PostgreSQL: SQL injection

A SQL injection in PostgreSQL may allow attackers to execute arbitrary SQL statements.

Package: postgresql
Release date: 2018-11-30
Last update: 2018-12-03
Bug ID: 670724
Access: remote
Unaffected versions: 9.3.25, 9.4.20, 9.5.15, 9.6.11, 10.6, 11.1
Vulnerable versions: releases of each branch prior to 9.3.25, 9.4.20, 9.5.15, 9.6.11, 10.6 and 11.1 respectively

PostgreSQL is an open source object-relational database management system.

A vulnerability was discovered in PostgreSQL’s pg_upgrade and pg_dump.

An attacker, by enticing a user to process a specially crafted trigger definition, can execute arbitrary SQL statements with superuser privileges.

There is no known workaround at this time.

All PostgreSQL 9.3.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.3.25"

All PostgreSQL 9.4.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.20"

All PostgreSQL 9.5.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.15"

All PostgreSQL 9.6.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.11"

All PostgreSQL 10.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.6"

All PostgreSQL 11.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.1"
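To check whether an installed server is still below the fixed release for its branch before running the upgrade above, the following script is an added example (not part of the advisory or of Gentoo's tooling); it takes the fixed versions from this advisory, and the branch mapping, the version comparison and the psql version probe are the script's own assumptions.

```shell
#!/bin/sh
# Added example: compare a PostgreSQL version against the fixed releases named
# in this advisory for CVE-2018-16850. Not part of the GLSA itself.

# Minimum fixed version for a branch (values from the advisory); fails for a
# branch the advisory does not mention (e.g. 9.2 or 12).
fixed_version_for_branch() {
    case "$1" in
        9.3) echo 9.3.25 ;;
        9.4) echo 9.4.20 ;;
        9.5) echo 9.5.15 ;;
        9.6) echo 9.6.11 ;;
        10)  echo 10.6 ;;
        11)  echo 11.1 ;;
        *)   return 1 ;;
    esac
}

# Branch of a version string: "9.y" for 9.y.z releases, the major number alone
# from 10 onwards (PostgreSQL changed its numbering scheme with version 10).
branch_of() {
    major=${1%%.*}
    if [ "$major" -ge 10 ]; then
        echo "$major"
    else
        rest=${1#*.}
        echo "$major.${rest%%.*}"
    fi
}

# Numeric comparison of dotted versions; succeeds when $1 >= $2.
version_ge() {
    top=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)
    [ "$top" = "$1" ]
}

# Status of one version: "fixed", "vulnerable" or "unknown" (branch not listed).
glsa_status() {
    branch=$(branch_of "$1")
    fixed=$(fixed_version_for_branch "$branch") || { echo unknown; return 0; }
    if version_ge "$1" "$fixed"; then echo fixed; else echo vulnerable; fi
}

# Probe the locally installed client ("psql (PostgreSQL) 9.6.10"); assumption:
# the client and server are installed from the same package version.
check_installed() {
    v=$(psql --version 2>/dev/null | awk '{print $NF}')
    [ -n "$v" ] || return 1
    echo "PostgreSQL $v: $(glsa_status "$v")"
}

# Usage: ./glsa-check.sh 9.6.10 10.6   (no arguments: probe the local psql)
if [ $# -gt 0 ]; then
    for v in "$@"; do echo "$v: $(glsa_status "$v")"; done
fi
```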
References: CVE-2018-16850
Reported by: b-man
Submitted by: b-man