C library instead +of what is defined by `localtime` or `posixrules`. This ensures PostgreSQL uses +the "real" timezone name instead of an artificial name. +* Fix `pg_dump` to ensure that custom operator classes are dumped in the correct +order to prevent creating an unrestorable dump. +* Fix possible lockup in `pgbench` when using -R option. +* Fix spinlock assembly code for MIPS CPUs so that it works on MIPS r6. 
+ +This update also contains tzdata release 2019b for DST law changes in Brazil, +plus historical corrections for Hong Kong, Italy, and Palestine. This update +also adds support for zic's new -b slim option to reduce the size of the +installed zone files, though it is not currently being used by PostgreSQL. + +For more details, you can read the full copy of the release notes here: + +[https://www.postgresql.org/docs/release/](https://www.postgresql.org/docs/release/) + +Updating +-------- + +All PostgreSQL update releases are cumulative. As with other minor releases, +users are not required to dump and reload their database or use `pg_upgrade` in +order to apply this update release; you may simply shutdown PostgreSQL and +update its binaries. + +Users who have skipped one or more update releases may need to run additional, +post-update steps; please see the release notes for earlier versions for +details. + +PostgreSQL 9.4 will stop receiving fixes on February 13, 2020. Please see our +[versioning policy](https://www.postgresql.org/support/versioning/) for more +information. + +Testing for Bugs & Compatibility +-------------------------------- + +The stability of each PostgreSQL release greatly depends on you, the community, +to test the upcoming version with your workloads and testing tools in order to +find bugs and regressions before the general availability of PostgreSQL 12. As +this is a Beta, minor changes to database behaviors, feature details, and APIs +are still possible. Your feedback and testing will help determine the final +tweaks on the new features, so please test in the near future. The quality of +user testing helps determine when we can make a final release. + +A list of [open issues](https://wiki.postgresql.org/wiki/PostgreSQL_12_Open_Items) +is publicly available in the PostgreSQL wiki. 
You can +[report bugs](https://www.postgresql.org/account/submitbug/) using this form on +the PostgreSQL website: + +https://www.postgresql.org/account/submitbug/ + +Beta Schedule +------------- + +This is the third beta release of version 12. The PostgreSQL Project will +release additional betas as required for testing, followed by one or more +release candidates, until the final release in late 2019. For further +information please see the [Beta Testing](https://www.postgresql.org/developer/beta/) page. + +Links +----- +* [Download](https://www.postgresql.org/download/) +* [Release Notes](https://www.postgresql.org/docs/release/) +* [Security Page](https://www.postgresql.org/support/security/) +* [Versioning Policy](https://www.postgresql.org/support/versioning/) +* [Beta Testing Information](https://www.postgresql.org/developer/beta/) +* [PostgreSQL 12 Beta Release Notes](https://www.postgresql.org/docs/devel/release-12.html) +* [PostgreSQL 12 Open Issues](https://wiki.postgresql.org/wiki/PostgreSQL_12_Open_Items) +* [Follow @postgresql on Twitter](https://twitter.com/postgresql) diff --git a/update_releases/current/20190808securityrelease.txt b/update_releases/current/20190808securityrelease.txt new file mode 100644 index 0000000..d5cf38a --- /dev/null +++ b/update_releases/current/20190808securityrelease.txt 
@@ -0,0 +1,200 @@ +2019-08-08 Cumulative Security Update +===================================== + +The PostgreSQL Global Development Group has released an update to all supported +versions of our database system, including 11.5, 10.10, 9.6.15, 9.5.19, and +9.4.24, as well as the third beta of PostgreSQL 12. This release fixes two +security issues in the PostgreSQL server, two security issues found in one of +the PostgreSQL Windows installers, and over 40 bugs reported since the previous +release. + +Users should install these updates as soon as possible. + +A Note on the PostgreSQL 12 Beta +-------------------------------- + +In the spirit of the open source PostgreSQL community, we strongly encourage you +to test the new features of PostgreSQL 12 in your database systems to help us +eliminate any bugs or other issues that may exist. While we do not advise you to +run PostgreSQL 12 Beta 3 in your production environments, we encourage you to +find ways to run your typical application workloads against this beta release. + +Your testing and feedback will help the community ensure that the PostgreSQL 12 +release upholds our standards of providing a stable, reliable release of the +world's most advanced open source relational database. + +Security Issues +--------------- + +Four security vulnerabilities have been closed by this release: + +* CVE-2019-10208: `TYPE` in `pg_temp` executes arbitrary SQL during `SECURITY DEFINER` execution + +Versions Affected: 9.4 - 11 + +Given a suitable `SECURITY DEFINER` function, an attacker can execute arbitrary +SQL under the identity of the function owner. An attack requires `EXECUTE` +permission on the function, which must itself contain a function call having +inexact argument type match. For example, `length('foo'::varchar)` and +`length('foo')` are inexact, while `length('foo'::text)` is exact. As part of +exploiting this vulnerability, the attacker uses `CREATE DOMAIN` to create a +type in a `pg_temp` schema. 
The attack pattern and fix are similar to that for +CVE-2007-2138. + +Writing `SECURITY DEFINER` functions continues to require +following the considerations noted in the documentation: + +https://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY + +The PostgreSQL project thanks Tom Lane for reporting this problem. + +* CVE-2019-10209: Memory disclosure in cross-type comparison for hashed subplan + +Versions Affected: 11 + +In a database containing hypothetical, user-defined hash equality operators, +an attacker could read arbitrary bytes of server memory. For an attack to +become possible, a superuser would need to create unusual operators. It is +possible for operators not purpose-crafted for attack to have the properties +that enable an attack, but we are not aware of specific examples. + +The PostgreSQL project thanks Andreas Seltenreich for reporting this problem. + +* CVE-2019-10210: EnterpriseDB Windows installer writes PostgreSQL superuser password to unprotected temporary file + +Versions Affected: The EnterpriseDB Windows installer for versions 9.4 - 11 + +The EnterpriseDB Windows installer writes a password to a temporary file in its +installation directory, creates initial databases, and deletes the file. During +those seconds while the file exists, a local attacker can read the PostgreSQL +superuser password from the file. + +The PostgreSQL project thanks Noah Misch for reporting this problem. + +* CVE-2019-10211: EnterpriseDB Windows installer bundled OpenSSL executes code from unprotected directory + +Versions Affected: The EnterpriseDB Windows installer for versions 9.4 - 11 + +When the database server or libpq client library initializes SSL, libeay32.dll +attempts to read configuration from a hard-coded directory. Typically, the +directory does not exist, but any local user could create it and inject +configuration. 
This configuration can direct OpenSSL to load and execute +arbitrary code as the user running a PostgreSQL server or client. Most +PostgreSQL client tools and libraries use libpq, and one can encounter this +vulnerability by using any of them. This vulnerability is much like +CVE-2019-5443, but it originated +independently. One can work around the vulnerability by setting environment +variable OPENSSL_CONF to "NUL:/openssl.cnf" or any other name that cannot exist +as a file. + +The PostgreSQL project thanks Daniel Gustafsson of the curl security team for +reporting this problem. + +Bug Fixes and Improvements +-------------------------- + +This update also fixes over 40 bugs that were reported in the last several +months. Some of these issues affect only version 11, but many affect all +supported versions. + +Some of these fixes include: + +* Fix for `ALTER TABLE ... ALTER COLUMN TYPE` when multiple column types are +modified in a single-command. This issue was introduced in the previous +cumulative update (11.4, 10.9, 9.6.14, 9.5.18, 9.4.23, and 12 beta 2). +* Ensure that partition key columns will not be dropped as the result of an +"indirect drop," such as from a cascade from dropping the key column's data +type (e.g. a custom data type). This fix is applied only to newly created +partitioned tables: if you believe you have an affected partition table (e.g. +one where the partition key uses a custom data type), you will need to +create a new table and move your data into it or use `pg_upgrade`. +* Prevent dropping a partitioned table's trigger if there are pending trigger +events in child partitions. This particularly affects foreign key constraints, +which are implemented by triggers. +* Several additional fixes for partitioning, including a fix for partition +pruning that could lead to inefficient queries. +* Fix for parallel hash joins that could lead to duplicate result rows in +`EXISTS` queries. +* Several fixes for the query planner. 
+* Several fixes for issues that would lead to query deadlocks. +* Fix for multi-column foreign keys when rebuilding a foreign key constraint, +* Prevent extended statistics from being built for inherited tables. +* Fix for the canonicalization of date ranges that include `-infinity`/`infinity` +endpoints to ensure the behavior matches the documentation. +* Fix loss of fractional digits when converting very large `money` values to +`numeric`. +* Fix for PL/pgSQL functions that return composite types. +* Make libpq ignore the `\r` carriage return in connection service files, which +was causing connection failures in some edge cases. +* Several fixes for `psql`, which includes avoiding incorrect tab completion +options after `SET variable =`. +* Improve reliability of `contrib/amcheck`'s index verification. +* Set `initdb` to prefer the timezone behavior defined by the C library instead +of what is defined by `localtime` or `posixrules`. This ensures PostgreSQL uses +the "real" timezone name instead of an artificial name. +* Fix `pg_dump` to ensure that custom operator classes are dumped in the correct +order to prevent creating an unrestorable dump. +* Fix possible lockup in `pgbench` when using -R option. +* Fix spinlock assembly code for MIPS CPUs so that it works on MIPS r6. + +This update also contains tzdata release 2019b for DST law changes in Brazil, +plus historical corrections for Hong Kong, Italy, and Palestine. This update +also adds support for zic's new -b slim option to reduce the size of the +installed zone files, though it is not currently being used by PostgreSQL. + +For more details, you can read the full copy of the release notes here: + +https://www.postgresql.org/docs/release/ + +Updating +-------- + +All PostgreSQL update releases are cumulative. 
As with other minor releases, +users are not required to dump and reload their database or use `pg_upgrade` in +order to apply this update release; you may simply shutdown PostgreSQL and +update its binaries. + +Users who have skipped one or more update releases may need to run additional, +post-update steps; please see the release notes for earlier versions for +details. + +PostgreSQL 9.4 will stop receiving fixes on February 13, 2020. Please see our +versioning policy for more +information. + +Testing for Bugs & Compatibility +-------------------------------- + +The stability of each PostgreSQL release greatly depends on you, the community, +to test the upcoming version with your workloads and testing tools in order to +find bugs and regressions before the general availability of PostgreSQL 12. As +this is a Beta, minor changes to database behaviors, feature details, and APIs +are still possible. Your feedback and testing will help determine the final +tweaks on the new features, so please test in the near future. The quality of +user testing helps determine when we can make a final release. + +A list of open issues +is publicly available in the PostgreSQL wiki. You can +report bugs using this form on +the PostgreSQL website: + +https://www.postgresql.org/account/submitbug/ + +Beta Schedule +------------- + +This is the third beta release of version 12. The PostgreSQL Project will +release additional betas as required for testing, followed by one or more +release candidates, until the final release in late 2019. For further +information please see the Beta Testing page. 
+ +Links +----- +* Download: https://www.postgresql.org/download/ +* Release Notes: https://www.postgresql.org/docs/release/ +* Security Page: https://www.postgresql.org/support/security/ +* Versioning Policy: https://www.postgresql.org/support/versioning/ +* Beta Testing Information: https://www.postgresql.org/developer/beta/ +* PostgreSQL 12 Beta Release Notes: https://www.postgresql.org/docs/devel/release-12.html +* PostgreSQL 12 Open Issues: https://wiki.postgresql.org/wiki/PostgreSQL_12_Open_Items +* Follow @postgresql on Twitter: https://twitter.com/postgresql
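Review bot: The "Versions Affected" lines for CVE-2019-10208 ("9.4 - 11") and CVE-2019-10209 ("11") in 20190808securityrelease.md say nothing about PostgreSQL 12, even though the opening paragraph announces that this same release ships 12 Beta 3; one sentence per entry stating whether the beta is affected (or was fixed in it) would spare readers of the announcement from guessing. The "Bug Fixes and Improvements" list also carries a few copy defects: the bullet `* Fix for multi-column foreign keys when rebuilding a foreign key constraint,` ends in a comma where every other bullet ends in a period; "modified in a single-command" should read "in a single command"; and the `pgbench` and `zic` bullets leave `-R` and `-b slim` unformatted while every other option in the list sits in backticks. In "Updating", "you may simply shutdown PostgreSQL" wants the verb form "shut down". In "Testing for Bugs & Compatibility", "You can [report bugs](https://www.postgresql.org/account/submitbug/) using this form on the PostgreSQL website:" is followed by the same URL again as a bare line, so one of the two can go. Since the .txt file in this commit repeats the same text, each of these corrections has to land in both files.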
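Review bot: In 20190808securityrelease.txt the plain-text conversion dropped the link targets but kept the link text, so "Please see our versioning policy for more information", "A list of open issues is publicly available in the PostgreSQL wiki" and "please see the Beta Testing page" now point nowhere; the .md file in the same commit has the URLs (https://www.postgresql.org/support/versioning/, https://wiki.postgresql.org/wiki/PostgreSQL_12_Open_Items, https://www.postgresql.org/developer/beta/), and the "report bugs" paragraph already shows the workable pattern of following the sentence with the bare URL, so the same should be done here. The four CVE headings, plus the references to CVE-2007-2138 and CVE-2019-5443, likewise lose their reference URLs in this version, which matters most for a security announcement that will be forwarded as plain text. The file also keeps Markdown backticks around identifiers such as `TYPE`, `pg_temp` and `pg_upgrade`; in a .txt rendition decide once whether to strip them or keep them and apply that consistently. The trailing comma on the multi-column foreign keys bullet, "single-command" and "shutdown PostgreSQL" are carried over from the .md file and need fixing here as well.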