CFEngine 3.12.2-3, 3.14.0-2 released (mitigating CVE-2019-10164)

Posted by:

06 Aug 2019

On [2019-07-29 Mon] we released new builds of our Enterprise Hub packages for
3.12.2 and 3.14.0. This release addresses CVE-2019-10164.

PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are
vulnerable to a stack-based buffer overflow. Any authenticated user can overflow
a stack-based buffer by changing the user’s own password to a purpose-crafted
value. This often suffices to execute arbitrary code as the PostgreSQL operating
system account.

CFEngine Enterprise LTS versions 3.12.0, 3.12.1, 3.12.2-1, 3.12.2-2, and non-LTS
version 3.14.0 vendor PostgreSQL versions affected by this vulnerability. In the
default configuration as access to root or cfpostgres
local users must be achieved first.

The replacement hub packages can be found on the downloads page.

If you have any questions about this, please email

Nick Anderson