Headline
Red Hat Security Advisory 2023-4535-01
Red Hat Security Advisory 2023-4535-01 - PostgreSQL is an advanced object-relational database management system.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: postgresql:12 security update
Advisory ID: RHSA-2023:4535-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4535
Issue date: 2023-08-08
CVE Names: CVE-2022-41862 CVE-2023-2454 CVE-2023-2455
=====================================================================
- Summary:
An update for the postgresql:12 module is now available for Red Hat
Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64
- Description:
PostgreSQL is an advanced object-relational database management system
(DBMS).
Security Fix(es):
postgresql: schema_element defeats protective search_path changes
(CVE-2023-2454)postgresql: row security policies disregard user ID changes after
inlining. (CVE-2023-2455)postgresql: Client memory disclosure when connecting with Kerberos to
modified server (CVE-2022-41862)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
If the postgresql service is running, it will be automatically restarted
after installing this update.
- Bugs fixed (https://bugzilla.redhat.com/):
2165722 - CVE-2022-41862 postgresql: Client memory disclosure when connecting with Kerberos to modified server
2207568 - CVE-2023-2454 postgresql: schema_element defeats protective search_path changes
2207569 - CVE-2023-2455 postgresql: row security policies disregard user ID changes after inlining.
- Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source:
pg_repack-1.4.6-3.module+el8.5.0+11354+78b3c9c5.src.rpm
pgaudit-1.4.0-5.module+el8.5.0+11354+78b3c9c5.src.rpm
postgres-decoderbufs-0.10.0-2.module+el8.5.0+11354+78b3c9c5.src.rpm
postgresql-12.15-1.module+el8.8.0+19427+d1071523.src.rpm
aarch64:
pg_repack-1.4.6-3.module+el8.5.0+11354+78b3c9c5.aarch64.rpm
pg_repack-debuginfo-1.4.6-3.module+el8.5.0+11354+78b3c9c5.aarch64.rpm
pg_repack-debugsource-1.4.6-3.module+el8.5.0+11354+78b3c9c5.aarch64.rpm
pgaudit-1.4.0-5.module+el8.5.0+11354+78b3c9c5.aarch64.rpm
pgaudit-debuginfo-1.4.0-5.module+el8.5.0+11354+78b3c9c5.aarch64.rpm
pgaudit-debugsource-1.4.0-5.module+el8.5.0+11354+78b3c9c5.aarch64.rpm
postgres-decoderbufs-0.10.0-2.module+el8.5.0+11354+78b3c9c5.aarch64.rpm
postgres-decoderbufs-debuginfo-0.10.0-2.module+el8.5.0+11354+78b3c9c5.aarch64.rpm
postgres-decoderbufs-debugsource-0.10.0-2.module+el8.5.0+11354+78b3c9c5.aarch64.rpm
postgresql-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-contrib-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-contrib-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-debugsource-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-docs-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-docs-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-plperl-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-plperl-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-plpython3-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-plpython3-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-pltcl-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-pltcl-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-server-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-server-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-server-devel-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-server-devel-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-static-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-test-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-test-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-upgrade-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-upgrade-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-upgrade-devel-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
postgresql-upgrade-devel-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.aarch64.rpm
noarch:
postgresql-test-rpm-macros-12.15-1.module+el8.8.0+19427+d1071523.noarch.rpm
ppc64le:
pg_repack-1.4.6-3.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm
pg_repack-debuginfo-1.4.6-3.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm
pg_repack-debugsource-1.4.6-3.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm
pgaudit-1.4.0-5.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm
pgaudit-debuginfo-1.4.0-5.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm
pgaudit-debugsource-1.4.0-5.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm
postgres-decoderbufs-0.10.0-2.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm
postgres-decoderbufs-debuginfo-0.10.0-2.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm
postgres-decoderbufs-debugsource-0.10.0-2.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm
postgresql-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-contrib-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-contrib-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-debugsource-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-docs-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-docs-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-plperl-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-plperl-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-plpython3-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-plpython3-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-pltcl-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-pltcl-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-server-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-server-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-server-devel-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-server-devel-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-static-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-test-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-test-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-upgrade-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-upgrade-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-upgrade-devel-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
postgresql-upgrade-devel-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.ppc64le.rpm
s390x:
pg_repack-1.4.6-3.module+el8.5.0+11354+78b3c9c5.s390x.rpm
pg_repack-debuginfo-1.4.6-3.module+el8.5.0+11354+78b3c9c5.s390x.rpm
pg_repack-debugsource-1.4.6-3.module+el8.5.0+11354+78b3c9c5.s390x.rpm
pgaudit-1.4.0-5.module+el8.5.0+11354+78b3c9c5.s390x.rpm
pgaudit-debuginfo-1.4.0-5.module+el8.5.0+11354+78b3c9c5.s390x.rpm
pgaudit-debugsource-1.4.0-5.module+el8.5.0+11354+78b3c9c5.s390x.rpm
postgres-decoderbufs-0.10.0-2.module+el8.5.0+11354+78b3c9c5.s390x.rpm
postgres-decoderbufs-debuginfo-0.10.0-2.module+el8.5.0+11354+78b3c9c5.s390x.rpm
postgres-decoderbufs-debugsource-0.10.0-2.module+el8.5.0+11354+78b3c9c5.s390x.rpm
postgresql-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-contrib-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-contrib-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-debugsource-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-docs-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-docs-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-plperl-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-plperl-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-plpython3-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-plpython3-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-pltcl-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-pltcl-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-server-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-server-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-server-devel-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-server-devel-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-static-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-test-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-test-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-upgrade-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-upgrade-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-upgrade-devel-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
postgresql-upgrade-devel-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.s390x.rpm
x86_64:
pg_repack-1.4.6-3.module+el8.5.0+11354+78b3c9c5.x86_64.rpm
pg_repack-debuginfo-1.4.6-3.module+el8.5.0+11354+78b3c9c5.x86_64.rpm
pg_repack-debugsource-1.4.6-3.module+el8.5.0+11354+78b3c9c5.x86_64.rpm
pgaudit-1.4.0-5.module+el8.5.0+11354+78b3c9c5.x86_64.rpm
pgaudit-debuginfo-1.4.0-5.module+el8.5.0+11354+78b3c9c5.x86_64.rpm
pgaudit-debugsource-1.4.0-5.module+el8.5.0+11354+78b3c9c5.x86_64.rpm
postgres-decoderbufs-0.10.0-2.module+el8.5.0+11354+78b3c9c5.x86_64.rpm
postgres-decoderbufs-debuginfo-0.10.0-2.module+el8.5.0+11354+78b3c9c5.x86_64.rpm
postgres-decoderbufs-debugsource-0.10.0-2.module+el8.5.0+11354+78b3c9c5.x86_64.rpm
postgresql-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-contrib-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-contrib-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-debugsource-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-docs-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-docs-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-plperl-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-plperl-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-plpython3-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-plpython3-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-pltcl-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-pltcl-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-server-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-server-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-server-devel-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-server-devel-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-static-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-test-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-test-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-upgrade-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-upgrade-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-upgrade-devel-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
postgresql-upgrade-devel-debuginfo-12.15-1.module+el8.8.0+19427+d1071523.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-41862
https://access.redhat.com/security/cve/CVE-2023-2454
https://access.redhat.com/security/cve/CVE-2023-2455
https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJk0k9CAAoJENzjgjWX9erEE1sP+wTqIUW8IoSarpOGvtnKOyF2
bi5RtyUYPYuhIqaKCK2UsPG3nDm22Icm+BGg4DlyVKm7nDNOEqn9zZ5yVIhhdj6u
Y3XgfCQ73qIp4S5Kk2/EamjkW+qApav//KwvtYsAKnRSdehnsoPITXyrP6CvNecq
nDstngk4YXYZmSSWf9+G4qcrW2KYE9ZXb3Y9neDlps+tllMHtCkDll/yovbCsDAl
TmvUC/rspIlQT0ORUtzbDF6UxbxRNObshQb8eIv/5dEEFi0vhpaBHSEc02qkAmwt
YEUK6PmOuMnG+t2MmY9qU2JIAWIolhj1mrW+9t0QEtQwnRe3WAdC/u6L6Y8A+Vaq
su0qGiDIzxucA9GEZaLEwcgFF0oHQGy1bAlosmrfd72J22c1CrGLhUalHX48OC/K
Uvi1hQjtldMkfjPPcFf1HAQQxdHdmPciYfAGK4cNQtSN2BDTxmXbqZ88MI/K40OZ
ljQ33r0vAY5JT92wK9H2ywPPua8hvyfwPx3kCRWjkyJRi+pYUlmDMFfnl0bRQPdF
Kg82S2EgDFm1UJ5+FKQYsG1DiWrpyKn5A2QaNzTdJRSHME7y2AwlrDWyYZs8RRPT
UMURHrR5A5m0PLrdBTCfHb9HntQ2llqqdzGnD18AcU/gAUBxWfTSR9Xwa9g4QVHQ
rsj1k41v/v4CYSXYiSOq
=VOC5
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Red Hat Security Advisory 2023-7695-03 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2023-7694-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2023-7667-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2023-7666-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
An issue exists in SoftIron HyperCloud where compute nodes may come online immediately without following the correct initialization process. In this instance, workloads may be scheduled on these nodes and deploy to a failed or erroneous state, which impacts the availability of these workloads that may be deployed during this time window. This issue impacts HyperCloud versions from 2.0.0 to before 2.0.3.
Red Hat Security Advisory 2023-7580-01 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2023-7545-01 - An update for postgresql is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2023-5269-01 - PostgreSQL is an advanced object-relational database management system.
Red Hat Security Advisory 2023-4539-01 - PostgreSQL is an advanced object-relational database management system.
Red Hat Security Advisory 2023-4539-01 - PostgreSQL is an advanced object-relational database management system.
Red Hat Security Advisory 2023-4527-01 - PostgreSQL is an advanced object-relational database management system.
Red Hat Security Advisory 2023-4313-01 - PostgreSQL is an advanced object-relational database management system.
Red Hat Security Advisory 2023-4313-01 - PostgreSQL is an advanced object-relational database management system.
An update for rh-postgresql12-postgresql is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-2454: A flaw was found in PostgreSQL. Certain database calls could permit an attacker with elevated database-level privileges to execute arbitrary code. * CVE-2023-2455: A flaw was found in PostgreSQL, which could permit incorrect policies being applied in certain cases where role-specific policies are used and a given query is plan...
An update for rh-postgresql12-postgresql is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-2454: A flaw was found in PostgreSQL. Certain database calls could permit an attacker with elevated database-level privileges to execute arbitrary code. * CVE-2023-2455: A flaw was found in PostgreSQL, which could permit incorrect policies being applied in certain cases where role-specific policies are used and a given query is plan...
Ubuntu Security Notice 6230-1 - Alexander Lakhin discovered that PostgreSQL incorrectly handled certain CREATE privileges. An authenticated user could possibly use this issue to execute arbitrary code as the bootstrap supervisor.
Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.
Red Hat Security Advisory 2023-3714-01 - PostgreSQL is an advanced object-relational database management system.
Red Hat Security Advisory 2023-3714-01 - PostgreSQL is an advanced object-relational database management system.
Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.
Ubuntu Security Notice 6104-1 - Alexander Lakhin discovered that PostgreSQL incorrectly handled certain CREATE privileges. An authenticated user could possibly use this issue to execute arbitrary code as the bootstrap supervisor. Wolfgang Walther discovered that PostgreSQL incorrectly handled certain row security policies. An authenticated user could possibly use this issue to complete otherwise forbidden reads and modifications.
Ubuntu Security Notice 6104-1 - Alexander Lakhin discovered that PostgreSQL incorrectly handled certain CREATE privileges. An authenticated user could possibly use this issue to execute arbitrary code as the bootstrap supervisor. Wolfgang Walther discovered that PostgreSQL incorrectly handled certain row security policies. An authenticated user could possibly use this issue to complete otherwise forbidden reads and modifications.
Debian Linux Security Advisory 5401-1 - Two security issues were found in PostgreSQL, which may result in privilege escalation or incorrect policy enforcement.
Debian Linux Security Advisory 5401-1 - Two security issues were found in PostgreSQL, which may result in privilege escalation or incorrect policy enforcement.
An update for postgresql is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2625: A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT ...
An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2625: A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or ...
In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.
Ubuntu Security Notice 5906-1 - Jacob Champion discovered that the PostgreSQL client incorrectly handled Kerberos authentication. If a user or automated system were tricked into connecting to a malicious server, a remote attacker could possibly use this issue to obtain sensitive information.