CVE-2017-12172

Severity: High
Remote: No
Type: Privilege escalation
Description
A vulnerability has been discovered in PostgreSQL where the startup log file for the postmaster (in newer releases, "postgres") process was opened while the process was still owned by root. With this setup, the database owner could specify a file that they did not have access to and cause the file to be corrupted with logged data. This vulnerability allows a database administrator to modify root-owned files and therefore potentially leads to privilege escalation.
The fix ensures that the startup log file is opened as the user specified to run the PostgreSQL server. Any users who have made use of the start scripts will need to ensure the startup log files are owned by the user specified to run the PostgreSQL server.
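One way to carry out the ownership check described above, as an added example that is not part of the advisory or of PostgreSQL. The function name `check_startup_log`, its return codes and the temporary demo files are assumptions made for illustration; pass the numeric UID of the account that runs the server (for example the output of `id -u` for that account).

```shell
#!/bin/sh
# Added example: audit a startup log path before a start script writes to it.
# Usage: check_startup_log PATH EXPECTED_UID
# Returns: 0 = safe (or not created yet), 1 = wrong owner,
#          2 = symbolic link, 3 = exists but is not a regular file
check_startup_log() {
    log_path=$1
    expected_uid=$2

    # A symlink redirects the logged data into whatever file it points to.
    if [ -L "$log_path" ]; then
        echo "FAIL: $log_path is a symbolic link" >&2
        return 2
    fi
    # Nothing on disk yet: the fixed server creates the file as its own user.
    if [ ! -e "$log_path" ]; then
        echo "OK: $log_path does not exist yet" >&2
        return 0
    fi
    if [ ! -f "$log_path" ]; then
        echo "FAIL: $log_path is not a regular file" >&2
        return 3
    fi
    # Numeric owner is the third field of ls -ldn. This also catches a hard
    # link to another user's file, because a hard link shares its owner.
    owner_uid=$(ls -ldn -- "$log_path" | awk '{print $3}')
    if [ "$owner_uid" != "$expected_uid" ]; then
        echo "FAIL: $log_path is owned by uid $owner_uid, expected $expected_uid" >&2
        return 1
    fi
    echo "OK: $log_path is a regular file owned by uid $expected_uid" >&2
    return 0
}

# Demo on constructed files in a temporary directory (not real PostgreSQL paths).
demo_dir=$(mktemp -d)
: > "$demo_dir/startup.log"
ln -s "$demo_dir/startup.log" "$demo_dir/link.log"
check_startup_log "$demo_dir/startup.log" "$(id -u)"   # passes
check_startup_log "$demo_dir/link.log" "$(id -u)"      # rejected: symlink
rm -rf "$demo_dir"
```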
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-488 | postgresql-old-upgrade | 9.6.5-1 | 9.6.6-1 | High | Not affected | |
| AVG-487 | postgresql | 10.0-1 | 10.1-1 | High | Not affected | |