Re: CVE-2018-1058
From | Fabio Pardi |
---|---|
Subject | Re: CVE-2018-1058 |
Date | |
Msg-id | 2814477e-050e-8a0e-ecf8-3371f6a7b77b@portavita.eu |
In reply to | CVE-2018-1058 (karan sharma <sharmakaran461@gmail.com>) |
List | pgsql-admin |
Hi Karan,

the vulnerability affects the DB as a whole.

As I read it, the fix is about:

'Avoid use of insecure search_path settings in pg_dump and other client programs (Noah Misch, Tom Lane)

pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications were themselves vulnerable to the type of hijacking described in the previous changelog entry; since these applications are commonly run by superusers, they present particularly attractive targets. To make them secure whether or not the installation as a whole has been secured, modify them to include only the pg_catalog schema in their search_path settings. Autovacuum worker processes now do the same, as well.'

(taken from https://www.postgresql.org/docs/current/static/release-9-6-8.html )

Maybe you want to have a look at the page where the vulnerability is explained in detail:

https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path

It is in my opinion an excellent guide to understand CVE-2018-1058.

Regards,

fabio pardi

On 03/17/2018 12:34 AM, karan sharma wrote:
> Please help me understand about security patch.
> "CVE-2018-1058"
>
> The changes seen are only in pg_dump. Why do I have to do the query part separately? It should be solved by default.
>
> Is there anything else fixed in the patch?