git: 4132a67c6395 - main - databases/pg_partman: arbitrary code execution
Palle Girgensohn
girgen at FreeBSD.org
Mon May 24 15:58:53 UTC 2021
The branch main has been updated by girgen:
URL: https://cgit.FreeBSD.org/ports/commit/?id=4132a67c6395dd389c143a51fe518eccb3562cee
commit 4132a67c6395dd389c143a51fe518eccb3562cee
Author: Palle Girgensohn <girgen at FreeBSD.org>
AuthorDate: 2021-05-24 15:54:05 +0000
Commit: Palle Girgensohn <girgen at FreeBSD.org>
CommitDate: 2021-05-24 15:57:00 +0000
databases/pg_partman: arbitrary code execution
Security: CVE-2021-33204
---
security/vuxml/vuln.xml | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index a9740e07659b..e37ea0114c78 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -76,6 +76,37 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="58b22f3a-bc71-11eb-b9c9-6cc21735f730">
+ <topic>PG Partition Manager -- arbitrary code execution</topic>
+ <affects>
+ <package>
+ <name>pg_partman</name>
+ <range><lt>4.5.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>PG Partition Manager reports:</p>
+ <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2021-33204">
+ <p>
+ In the pg_partman (aka PG Partition Manager) extension before 4.5.1
+ for PostgreSQL, arbitrary code execution can be achieved via
+ SECURITY DEFINER functions because an explicit search_path is not
+ set.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2021-33204</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2021-33204</url>
+ </references>
+ <dates>
+ <discovery>2021-05-21</discovery>
+ <entry>2021-05-24</entry>
+ </dates>
+ </vuln>
+
<vuln vid="5fa90ee6-bc9e-11eb-a287-e0d55e2a8bf9">
<topic>texproc/expat2 -- billion laugh attack</topic>
<affects>
More information about the dev-commits-ports-all
mailing list