Headline
Red Hat Security Advisory 2023-0113-01
Red Hat Security Advisory 2023-0113-01 - PostgreSQL is an advanced object-relational database management system.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: postgresql:10 security update
Advisory ID: RHSA-2023:0113-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0113
Issue date: 2023-01-12
CVE Names: CVE-2022-2625
=====================================================================
- Summary:
An update for the postgresql:10 module is now available for Red Hat
Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
- Description:
PostgreSQL is an advanced object-relational database management system
(DBMS).
Security Fix(es):
- postgresql: Extension scripts replace objects not belonging to the
extension. (CVE-2022-2625)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
If the postgresql service is running, it will be automatically restarted
after installing this update.
- Bugs fixed (https://bugzilla.redhat.com/):
2113825 - CVE-2022-2625 postgresql: Extension scripts replace objects not belonging to the extension.
- Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source:
postgresql-10.23-1.module+el8.7.0+17280+3a452e1f.src.rpm
aarch64:
postgresql-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-contrib-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-contrib-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-debugsource-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-docs-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-docs-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-plperl-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-plperl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-plpython3-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-plpython3-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-pltcl-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-pltcl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-server-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-server-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-server-devel-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-server-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-static-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-test-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-test-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-test-rpm-macros-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-upgrade-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-upgrade-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-upgrade-devel-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
postgresql-upgrade-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm
ppc64le:
postgresql-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-contrib-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-contrib-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-debugsource-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-docs-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-docs-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-plperl-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-plperl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-plpython3-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-plpython3-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-pltcl-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-pltcl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-server-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-server-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-server-devel-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-server-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-static-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-test-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-test-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-test-rpm-macros-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-upgrade-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-upgrade-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-upgrade-devel-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
postgresql-upgrade-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm
s390x:
postgresql-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-contrib-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-contrib-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-debugsource-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-docs-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-docs-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-plperl-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-plperl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-plpython3-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-plpython3-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-pltcl-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-pltcl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-server-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-server-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-server-devel-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-server-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-static-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-test-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-test-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-test-rpm-macros-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-upgrade-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-upgrade-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-upgrade-devel-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
postgresql-upgrade-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm
x86_64:
postgresql-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-contrib-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-contrib-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-debugsource-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-docs-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-docs-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-plperl-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-plperl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-plpython3-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-plpython3-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-pltcl-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-pltcl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-server-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-server-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-server-devel-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-server-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-static-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-test-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-test-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-test-rpm-macros-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-upgrade-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-upgrade-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-upgrade-devel-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
postgresql-upgrade-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-2625
https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY7/i99zjgjWX9erEAQiXbA//WFJNDVuYD112PQg6wO+FY9ee3L4eDa7x
XIuCvIpVe6MxugA85cM0/h6NyvsUM7PyZC0aH/QU2uN2yDVgYr39xLNexocHvxAR
EFiJOZhK+24uBxc9bfm+jVNqtbVOjkzhScUwjNtP5W4QZbBxzgPPTb0Ybzd9ixvk
GV8DifcjfX1edlBCqV78Hx1P1ISSMipKeTs5HtHsAZ4uK53anrdqZASe2yVy/FVr
D/s1DeKfWh/AF/6w5JNWB+MWgsQzOnoXH25agzJAE91+uewLk1XWIm3ky7efSYny
2QwuNCseR5IL1rdaSCgIZY1+khyc1qMk9MxRUs54bJzWi8OMJXvsN08I8gsngrxV
Nf27NQfMx9KjIkMo/+cV93rWHzhsjzM0uNb1CrJvBNtr5xWfIsD4vTiSJIP91hpY
hBqo8+1pI6Wo66dQkrLDrSo7gdmcLegE56GEAZtwEMPyraXcvb5qToM4OVW8kiVE
4Kw7CGodi864kesB6ZCKPY7vr68/OjOkWhvbqtbQ1D9kz1UvzRMAAF0meP5fA//s
PLidab430BWeGd1UagqkQVVBSZ+TTD+oOJwIb+dJBTYpZnEkIuNe4h7eHFW1PTLn
dCR2CI6UsDUzMPS6bjklqaGEFxCLZpn2c7xzyKhcvOwmhEJEm0UWIAZZNk5ip4b0
C67oezmmLbg=
=GaKj
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Red Hat Security Advisory 2023-7695-03 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2023-7694-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2023-7580-01 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2023-7545-01 - An update for postgresql is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
An update for postgresql is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2625: A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT ...
An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2625: A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or ...
Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.
Red Hat Security Advisory 2023-0160-01 - PostgreSQL is an advanced object-relational database management system.
An update for rh-postgresql10-postgresql is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2625: postgresql: Extension scripts replace objects not belonging to the extension.
An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2625: postgresql: Extension scripts replace objects not belonging to the extension.
Gentoo Linux Security Advisory 202211-4 - Multiple vulnerabilities have been found in PostgreSQL, the worst of which could result in remote code execution. Versions greater than or equal to 10.22:10 are affected.
An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2625: postgresql: Extension scripts replace objects not belonging to the extension.
Ubuntu Security Notice 5571-1 - Sven Klemm discovered that PostgreSQL incorrectly handled extensions. An attacker could possibly use this issue to execute arbitrary code when extensions are created or updated.
A vulnerability found in postgresql. On this security issue an attack requires permission to create non-temporary objects in at least one schema, ability to lure or wait for an administrator to create or update an affected extension in that schema, and ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, the attacker can run arbitrary code as the victim role, which may be a superuser. Known-affected extensions include both PostgreSQL-bundled and non-bundled extensions. PostgreSQL blocks this attack in the core server, so there's no need to modify individual extensions.
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.