Headline
Ubuntu Security Notice USN-6656-1
Ubuntu Security Notice 6656-1 - It was discovered that PostgreSQL incorrectly handled dropping privileges when handling REFRESH MATERIALIZED VIEW CONCURRENTLY commands. If a user or automatic system were tricked into running a specially crafted command, a remote attacker could possibly use this issue to execute arbitrary SQL functions.
==========================================================================
Ubuntu Security Notice USN-6656-1
February 26, 2024
postgresql-12, postgresql-14, postgresql-15 vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
PostgreSQL could be made to run arbitrary SQL.
Software Description:
- postgresql-15: Object-relational SQL database
- postgresql-14: Object-relational SQL database
- postgresql-12: Object-relational SQL database
Details:
It was discovered that PostgreSQL incorrectly handled dropping privileges
when handling REFRESH MATERIALIZED VIEW CONCURRENTLY commands. If a user or
automatic system were tricked into running a specially crafted command, a
remote attacker could possibly use this issue to execute arbitrary SQL
functions.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
postgresql-15 15.6-0ubuntu0.23.10.1
postgresql-client-15 15.6-0ubuntu0.23.10.1
Ubuntu 22.04 LTS:
postgresql-14 14.11-0ubuntu0.22.04.1
postgresql-client-14 14.11-0ubuntu0.22.04.1
Ubuntu 20.04 LTS:
postgresql-12 12.18-0ubuntu0.20.04.1
postgresql-client-12 12.18-0ubuntu0.20.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6656-1
CVE-2024-0985
Package Information:
https://launchpad.net/ubuntu/+source/postgresql-15/15.6-0ubuntu0.23.10.1
https://launchpad.net/ubuntu/+source/postgresql-14/14.11-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/postgresql-12/12.18-0ubuntu0.20.04.1
Related news
Red Hat Security Advisory 2024-1429-03 - An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.4 Advanced Update Support.
Red Hat Security Advisory 2024-1428-03 - An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.
Red Hat Security Advisory 2024-1422-03 - An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.
Red Hat Security Advisory 2024-1348-03 - An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.
Red Hat Security Advisory 2024-1315-03 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.
Red Hat Security Advisory 2024-1241-03 - An update for postgresql is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.
Red Hat Security Advisory 2024-1240-03 - An update for postgresql is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.
Red Hat Security Advisory 2024-1195-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.4 Advanced Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.
Red Hat Security Advisory 2024-1071-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.
Red Hat Security Advisory 2024-1017-03 - An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.
Red Hat Security Advisory 2024-0992-03 - An update for rh-postgresql10-postgresql is now available for Red Hat Software Collections.
Red Hat Security Advisory 2024-0990-03 - An update for rh-postgresql12-postgresql is now available for Red Hat Software Collections.
Red Hat Security Advisory 2024-0988-03 - An update for rh-postgresql13-postgresql is now available for Red Hat Software Collections.
Red Hat Security Advisory 2024-0975-03 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.
Red Hat Security Advisory 2024-0974-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.
Red Hat Security Advisory 2024-0973-03 - An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 8.
Red Hat Security Advisory 2024-0951-03 - An update for postgresql is now available for Red Hat Enterprise Linux 9.
Red Hat Security Advisory 2024-0950-03 - An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 9.
Debian Linux Security Advisory 5623-1 - It was discovered that a late privilege drop in the "REFRESH MATERIALIZED VIEW CONCURRENTLY" command could allow an attacker to trick a user with higher privileges to run SQL commands with these permissions.
Debian Linux Security Advisory 5622-1 - It was discovered that a late privilege drop in the "REFRESH MATERIALIZED VIEW CONCURRENTLY" command could allow an attacker to trick a user with higher privileges to run SQL commands with these permissions.