Daniel Gustafsson

**Name of the Vulnerable Software and Affected Versions** cURL versions (affected versions not specified) **Description** The issue is related to an error in the logic for removing protocols when a protocol selection parameter option disables all protocols without adding any. This allows the default set of protocols to remain in the allowed set. The flaw can be demonstrated with the command `curl --proto -all,-http http://curl.se`, which performs a request to curl.se with a plaintext protocol that has been explicitly disabled. The curl security team has assessed this as a low severity bug, noting it is unlikely to be encountered in real situations due to its impractical use case. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Postgresql versions prior to 11.5 Postgresql versions prior to 10.10 Postgresql versions prior to 9.6.15 Postgresql versions prior to 9.5.19 Postgresql versions prior to 9.4.24 **Description** The issue is related to the Postgresql Windows installer, which is vulnerable due to the bundled OpenSSL executing code from an unprotected directory. This vulnerability is associated with errors in code generation management, which can be exploited to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For versions prior to 11.5, update to version 11.5 or later. For versions prior to 10.10, update to version 10.10 or later. For versions prior to 9.6.15, update to version 9.6.15 or later. For versions prior to 9.5.19, update to version 9.5.19 or later. For versions prior to 9.4.24, update to version 9.4.24 or later.

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions 9.3.x through 9.3.16 PostgreSQL versions 9.4.x through 9.4.11 PostgreSQL versions 9.5.x through 9.5.6 PostgreSQL versions 9.6.x through 9.6.2 **Description** The issue is related to the libpq library in the PostgreSQL database management system, where the lack of enforced TLS connection usage is a concern. This could allow a remote attacker to perform a Man-in-the-Middle attack, potentially stripping the SSL/TLS protection from a connection between a client and a server. The PGREQUIRESSL environment variable was found to no longer enforce a SSL/TLS connection to a PostgreSQL server. **Recommendations** For PostgreSQL versions 9.3.x through 9.3.16, update to version 9.3.17 or later. For PostgreSQL versions 9.4.x through 9.4.11, update to version 9.4.12 or later. For PostgreSQL versions 9.5.x through 9.5.6, update to version 9.5.7 or later. For PostgreSQL versions 9.6.x through 9.6.2, update to version 9.6.3 or later.