|Description||PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
|postgresql-11 (PTS)||buster, buster (security)||11.5-1+deb10u1||fixed|
|postgresql-9.6 (PTS)||stretch (security), stretch||9.6.15-0+deb9u1||fixed|
The information below is based on the following data on fixed versions.
- postgresql-9.6 <not-affected> (Only affects 10.x and later)
- postgresql-9.4 <not-affected> (Only affects 10.x and later)