CVE-2019-3466 outstanding when postgresql-all = 10+190ubuntu0.1

[stevegnz]

cvescan reports an issue with CVE-2019-3466 when the packages are at "10+" but the changelog for those packages indicate they are patched.

✅ Ubuntu vulnerability database successfully downloaded! ✅ Scan complete!

CVE ID PRIORITY PACKAGE FIXED VERSION REPOSITORY CVE-2019-3466 medium postgresql-all 190ubuntu0.1 Ubuntu Archive

Summary

---

Ubuntu Release bionic Installed Packages 969 CVE Priority All Unique Packages Fixable by Patching 1 Unique CVEs Fixable by Patching 1 Vulnerabilities Fixable by Patching 1 Fixes Available by apt-get upgrade 1

---

Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-================================================-=============================-=============================-===================================================================================================== ii postgresql-all 10+190ubuntu0.1 all metapackage depending on all PostgreSQL server packages

Get:1 https://changelogs.ubuntu.com postgresql-common 190ubuntu0.1 Changelog [188 kB] postgresql-common (190ubuntu0.1) bionic-security; urgency=medium

• SECURITY UPDATE: Privilege Escalation via Arbitrary Directory Creation

  • pg_ctlcluster: Drop privileges before creating socket and stats temp directories outside /var/run/postgresql. The default configuration is not affected by this change. Users with directories on volatile storage (tmpfs) in other locations have to make sure the parent directory is writable for the cluster owner.
  • Thanks to Rich Mirch and Christoph Berg.
  • CVE-2019-3466

  -- Marc Deslauriers marc.deslauriers@ubuntu.com Wed, 13 Nov 2019 10:21:57 -0500