postgresql: Multiple vulnerabilities (CVE-2019-10208, CVE-2019-10209)
CVE-2019-10208: TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution
Given a suitable SECURITY DEFINER function, an attacker can execute arbitrary SQL under the identity of the function owner. An attack requires EXECUTE permission on the function, which must itself contain a function call having inexact argument type match. For example, length('foo'::varchar) and length('foo') are inexact, while length('foo'::text) is exact. As part of exploiting this vulnerability, the attacker uses CREATE DOMAIN to create a type in a pg_temp schema. The attack pattern and fix are similar to that for CVE-2007-2138.
Fixed In Version:
postgresql 11.5, postgresql 10.10, postgresql 9.6.15, postgresql 9.5.19, postgresql 9.4.24
References:
https://www.postgresql.org/about/news/1960/
CVE-2019-10209: Memory disclosure in cross-type comparison for hashed subplan
In a database containing hypothetical, user-defined hash equality operators, an attacker could read arbitrary bytes of server memory. For an attack to become possible, a superuser would need to create unusual operators. It is possible for operators not purpose-crafted for attack to have the properties that enable an attack, but we are not aware of specific examples.
Only affects PostgreSQL 11, so Alpine v3.7 and v3.8 are not affected.
Fixed In Version:
postgresql 11.5
References:
https://www.postgresql.org/about/news/1960/
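
For CVE-2019-10208, the exposure depends on which SECURITY DEFINER functions exist and who holds EXECUTE on them. The catalog query below is an added example, not part of the original report or of the PostgreSQL project's advisory. It inventories those functions so they can be reviewed on servers still below the fixed versions listed above. It cannot tell whether a function body contains a call with an inexact argument type match; that part needs manual review. The column aliases are chosen here for illustration.

```sql
-- Added example (not from the original report).
-- Run in each database of the cluster; the catalogs are per-database.

-- 1. Server version, to compare against the "Fixed In Version" lists above.
SELECT current_setting('server_version') AS server_version;

-- 2. SECURITY DEFINER functions outside the system schemas, with the
--    identity they execute as and whether every role may call them.
SELECT n.nspname                                 AS schema_name,
       p.proname                                 AS function_name,
       pg_get_function_identity_arguments(p.oid) AS arguments,
       r.rolname                                 AS runs_as,
       r.rolsuper                                AS runs_as_superuser,
       -- 'public' checks the PUBLIC pseudo-role, i.e. EXECUTE for everyone
       has_function_privilege('public', p.oid, 'EXECUTE')
                                                 AS public_can_execute
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles     r ON r.oid = p.proowner
WHERE p.prosecdef                                -- SECURITY DEFINER only
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY r.rolsuper DESC,                        -- superuser-owned first
         public_can_execute DESC,                -- then world-callable
         n.nspname, p.proname;

-- 3. Per-role check for one function from the list above.
--    'app_user' and 'public.some_function(text)' are placeholders;
--    substitute a real role name and function signature.
-- SELECT has_function_privilege('app_user',
--                               'public.some_function(text)',
--                               'EXECUTE');
```

Rows where runs_as_superuser and public_can_execute are both true are the ones to review first, since any connected role can call them and they run with the owner's rights.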