FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  496343
Date:      2019-03-20
Time:      14:04:46Z
Committer: mfechner

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
ca16fd0b-5fd1-11e6-a6f2-6cc21735f730PostgreSQL -- Denial-of-Service and Code Injection Vulnerabilities

PostgreSQL project reports:

Security Fixes nested CASE expressions + database and role names with embedded special characters

  • CVE-2016-5423: certain nested CASE expressions can cause the server to crash.
  • CVE-2016-5424: database and role names with embedded special characters can allow code injection during administrative operations like pg_dumpall.

Discovery 2016-08-11
Entry 2016-08-11
postgresql91-server
ge 9.1.0 lt 9.1.23

postgresql92-server
ge 9.2.0 lt 9.2.18

postgresql93-server
ge 9.3.0 lt 9.3.11

postgresql94-server
ge 9.4.0 lt 9.4.9

postgresql95-server
ge 9.5.0 lt 9.5.4

CVE-2016-5423
CVE-2016-5424
982872f1-7dd3-11e7-9736-6cc21735f730PostgreSQL vulnerabilities

The PostgreSQL project reports:

  • CVE-2017-7546: Empty password accepted in some authentication methods
  • CVE-2017-7547: The "pg_user_mappings" catalog view discloses passwords to users lacking server privileges
  • CVE-2017-7548: lo_put() function ignores ACLs

Discovery 2017-08-10
Entry 2017-08-10
postgresql92-server
ge 9.2.0 lt 9.2.22

postgresql93-server
ge 9.3.0 lt 9.3.18

postgresql94-server
ge 9.4.0 lt 9.4.13

postgresql95-server
ge 9.5.0 lt 9.5.8

postgresql96-server
ge 9.6.0 lt 9.6.4

CVE-2017-7546
CVE-2017-7547
CVE-2017-7548
1c27a706-e3aa-11e8-b77a-6cc21735f730PostgreSQL -- SQL injection in pg_upgrade and pg_dump

The PostgreSQL project reports:

CVE-2018-16850: SQL injection in pg_upgrade and pg_dump, via CREATE TRIGGER ... REFERENCING.

Using a purpose-crafted trigger definition, an attacker can run arbitrary SQL statements with superuser privileges when a superuser runs pg_upgrade on the database or during a pg_dump dump/restore cycle. This attack requires a CREATE privilege on some non-temporary schema or a TRIGGER privilege on a table. This is exploitable in the default PostgreSQL configuration, where all users have CREATE privilege on public schema.


Discovery 2018-11-08
Entry 2018-11-08
postgresql10-server
lt 10.6

postgresql96-server
lt 9.6.11

postgresql95-server
lt 9.5.15

postgresql94-server
lt 9.4.20

postgresql93-server
lt 9.3.25

https://www.postgresql.org/about/news/1905/
CVE-2018-16850
e3eeda2e-1d67-11e8-a2ec-6cc21735f730PostgreSQL vulnerabilities

The PostgreSQL project reports:

  • CVE-2018-1058: Uncontrolled search path element in pg_dump and other client applications

Discovery 2018-03-01
Entry 2018-03-01
postgresql93-server
ge 9.3.0 lt 9.3.22

postgresql94-server
ge 9.4.0 lt 9.4.17

postgresql95-server
ge 9.5.0 lt 9.5.12

postgresql96-server
ge 9.6.0 lt 9.6.8

postgresql10-server
ge 10.0 lt 10.3

https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path
CVE-2018-1058
97a24d2e-f74c-11e5-8458-6cc21735f730PostgreSQL -- minor security problems.

PostgreSQL project reports:

Security Fixes for RLS, BRIN

This release closes security hole CVE-2016-2193 (https://access.redhat.com/security/cve/CVE-2016-2193), where a query plan might get reused for more than one ROLE in the same session. This could cause the wrong set of Row Level Security (RLS) policies to be used for the query.

The update also fixes CVE-2016-3065 (https://access.redhat.com/security/cve/CVE-2016-3065), a server crash bug triggered by using `pageinspect` with BRIN index pages. Since an attacker might be able to expose a few bytes of server memory, this crash is being treated as a security issue.


Discovery 2016-03-01
Entry 2016-03-31
postgresql95-server
postgresql95-contrib
ge 9.5.0 lt 9.5.2

CVE-2016-2193
CVE-2016-3065
e8b6605b-d29f-11e5-8458-6cc21735f730PostgreSQL -- Security Fixes for Regular Expressions, PL/Java.

PostgreSQL project reports:

Security Fixes for Regular Expressions, PL/Java

  • CVE-2016-0773: This release closes security hole CVE-2016-0773, an issue with regular expression (regex) parsing. Prior code allowed users to pass in expressions which included out-of-range Unicode characters, triggering a backend crash. This issue is critical for PostgreSQL systems with untrusted users or which generate regexes based on user input.
  • CVE-2016-0766: The update also fixes CVE-2016-0766, a privilege escalation issue for users of PL/Java. Certain custom configuration settings (GUCS) for PL/Java will now be modifiable only by the database superuser

Discovery 2016-02-08
Entry 2016-02-12
postgresql91-server
ge 9.1.0 lt 9.1.20

postgresql92-server
ge 9.2.0 lt 9.2.15

postgresql93-server
ge 9.3.0 lt 9.3.11

postgresql94-server
ge 9.4.0 lt 9.4.6

postgresql95-server
ge 9.5.0 lt 9.5.1

CVE-2016-0773
CVE-2016-0766
96eab874-9c79-11e8-b34b-6cc21735f730PostgreSQL -- two vulnerabilities

The PostgreSQL project reports:

CVE-2018-10915: Certain host connection parameters defeat client-side security defenses

libpq, the client connection API for PostgreSQL that is also used by other connection libraries, had an internal issue where it did not reset all of its connection state variables when attempting to reconnect. In particular, the state variable that determined whether or not a password is needed for a connection would not be reset, which could allow users of features requiring libpq, such as the "dblink" or "postgres_fdw" extensions, to login to servers they should not be able to access.

CVE-2018-10925: Memory disclosure and missing authorization in `INSERT ... ON CONFLICT DO UPDATE`

An attacker able to issue CREATE TABLE can read arbitrary bytes of server memory using an upsert (`INSERT ... ON CONFLICT DO UPDATE`) query. By default, any user can exploit that. A user that has specific INSERT privileges and an UPDATE privilege on at least one column in a given table can also update other columns using a view and an upsert query.


Discovery 2018-08-09
Entry 2018-08-10
postgresql10-server
lt 10.5

postgresql96-server
lt 9.6.10

postgresql95-server
lt 9.5.14

postgresql94-server
lt 9.4.19

postgresql93-server
lt 9.3.24

https://www.postgresql.org/about/news/1878/
CVE-2018-10915
CVE-2018-10925
414c18bf-3653-11e7-9550-6cc21735f730PostgreSQL vulnerabilities

The PostgreSQL project reports:

Security Fixes nested CASE expressions + database and role names with embedded special characters

  • CVE-2017-7484: selectivity estimators bypass SELECT privilege checks.
  • CVE-2017-7485: libpq ignores PGREQUIRESSL environment variable
  • CVE-2017-7486: pg_user_mappings view discloses foreign server passwords. This applies to new databases, see the release notes for the procedure to apply the fix to an existing database.

Discovery 2017-05-11
Entry 2017-05-11
postgresql92-client
ge 9.2.0 lt 9.2.20

postgresql93-client
ge 9.3.0 lt 9.3.16

postgresql94-client
ge 9.4.0 lt 9.4.11

postgresql95-client
ge 9.5.0 lt 9.5.6

postgresql96-client
ge 9.6.0 lt 9.6.2

postgresql92-server
ge 9.2.0 lt 9.2.20

postgresql93-server
ge 9.3.0 lt 9.3.16

postgresql94-server
ge 9.4.0 lt 9.4.11

postgresql95-server
ge 9.5.0 lt 9.5.6

postgresql96-server
ge 9.6.0 lt 9.6.2

CVE-2016-5423
CVE-2016-5424
1f02af5d-c566-11e7-a12d-6cc21735f730PostgreSQL vulnerabilities

The PostgreSQL project reports:

  • CVE-2017-15098: Memory disclosure in JSON functions
  • CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges

Discovery 2017-10-10
Entry 2017-11-09
postgresql92-server
ge 9.2.0 lt 9.2.24

postgresql93-server
ge 9.3.0 lt 9.3.20

postgresql94-server
ge 9.4.0 lt 9.4.15

postgresql95-server
ge 9.5.0 lt 9.5.10

postgresql96-server
ge 9.6.0 lt 9.6.6

postgresql10-server
ge 10.0 lt 10.1

CVE-2017-15099
CVE-2017-15098
c602c791-0cf4-11e8-a2ec-6cc21735f730PostgreSQL vulnerabilities

The PostgreSQL project reports:

  • CVE-2018-1052: Fix the processing of partition keys containing multiple expressions (only for PostgreSQL-10.x)
  • CVE-2018-1053: Ensure that all temporary files made with "pg_upgrade" are non-world-readable

Discovery 2018-02-05
Entry 2018-02-08
postgresql93-server
ge 9.3.0 lt 9.3.21

postgresql94-server
ge 9.4.0 lt 9.4.16

postgresql95-server
ge 9.5.0 lt 9.5.11

postgresql96-server
ge 9.6.0 lt 9.6.7

postgresql10-server
ge 10.0 lt 10.2

CVE-2018-1052
CVE-2018-1053