Ubuntu Security Notice USN-5906-1

Ubuntu Security Notice 5906-1 - Jacob Champion discovered that the PostgreSQL client incorrectly handled Kerberos authentication. If a user or automated system were tricked into connecting to a malicious server, a remote attacker could possibly use this issue to obtain sensitive information.

Packet Storm

==========================================================================
Ubuntu Security Notice USN-5906-1
March 02, 2023

postgresql-12, postgresql-14 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 22.10
  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS

Summary:

PostgreSQL could be made to expose sensitive information over the network.

Software Description:

  • postgresql-14: Object-relational SQL database
  • postgresql-12: Object-relational SQL database

Details:

Jacob Champion discovered that the PostgreSQL client incorrectly handled
Kerberos authentication. If a user or automated system were tricked into
connecting to a malicious server, a remote attacker could possibly use this
issue to obtain sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
postgresql-14 14.7-0ubuntu0.22.10.1
postgresql-client-14 14.7-0ubuntu0.22.10.1

Ubuntu 22.04 LTS:
postgresql-14 14.7-0ubuntu0.22.04.1
postgresql-client-14 14.7-0ubuntu0.22.04.1

Ubuntu 20.04 LTS:
postgresql-12 12.14-0ubuntu0.20.04.1
postgresql-client-12 12.14-0ubuntu0.20.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
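
As an added example (not part of the Ubuntu notice), the script below compares installed PostgreSQL package versions against the fixed versions listed above. The function names and the `--audit` argument are this example's own, and the `sort -V` fallback used on hosts without `dpkg` only approximates Debian version ordering.

```bash
#!/usr/bin/env bash
# Added example, not part of USN-5906-1. Function names are this example's own.
# Fixed version from the notice for a given Ubuntu VERSION_ID and package.
fixed_version() {
    case "$1:$2" in
        22.10:postgresql-14|22.10:postgresql-client-14) echo "14.7-0ubuntu0.22.10.1" ;;
        22.04:postgresql-14|22.04:postgresql-client-14) echo "14.7-0ubuntu0.22.04.1" ;;
        20.04:postgresql-12|20.04:postgresql-client-12) echo "12.14-0ubuntu0.20.04.1" ;;
        *) return 1 ;;
    esac
}

# True when version $1 is greater than or equal to version $2.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        # Assumption: sort -V is close enough to Debian ordering for these versions.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
    fi
}

# check_pkg RELEASE PACKAGE INSTALLED_VERSION
# Returns 0 if patched, 1 if below the fixed version, 2 if the notice does not list it.
check_pkg() {
    local fixed
    fixed=$(fixed_version "$1" "$2") || {
        echo "$2 on Ubuntu $1: not listed in USN-5906-1"; return 2
    }
    if version_ge "$3" "$fixed"; then
        echo "$2 $3: patched (>= $fixed)"; return 0
    fi
    echo "$2 $3: below fixed version $fixed"; return 1
}

# Check the packages installed on this host; returns 1 if any is unpatched.
audit_host() {
    local release pkg ver rc=0
    release=$(. /etc/os-release && echo "$VERSION_ID")
    for pkg in postgresql-14 postgresql-client-14 postgresql-12 postgresql-client-12; do
        ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || continue
        [ -n "$ver" ] || continue
        # Only status 1 (unpatched) marks the host as failing.
        check_pkg "$release" "$pkg" "$ver" || [ $? -ne 1 ] || rc=1
    done
    return "$rc"
}

if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

A patched package still runs the old code until PostgreSQL is restarted, as the notice states, so a passing check does not replace the restart.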

References:
https://ubuntu.com/security/notices/USN-5906-1
CVE-2022-41862

Package Information:
https://launchpad.net/ubuntu/+source/postgresql-14/14.7-0ubuntu0.22.10.1
https://launchpad.net/ubuntu/+source/postgresql-14/14.7-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/postgresql-12/12.14-0ubuntu0.20.04.1

Related news

Red Hat Security Advisory 2023-7695-03

Red Hat Security Advisory 2023-7695-03 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

Red Hat Security Advisory 2023-7694-03

Red Hat Security Advisory 2023-7694-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

Red Hat Security Advisory 2023-7667-03

Red Hat Security Advisory 2023-7667-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

Red Hat Security Advisory 2023-7666-03

Red Hat Security Advisory 2023-7666-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

Red Hat Security Advisory 2023-7580-01

Red Hat Security Advisory 2023-7580-01 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

Red Hat Security Advisory 2023-7545-01

Red Hat Security Advisory 2023-7545-01 - An update for postgresql is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

Red Hat Security Advisory 2023-4535-01

Red Hat Security Advisory 2023-4535-01 - PostgreSQL is an advanced object-relational database management system.

CVE-2023-32463: DSA-2023-200: Security Update for Dell VxRail for Multiple Third-Party Component Vulnerabilities

Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.

RHSA-2023:1693: Red Hat Security Advisory: postgresql security update

An update for postgresql is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2625: A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT ...

RHSA-2023:1576: Red Hat Security Advisory: postgresql:13 security update

An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2625: A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or ...

CVE-2022-41862: Client memory disclosure when connecting, with Kerberos, to modified server

In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.
