{"id":"MGASA-2018-0137","summary":"Updated postgresql packages fix security vulnerability","details":"In postgresql 9.4.x before 9.4.16 and 9.6.x before 9.6.7, pg_upgrade creates\nfile in current working directory containing the output of `pg_dumpall -g`\nunder umask which was in effect when the user invoked pg_upgrade, and not\nunder 0077 which is normally used for other temporary files. This can allow\nan authenticated attacker to read or modify the one file, which may contain\nencrypted or unencrypted database passwords. The attack is infeasible if a\ndirectory mode blocks the attacker searching the current working directory or\nif the prevailing umask blocks the attacker opening the file (CVE-2018-1053).\n\nNote that on Mageia 5, only the postgresql9.4 update is being provided.  Users\nof the postgresql9.3 package should migrate to 9.4.\n","modified":"2026-04-16T06:24:11.024555741Z","published":"2018-02-24T23:25:24Z","upstream":["CVE-2018-1053"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0137.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=22556"},{"type":"WEB","url":"https://www.postgresql.org/docs/9.4/static/release-9-4-16.html"},{"type":"WEB","url":"https://www.postgresql.org/docs/9.6/static/release-9-6-7.html"},{"type":"WEB","url":"https://www.postgresql.org/about/news/1829/"}],"affected":[{"package":{"name":"postgresql9.4","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/postgresql9.4?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.4.16-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0137.json"}},{"package":{"name":"postgresql9.4","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/postgresql9.4?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.4.16-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0137.json"}},{"package":{"name":"postgresql9.6","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/postgresql9.6?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.6.7-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0137.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}