The PostgreSQL Global Development Group has released an update to all supported versions of the PostgreSQL database system, including 10.3, 9.6.8, 9.5.12, 9.4.17, and 9.3.22.
The purpose of this release is to address CVE-2018-1058, which describes how a user can create like-named objects in different schemas that can change the behavior of other users' queries and cause unexpected or malicious behavior, also known as a "trojan-horse" attack. Most of this release centers around added documentation that describes the issue and how to take steps to mitigate the impact on PostgreSQL databases.
We strongly encourage all of our users to please visit A Guide to CVE-2018-1058: Protect Your Search Path for a detailed explanation of CVE-2018-1058 and how to protect your PostgreSQL installations.
After evaluating the documentation for CVE-2018-1058, a database administrator may need to take follow up steps on their PostgreSQL installations to ensure they are protected from exploitation.
One security vulnerability is addressed in this release:
Please visit A Guide to CVE-2018-1058: Protect Your Search Path for a full explanation of the CVE-2018-1058.
This update fixes several bugs reported since the last cumulative update. Some of these issues affect only version 10, but many affect all supported versions. These fixes include:
The PostgreSQL Global Development Group would like to thank Arseniy Sharoglazov for reporting CVE-2018-1058 to the security team.