Red Hat has issued an update for postgresql. This fixes a vulnerability in which certain host connection parameters defeat client-side security defenses.
libpq, the default PostgreSQL client library, was found to be vulnerable because it failed to properly reset its internal state between connections. If an affected version of libpq was used with “host” or “hostaddr” connection parameters taken from untrusted input, an attacker could bypass client-side connection security features, gaining access to higher-privileged connections or potentially causing other impacts through SQL injection by causing the PQescape() functions to malfunction.
An attacker can only exploit this vulnerability by providing or influencing the connection parameters of a PostgreSQL client application that uses libpq. The contrib modules “dblink” and “postgres_fdw” are examples of applications affected by this flaw. Red Hat Virtualization includes vulnerable versions of postgresql.
However, this flaw is not known to be exploitable under any supported configuration of Red Hat Virtualization. A future update may address this issue. Red Hat has issued updates that fix the vulnerability.
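The precondition the advisory names is a host or hostaddr parameter that an untrusted party can influence. As an added defensive example (not part of the advisory, of libpq, or of the Red Hat update), the following Python helper parses a libpq keyword/value string or postgresql:// URI and refuses it unless every host and hostaddr value is on an application allow-list. The allow-list entries and sample inputs are constructed; the quoting rules follow libpq's documented single-quote and backslash escaping, and rejecting service= and ambiguous host placement is a policy choice of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed allow-list: the only hosts/addresses this application may dial.
ALLOWED_HOSTS = {"db1.internal.example", "db2.internal.example", "10.0.0.5"}

# One libpq keyword=value token; values may be 'single quoted' and use \ escapes.
_KV_TOKEN = re.compile(
    r"\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?:'((?:\\.|[^'\\])*)'|((?:\\.|[^\s'\\])*))")

def _parse_kv(s):
    params, pos, s = {}, 0, s.rstrip()
    while pos < len(s):
        m = _KV_TOKEN.match(s, pos)
        if not m:
            raise ValueError(f"malformed conninfo near offset {pos}")
        key, quoted, bare = m.groups()
        params[key] = re.sub(r"\\(.)", r"\1", quoted if quoted is not None else bare)
        pos = m.end()
    return params

def _parse_uri(uri):
    u = urlsplit(uri)
    params = dict(parse_qsl(u.query, keep_blank_values=True))
    hostport = u.netloc.rsplit("@", 1)[-1]           # drop user[:password]@
    if hostport:
        if "host" in params:                          # policy: refuse ambiguity
            raise ValueError("host given in both URI authority and query")
        params["host"] = ",".join(                    # strip :port and IPv6 brackets
            re.sub(r":\d*$", "", h).strip("[]") for h in hostport.split(","))
    return params

def parse_conninfo(conninfo):
    if conninfo.startswith(("postgresql://", "postgres://")):
        return _parse_uri(conninfo)
    return _parse_kv(conninfo)

def check_untrusted_conninfo(conninfo, allowed=ALLOWED_HOSTS):
    """Return parsed params only if every host/hostaddr value is allow-listed."""
    params = parse_conninfo(conninfo)
    if "service" in params:                           # a service file can set host
        raise ValueError("service= not permitted from untrusted input")
    targets = [h.strip() for key in ("host", "hostaddr") if key in params
               for h in params[key].split(",")]
    if not targets:
        raise ValueError("host/hostaddr must be given explicitly")
    rejected = [h for h in targets if h not in allowed]
    if rejected:
        raise ValueError(f"host/hostaddr not allow-listed: {rejected}")
    return params
```

Run the check before handing a caller-supplied string to PQconnectdb() or a wrapper such as dblink_connect(); a ValueError means the string must not reach libpq.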
Postgresql versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected in:
Follow the link for further guidance on how to apply updates: