CVE-2019-10164
Published: 20 June 2019
PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account.
Priority
Medium
CVSS 3 base score: 8.8
Status
| Package | Release | Status |
|---|---|---|
|
postgresql-10 Launchpad, Ubuntu, Debian |
Upstream |
Released
(10.9)
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(10.9-0ubuntu0.18.04.1)
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
postgresql-11 Launchpad, Ubuntu, Debian |
Upstream |
Released
(11.4)
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
postgresql-9.1 Launchpad, Ubuntu, Debian |
Upstream |
Not vulnerable
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
postgresql-9.3 Launchpad, Ubuntu, Debian |
Upstream |
Not vulnerable
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Not vulnerable
|
|
|
postgresql-9.5 Launchpad, Ubuntu, Debian |
Upstream |
Not vulnerable
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Not vulnerable
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
Notes
| Author | Note |
|---|---|
| mdeslaur | 10.x, 11.x and 12.x only |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10164
- https://www.postgresql.org/about/news/1949/
- https://usn.ubuntu.com/usn/usn-4027-1
- NVD
- Launchpad
- Debian