DRAFT: FDW security advisories (mysql_fdw / mongo_fdw / hdfs_fdw)#7189
Closed
vtran-edb wants to merge 5 commits into
Closed
DRAFT: FDW security advisories (mysql_fdw / mongo_fdw / hdfs_fdw)#7189vtran-edb wants to merge 5 commits into
vtran-edb wants to merge 5 commits into
Conversation
Add seven draft CVE advisories for the MySQL, MongoDB, and HDFS foreign data wrappers, formatted to the security advisory template, plus the regenerated advisories index. DRAFT for dev-team review before publication. Placeholders remain: - CVE IDs (CVE-YYYY-NNNN) pending assignment - First Published dates and first-fix release versions - CVE-G (mongo_fdw ObjectId OOB read) has an unresolved traceability gap and MUST NOT be published until commit 5d48478 is reviewed. index.mdx regenerated via tools/automation/generators/advisoryindex. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…5d48478) The mongo_fdw ObjectId out-of-bounds fix was supplied as FDW-753 patch v333-0002 (commit 5d48478) and has now been reviewed and confirmed: 12-byte bytea length check in append_mongo_value() and a bson_oid_is_valid() gate in bsonOidFromString(), with a regression test. Resolves the earlier traceability gap; CVE-G is no longer a publication blocker. Remains borderline pending PSIRT's CVE determination. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…advisories A-D The final squashed mysql_fdw commits were supplied as FDW-754 patches v4444-0003 (8d01880, SQL injection) and v4444-0004 (cad96fe, superuser gating) and have now been reviewed and confirmed: - CVE-A: NO_BACKSLASH_ESCAPES + single-quote-only escaping (multibyte charset fix) present in v4444-0003 (was previously only in FDW-759). - CVE-B: v4444-0004 gates init_command AND mysql_default_file/ssl_* (both facets; the file-read gating was absent from the v1 patch). - CVE-C/D: analyze/IMPORT/sql_mode escaping and hostile-server IMPORT DDL quoting confirmed. Remediation references updated to cite the reviewed final patches. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…sory The final squashed hdfs_fdw commits were supplied as FDW-755 patches v22-0002 (657029b, HiveQL injection + credential exposure) and v22-0001 (4aa0df9, hardening) and have now been reviewed and confirmed: - CVE-F (v22-0002): single-quote doubling in hdfs_deparse_string(), trustStorePassword redaction (C DEBUG3 + JDBC), explicit_bzero of credentials and the connstr buffer. - Companion hardening (v22-0001, no CVE): dbname/table_name identifier validation and removal of the dummy userName/password fallback. The exploitable-vs-hardening split holds in the final versions. Remediation reference updated to cite the reviewed final patch. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…62157) Replace the CVE-YYYY-NNNN placeholders with the reserved EDB CNA IDs and rename the files to the cve<year><number>.mdx convention: cve202662151 A mysql_fdw multibyte-charset SQL injection cve202662152 B mysql_fdw privileged connection options cve202662153 C mysql_fdw SQLi via ANALYZE/IMPORT/sql_mode cve202662154 D mysql_fdw local injection from hostile server on IMPORT cve202662155 E mongo_fdw connection-URI injection cve202662156 F hdfs_fdw HiveQL injection cve202662157 G mongo_fdw ObjectId out-of-bounds read Indexes regenerated via tools/automation/generators/advisoryindex. Still draft: First Published dates and first-fix release versions remain to be set before publication. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
Author
|
Closing and removing this branch. These draft FDW security advisories (CVE-2026-62151..62157) are being migrated to the internal EnterpriseDB/docs-editorial repository, per the CVE Handling SOP — security advisories are authored and reviewed there, not in the public docs repo. Removing the pre-publication CVE content from the public repository. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Draft security advisories for the three foreign data wrappers, covering the vulnerabilities fixed under FDW-753 / FDW-754 / FDW-755 / FDW-759. Seven advisory
.mdxfiles (formatted tocve.mdx.template) plus the regenerated indexes.Still a DRAFT — CVE IDs are now assigned, but First Published dates and first-fix release versions remain to be set before publication.
Advisories
CVE IDs reserved from the EDB CNA on 2026-07-13. All fixes reviewed against the final patch series (mongo
v333, mysqlv4444, hdfsv22).Remaining before publishing
TBD(advisories group under a "Released TBD" section until set).tools/automation/generators/advisoryindexafter dates are set so the index regroups by year.Reviewer notes
authentication_database/replica_setare server options), not a plain user mapping; the low-privilege vector is connection redirection. See the advisory's Note block.5d48478, FDW-753v333-0002) has been reviewed and confirmed.index.mdxandsecurity/index.mdxwere regenerated with the official generator (not hand-edited).🤖 Generated with Claude Code