Re: CVE-2018-1058

Hi Karan,

the vulnerability affects the DB in its whole.

As i read it, the fix is about:

'Avoid use of insecure search_path settings in pg_dump and other client programs (Noah Misch, Tom Lane)

pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications were themselves vulnerable to the type of hijacking described in the previous changelog entry; since these applications are commonly run by superusers, they present particularly attractive targets. To make them secure whether or not the installation as a whole has been secured, modify them to include only the pg_catalog schema in their search_path settings. Autovacuum worker processes now do the same, as well.'

(taken from https://www.postgresql.org/docs/current/static/release-9-6-8.html )

Maybe you want to have a look to the page where the vulnerability is explained in detail:

https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path

It is in my opinion an excellent guide to understand CVE-2018-1058

Regards,

fabio pardi

On 03/17/2018 12:34 AM, karan sharma wrote:
> Please help me understand about security patch.
> "CVE-2018-1058"
>
> The changes seen are only in pg_dump. Why I have to do the query part separately?. It should be solved by default. 
>
> Is there anything else fixed in the patch ?