PostgreSQL 11.1, 10.6, 9.6.11, 9.5.15, 9.4.20, and 9.3.25 released

Post Syndicated from corbet original https://lwn.net/Articles/771145/rss

There is a whole new set of PostgreSQL releases out there, the main purpose
of which is to include an important security fix.
“Using a purpose-crafted trigger definition, an attacker can run
arbitrary SQL statements with superuser privileges when a superuser runs
`pg_upgrade` on the database or during a `pg_dump` dump/restore cycle.
This attack requires a `CREATE` privilege on some non-temporary schema
or a `TRIGGER` privilege on a table. This is exploitable in the default
PostgreSQL configuration, where all users have `CREATE` privilege on
`public` schema.”
Note that this is the final update for the 9.3
series; users on that version should be planning an upgrade in the near
future.
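
The two preconditions named in the announcement can be audited from `psql` before a superuser next runs `pg_upgrade` or a dump/restore. The queries below are an added example, not part of the original article or the PostgreSQL announcement; they use only the standard catalogs and privilege-inquiry functions, and the closing `REVOKE` is an optional hardening step that assumes no application depends on ordinary users creating objects in `public`.

```sql
-- Added example: audit for the privileges the advisory lists as prerequisites.
-- Run once per database; schema and table privileges are per-database.

-- 0. Confirm which release the server is running (compare with the fixed
--    versions in the title: 11.1, 10.6, 9.6.11, 9.5.15, 9.4.20, 9.3.25).
SHOW server_version;

-- 1. Non-superuser roles that can CREATE in any non-temporary schema.
--    has_schema_privilege() also counts grants to PUBLIC and privileges
--    inherited through role membership.
SELECT r.rolname, n.nspname AS schema_name
FROM pg_roles r
CROSS JOIN pg_namespace n
WHERE NOT r.rolsuper
  AND n.nspname NOT LIKE 'pg\_temp\_%'
  AND n.nspname NOT LIKE 'pg\_toast\_temp\_%'
  AND has_schema_privilege(r.oid, n.oid, 'CREATE')
ORDER BY n.nspname, r.rolname;

-- 2. Non-superuser roles holding TRIGGER on a table, view or foreign table.
--    Owners appear here too, because ownership implies every privilege.
SELECT r.rolname, n.nspname AS schema_name, c.relname AS table_name
FROM pg_roles r
CROSS JOIN pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE NOT r.rolsuper
  AND c.relkind IN ('r', 'p', 'v', 'f')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_table_privilege(r.oid, c.oid, 'TRIGGER')
ORDER BY n.nspname, c.relname, r.rolname;

-- 3. Optional hardening (assumption: nothing relies on the default grant).
--    Removes the "all users have CREATE on public" default the advisory cites.
--    It does not replace upgrading to a fixed release.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
```

Any row from the first two queries identifies a role that meets a prerequisite described above, so review those roles and their existing triggers before running a superuser upgrade or restore on an unpatched server.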