Security Advisory Details

NS-SA-2019-0006

2019-07-17 14:54:04

Summary

critical: postgresql/thunderbird security update

Severity

critical

Topic

An update for postgresql/thunderbird is now available for NewStart CGSL MAIN 5.04.
NewStart Security has rated this update as having a security impact of critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Detailed Description

postgresql: PostgreSQL is an advanced Object-Relational database management system (DBMS). The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as the PostgreSQL server, or on a remote machine that accesses a PostgreSQL server over a network connection. The PostgreSQL server can be found in the postgresql-server sub-package.
thunderbird: Mozilla Thunderbird is a standalone mail and newsgroup client.


Security Fix(es):
postgresql: Privilege escalation flaws were found in the Red Hat initialization scripts of PostgreSQL. An attacker with access to the postgres user account could use these flaws to obtain root access on the server machine. (CVE-2017-15097)
postgresql: Privilege escalation flaws were found in the initialization scripts of PostgreSQL. An attacker with access to the postgres user account could use these flaws to obtain root access on the server machine. (CVE-2017-12172)
postgresql: bugfix
thunderbird: A use-after-free vulnerability can occur when flushing and resizing layout because the "PressShell" object has been freed while still in use. This results in a potentially exploitable crash during these operations. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. (CVE-2017-7828)
thunderbird: Memory safety bugs were reported in Firefox 56 and Firefox ESR 52.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. (CVE-2017-7826)
thunderbird: The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. (CVE-2017-7830)
thunderbird: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F1.

Affected Components

  • postgresql
  • thunderbird

Affected Products

  • CGSL MAIN 5.04

Update Packages

CGSL MAIN 5.04

Source packages:

  • postgresql-9.2.23-3.el7_4.src.rpm
  • thunderbird-52.5.0-1.el7.centos.src.rpm

Binary packages:

  • postgresql-9.2.23-3.el7_4.x86_64.rpm
  • postgresql-contrib-9.2.23-3.el7_4.x86_64.rpm
  • postgresql-debuginfo-9.2.23-3.el7_4.x86_64.rpm
  • postgresql-devel-9.2.23-3.el7_4.x86_64.rpm
  • postgresql-docs-9.2.23-3.el7_4.x86_64.rpm
  • postgresql-libs-9.2.23-3.el7_4.x86_64.rpm
  • postgresql-plperl-9.2.23-3.el7_4.x86_64.rpm
  • postgresql-plpython-9.2.23-3.el7_4.x86_64.rpm
  • postgresql-pltcl-9.2.23-3.el7_4.x86_64.rpm
  • postgresql-server-9.2.23-3.el7_4.x86_64.rpm
  • postgresql-static-9.2.23-3.el7_4.x86_64.rpm
  • postgresql-test-9.2.23-3.el7_4.x86_64.rpm
  • postgresql-upgrade-9.2.23-3.el7_4.x86_64.rpm
  • thunderbird-52.5.0-1.el7.centos.x86_64.rpm
  • thunderbird-debuginfo-52.5.0-1.el7.centos.x86_64.rpm
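The practical question for an administrator is whether the packages on a given CGSL MAIN 5.04 host are already at the fixed builds listed above. The following is an added example, not part of this advisory and not NewStart tooling: it parses the advisory's package list (reproduced verbatim from the "Update Packages" section), reads lines in the format `rpm -qa` prints, and reports packages whose version-release is older than the fixed one. The `rpmvercmp` port is a simplified version of RPM's algorithm (digit and alpha segments, tilde pre-release handling; no epoch or caret support, since the advisory lists none), and the sample installed-package lines are constructed for the demonstration.

```python
import json
import re

# The advisory's fix list, copied verbatim from the "Update Packages" section.
ADVISORY_FIX = json.loads('''
{"fix":[{"product":"CGSL MAIN 5.04","pkgs":[{"binary":["postgresql-9.2.23-3.el7_4.x86_64.rpm",
"postgresql-contrib-9.2.23-3.el7_4.x86_64.rpm","postgresql-debuginfo-9.2.23-3.el7_4.x86_64.rpm",
"postgresql-devel-9.2.23-3.el7_4.x86_64.rpm","postgresql-docs-9.2.23-3.el7_4.x86_64.rpm",
"postgresql-libs-9.2.23-3.el7_4.x86_64.rpm","postgresql-plperl-9.2.23-3.el7_4.x86_64.rpm",
"postgresql-plpython-9.2.23-3.el7_4.x86_64.rpm","postgresql-pltcl-9.2.23-3.el7_4.x86_64.rpm",
"postgresql-server-9.2.23-3.el7_4.x86_64.rpm","postgresql-static-9.2.23-3.el7_4.x86_64.rpm",
"postgresql-test-9.2.23-3.el7_4.x86_64.rpm","postgresql-upgrade-9.2.23-3.el7_4.x86_64.rpm"],
"source":"postgresql-9.2.23-3.el7_4.src.rpm"},{"binary":["thunderbird-52.5.0-1.el7.centos.x86_64.rpm",
"thunderbird-debuginfo-52.5.0-1.el7.centos.x86_64.rpm"],"source":"thunderbird-52.5.0-1.el7.centos.src.rpm"}]}]}
''')

# Constructed sample of what `rpm -qa` might print on an unpatched host (not real data).
SAMPLE_RPM_QA = [
    "postgresql-9.2.23-1.el7_4.x86_64",        # same version, older release -> affected
    "postgresql-libs-9.2.23-3.el7_4.x86_64",   # already at the fixed build
    "thunderbird-52.4.0-1.el7.centos.x86_64",  # older version -> affected
    "bash-4.2.46-29.el7_4.x86_64",             # not covered by this advisory -> ignored
]


def parse_nvra(entry):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch)."""
    stem = entry[:-4] if entry.endswith(".rpm") else entry
    stem, _, arch = stem.rpartition(".")
    # name may itself contain dashes; version and release never do
    name, version, release = stem.rsplit("-", 2)
    return name, version, release, arch


def _segments(s):
    # RPM compares runs of digits, runs of letters, and '~' as separate segments
    return re.findall(r"[0-9]+|[a-zA-Z]+|~", s)


def rpmvercmp(a, b):
    """Simplified port of RPM's rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    i = 0
    while i < len(sa) or i < len(sb):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        # '~' sorts before anything, including end of string (1.0~rc1 < 1.0)
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1   # a numeric segment is newer than an alphabetic one
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
        i += 1
    return 0


def fixed_versions(fix):
    """Map package name -> (version, release) of the fixed build in the advisory."""
    fixed = {}
    for entry in fix["fix"]:
        for pkg in entry["pkgs"]:
            for rpm_file in pkg["binary"]:
                name, version, release, _ = parse_nvra(rpm_file)
                fixed[name] = (version, release)
    return fixed


def outdated_packages(installed_lines, fix):
    """Return names of installed packages older than the advisory's fixed build."""
    fixed = fixed_versions(fix)
    outdated = []
    for line in installed_lines:
        name, version, release, _ = parse_nvra(line.strip())
        if name not in fixed:
            continue
        fixed_version, fixed_release = fixed[name]
        c = rpmvercmp(version, fixed_version)
        if c < 0 or (c == 0 and rpmvercmp(release, fixed_release) < 0):
            outdated.append(name)
    return outdated


if __name__ == "__main__":
    # On a real host: feed the output of `rpm -qa` instead of SAMPLE_RPM_QA.
    for name in outdated_packages(SAMPLE_RPM_QA, ADVISORY_FIX):
        print("needs update:", name)
```

Feed real `rpm -qa` output into `outdated_packages` to get the list of packages on a host that still predate build tag 5.04.F1 of this advisory; packages the advisory does not mention are ignored rather than reported.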

CVE

References