Debian Security Advisory 5623-1
Debian Linux Security Advisory 5623-1 - It was discovered that a late privilege drop in the “REFRESH MATERIALIZED VIEW CONCURRENTLY” command could allow an attacker to trick a user with higher privileges to run SQL commands with these permissions.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Debian Security Advisory DSA-5623-1 [email protected]
https://www.debian.org/security/ Moritz Muehlenhoff
February 14, 2024 https://www.debian.org/security/faq
Package : postgresql-15
CVE ID : CVE-2024-0985
It was discovered that a late privilege drop in the “REFRESH MATERIALIZED
VIEW CONCURRENTLY” command could allow an attacker to trick a user with
higher privileges to run SQL commands with these permissions.
For the stable distribution (bookworm), this problem has been fixed in
version 15.6-0+deb12u1.
We recommend that you upgrade your postgresql-15 packages.
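The advisory names a single fixed version, so the practical check on a fleet is "is every installed postgresql-15 at or above 15.6-0+deb12u1?". The script below is an added example, not part of the Debian advisory or of Debian's tooling: it implements the Debian version-ordering rules (epoch, then upstream_version, then debian_revision, with '~' sorting before everything and letters before non-letters) in plain Python so the comparison can also be run on a host or inventory export where `dpkg --compare-versions` is not available. The package listing it parses is constructed sample data in the `package version` shape that `dpkg-query -W -f='${binary:Package} ${Version}\n'` prints.

```python
# Added example (not part of DSA-5623-1): check installed postgresql-15 versions
# against the fixed version named in the advisory, using the Debian version
# comparison rules so that "~rc", "+deb12uN" and epoch prefixes order correctly.
import re
from itertools import zip_longest

FIXED_VERSION = "15.6-0+deb12u1"   # fixed version from the advisory
PACKAGE = "postgresql-15"


def _order(ch: str) -> int:
    # Sort weight of one character in a non-digit run: '~' sorts before
    # everything (even end of string), end of string next, then letters,
    # then all other characters.
    if ch == "~":
        return -1
    if ch == "":
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    for x, y in zip_longest(a, b, fillvalue=""):
        ox, oy = _order(x), _order(y)
        if ox != oy:
            return -1 if ox < oy else 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    # Compare an upstream_version or debian_revision: both strings are consumed
    # as alternating non-digit and digit runs, non-digit runs compared with
    # _order and digit runs compared numerically.
    while a or b:
        na = re.match(r"\D*", a).group()
        nb = re.match(r"\D*", b).group()
        c = _cmp_nondigit(na, nb)
        if c:
            return c
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"\d*", a).group()
        db = re.match(r"\d*", b).group()
        ia, ib = (int(da) if da else 0), (int(db) if db else 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version: str):
    # Split "epoch:upstream-revision"; epoch defaults to 0, revision to "".
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching dpkg --compare-versions lt / eq / gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_fragment(ua, ub)
    if c:
        return c
    return _cmp_fragment(ra, rb)


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version already carries the DSA-5623-1 fix."""
    return compare_versions(installed, fixed) >= 0


def audit(dpkg_query_output: str) -> list:
    """Parse 'package version' lines and return (version, fixed?) for each
    postgresql-15 entry found."""
    found = []
    for line in dpkg_query_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == PACKAGE:
            found.append((parts[1], is_fixed(parts[1])))
    return found


# Constructed sample listing (not captured from a real host).
SAMPLE_OUTPUT = """\
postgresql-15 15.5-0+deb12u1
postgresql-client-15 15.5-0+deb12u1
"""

if __name__ == "__main__":
    for version, ok in audit(SAMPLE_OUTPUT):
        status = "fixed" if ok else "VULNERABLE, upgrade to " + FIXED_VERSION
        print(f"{PACKAGE} {version}: {status}")
```

On a Debian host itself, `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' postgresql-15)" ge 15.6-0+deb12u1` is the authoritative check; the Python ordering above is meant to agree with it, and the pre-release case (`15.6~rc1-1` is older than `15.6-0+deb12u1`) is the one a naive string comparison gets wrong.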
For the detailed security status of postgresql-15 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-15
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: [email protected]
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXNGWEACgkQEMKTtsN8
TjaTTA/9HOtLP5LdqTGsquzchn+w+V3WH/WqapW1lw0FZ6UbihaV5E+v1ssef7ty
Fyr+LsvD7g2gjE6YE+ABGxrYy67rnZWh79TWSK77ReXwzT8Ccz87itxrvUgkVelo
d0fRlQKWPAtlYOgKAEUcflHzATrf9XJmcr8TdCtISVHAn7kWpdv+kwWUrvp7ZAVm
Q1rBvTMZKPkP6GRvrSii51FlKaPa8JFmdu9LIPy1WR/ynipxdx3wn/R+hmZ2SHFN
18KmBd5vAmG8WyvYWGrWx2IntguW0oqC6Lo9pdqgsbC3Uve8RnGfnqP+tLwsB44Q
82C7uOX3EGDJEAonMXSrgu3jO1v9rjfHF0Gh2Ji6TNmqXwx4bxsMWC6qgqKap4mS
Y0htECp9juezF9/aaT5zKMynXOpF7U0YmWU5uNW83PZNHJvULYof3SjHvqfnAL6Z
ZxA5TYcAvm2xD/FFsjzJiLC+hDTCD/nm1R6W/em0qWL7EKhifJFUGjSo5GT8jtc/
d3dLHPEXAk/SLeXtnSvLmsHIM3T+hl7cmWl37D4tg3XvyztgGC1Blbama81bTAEO
uj0/ZE+UiMJC2ORywlJljlTlgbaHljBwc3S+H6vaPIDOstDtZLZf46o/x/A2fC97
Pe59M7w8Salwdp7HZTOIkhFz4cdyMKMb/yd/3jZN9M2jdj6KVao=
=suSm
-----END PGP SIGNATURE-----
Related news
Red Hat Security Advisory 2024-1429-03 - An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.4 Advanced Update Support.
Red Hat Security Advisory 2024-1428-03 - An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.
Red Hat Security Advisory 2024-1422-03 - An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.
Red Hat Security Advisory 2024-1348-03 - An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.
Red Hat Security Advisory 2024-1315-03 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.
Ubuntu Security Notice 6656-2 - USN-6656-1 fixed several vulnerabilities in PostgreSQL. This update provides the corresponding updates for Ubuntu 16.04 LTS. It was discovered that PostgreSQL incorrectly handled dropping privileges when handling REFRESH MATERIALIZED VIEW CONCURRENTLY commands. If a user or automatic system were tricked into running a specially crafted command, a remote attacker could possibly use this issue to execute arbitrary SQL functions.
Red Hat Security Advisory 2024-1195-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.4 Advanced Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.
Red Hat Security Advisory 2024-1071-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.
Red Hat Security Advisory 2024-1017-03 - An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.
Ubuntu Security Notice 6656-1 - It was discovered that PostgreSQL incorrectly handled dropping privileges when handling REFRESH MATERIALIZED VIEW CONCURRENTLY commands. If a user or automatic system were tricked into running a specially crafted command, a remote attacker could possibly use this issue to execute arbitrary SQL functions.
Red Hat Security Advisory 2024-0992-03 - An update for rh-postgresql10-postgresql is now available for Red Hat Software Collections.
Red Hat Security Advisory 2024-0990-03 - An update for rh-postgresql12-postgresql is now available for Red Hat Software Collections.
Red Hat Security Advisory 2024-0988-03 - An update for rh-postgresql13-postgresql is now available for Red Hat Software Collections.
Red Hat Security Advisory 2024-0975-03 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.
Red Hat Security Advisory 2024-0974-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.
Red Hat Security Advisory 2024-0973-03 - An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 8.
Red Hat Security Advisory 2024-0951-03 - An update for postgresql is now available for Red Hat Enterprise Linux 9.
Red Hat Security Advisory 2024-0950-03 - An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 9.
Debian Linux Security Advisory 5622-1 - It was discovered that a late privilege drop in the "REFRESH MATERIALIZED VIEW CONCURRENTLY" command could allow an attacker to trick a user with higher privileges to run SQL commands with these permissions.