Headline
Red Hat Security Advisory 2023-0160-01
Red Hat Security Advisory 2023-0160-01 - PostgreSQL is an advanced object-relational database management system.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: rh-postgresql10-postgresql security and bug fix update
Advisory ID: RHSA-2023:0160-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0160
Issue date: 2023-01-12
CVE Names: CVE-2022-2625
=====================================================================
- Summary:
An update for rh-postgresql10-postgresql is now available for Red Hat
Software Collections.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64
- Description:
PostgreSQL is an advanced object-relational database management system
(DBMS).
The following packages have been upgraded to a later upstream version:
rh-postgresql10-postgresql (10.23).
Security Fix(es):
- postgresql: Extension scripts replace objects not belonging to the
extension. (CVE-2022-2625)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
- rh-postgresql10-postgresql: Update to the latest PostgreSQL version 10.23
(BZ#2157611)
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
If the postgresql service is running, it will be automatically restarted
after installing this update.
- Bugs fixed (https://bugzilla.redhat.com/):
2113825 - CVE-2022-2625 postgresql: Extension scripts replace objects not belonging to the extension.
2157611 - rh-postgresql10-postgresql: Update to the latest PostgreSQL version 10.23 [rhscl-3.8.z]
- Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
rh-postgresql10-postgresql-10.23-1.el7.src.rpm
ppc64le:
rh-postgresql10-postgresql-10.23-1.el7.ppc64le.rpm
rh-postgresql10-postgresql-contrib-10.23-1.el7.ppc64le.rpm
rh-postgresql10-postgresql-contrib-syspaths-10.23-1.el7.ppc64le.rpm
rh-postgresql10-postgresql-debuginfo-10.23-1.el7.ppc64le.rpm
rh-postgresql10-postgresql-devel-10.23-1.el7.ppc64le.rpm
rh-postgresql10-postgresql-docs-10.23-1.el7.ppc64le.rpm
rh-postgresql10-postgresql-libs-10.23-1.el7.ppc64le.rpm
rh-postgresql10-postgresql-plperl-10.23-1.el7.ppc64le.rpm
rh-postgresql10-postgresql-plpython-10.23-1.el7.ppc64le.rpm
rh-postgresql10-postgresql-pltcl-10.23-1.el7.ppc64le.rpm
rh-postgresql10-postgresql-server-10.23-1.el7.ppc64le.rpm
rh-postgresql10-postgresql-server-syspaths-10.23-1.el7.ppc64le.rpm
rh-postgresql10-postgresql-static-10.23-1.el7.ppc64le.rpm
rh-postgresql10-postgresql-syspaths-10.23-1.el7.ppc64le.rpm
rh-postgresql10-postgresql-test-10.23-1.el7.ppc64le.rpm
s390x:
rh-postgresql10-postgresql-10.23-1.el7.s390x.rpm
rh-postgresql10-postgresql-contrib-10.23-1.el7.s390x.rpm
rh-postgresql10-postgresql-contrib-syspaths-10.23-1.el7.s390x.rpm
rh-postgresql10-postgresql-debuginfo-10.23-1.el7.s390x.rpm
rh-postgresql10-postgresql-devel-10.23-1.el7.s390x.rpm
rh-postgresql10-postgresql-docs-10.23-1.el7.s390x.rpm
rh-postgresql10-postgresql-libs-10.23-1.el7.s390x.rpm
rh-postgresql10-postgresql-plperl-10.23-1.el7.s390x.rpm
rh-postgresql10-postgresql-plpython-10.23-1.el7.s390x.rpm
rh-postgresql10-postgresql-pltcl-10.23-1.el7.s390x.rpm
rh-postgresql10-postgresql-server-10.23-1.el7.s390x.rpm
rh-postgresql10-postgresql-server-syspaths-10.23-1.el7.s390x.rpm
rh-postgresql10-postgresql-static-10.23-1.el7.s390x.rpm
rh-postgresql10-postgresql-syspaths-10.23-1.el7.s390x.rpm
rh-postgresql10-postgresql-test-10.23-1.el7.s390x.rpm
x86_64:
rh-postgresql10-postgresql-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-contrib-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-contrib-syspaths-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-debuginfo-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-devel-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-docs-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-libs-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-plperl-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-plpython-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-pltcl-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-server-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-server-syspaths-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-static-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-syspaths-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-test-10.23-1.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source:
rh-postgresql10-postgresql-10.23-1.el7.src.rpm
x86_64:
rh-postgresql10-postgresql-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-contrib-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-contrib-syspaths-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-debuginfo-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-devel-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-docs-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-libs-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-plperl-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-plpython-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-pltcl-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-server-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-server-syspaths-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-static-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-syspaths-10.23-1.el7.x86_64.rpm
rh-postgresql10-postgresql-test-10.23-1.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-2625
https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY8A2kNzjgjWX9erEAQjivg/+KpxDuFgmrVStMcbCKvPW3o+DOdp+COkk
lD/fgU0+Q4YYeeOMm6DC9bd6hxV3SAozySBxEuvPR4Y6Mgz5XGIP+Z+10YVceK1s
UcGtaZKN6PsMVqqWWDpCz8JFio9hdOPI8Gw2SbnOtb1knBbGHW8zdt+3xp+vRdg8
168L57Ng3HIXo5bPObZFYa5M//Qxs5NpqVI5M4vJbwGhMAMRxTy4ttvuQX98dp7+
GosAZSKnZRSs3Kfgv91dDBxEdAXqIwutuTmgewpgOJl2uOuRSgdf6O4Iys3gcB9P
wUL3WyNnW3g056yf4qtrUHCYW8e9nryj8dv10spmSpbD/56t3gxeapTtMmUTxZoZ
S0itLTdhAeUsF3kwXtOehm5N3Kn57tQpbrgWjpfuri26P5ZUylO8XpnEZVXUV6/3
Hh5EZFTNWGgdFV2EGkUDJVkpBMlqxHrAgLKBFTJvpjJ6rGvAInJUbLa51oKQPyS2
DVW+RN29ASmUMz0tEf+zxpJ21NqkogD8G+RXxzadj9dxR7h3FoO2uEGxIQ/wpBNN
pvS6jHigVdTymnR2V7x4JEAxAgRkpLRKUHiCcBZw+epLiS+jUGWVRESWVq6JDpwi
yYuhaSo02TMjDUkF9HEOsAAwJRU2LWzoLAy1QrusolBZP+lDP/LhT6lDwhzoUPwl
BsDBF74jGFk=
=5LSM
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Red Hat Security Advisory 2023-7694-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2023-7667-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2023-7545-01 - An update for postgresql is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
An update for postgresql is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2625: A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT ...
An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2625: A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or ...
Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.
Red Hat Security Advisory 2023-0113-01 - PostgreSQL is an advanced object-relational database management system.
An update for rh-postgresql10-postgresql is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2625: postgresql: Extension scripts replace objects not belonging to the extension.
An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2625: postgresql: Extension scripts replace objects not belonging to the extension.
Gentoo Linux Security Advisory 202211-4 - Multiple vulnerabilities have been found in PostgreSQL, the worst of which could result in remote code execution. Versions greater than or equal to 10.22:10 are affected.
An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2625: postgresql: Extension scripts replace objects not belonging to the extension.
Ubuntu Security Notice 5571-1 - Sven Klemm discovered that PostgreSQL incorrectly handled extensions. An attacker could possibly use this issue to execute arbitrary code when extensions are created or updated.
A vulnerability found in postgresql. On this security issue an attack requires permission to create non-temporary objects in at least one schema, ability to lure or wait for an administrator to create or update an affected extension in that schema, and ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, the attacker can run arbitrary code as the victim role, which may be a superuser. Known-affected extensions include both PostgreSQL-bundled and non-bundled extensions. PostgreSQL blocks this attack in the core server, so there's no need to modify individual extensions.
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.