==========================================================================
Ubuntu Security Notice USN-6656-2
March 12, 2024
postgresql-9.5 vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
Summary:
PostgreSQL could be made to run arbitrary SQL.
Software Description:
- postgresql-9.5: Object-relational SQL database
Details:
USN-6656-1 fixed several vulnerabilities in PostgreSQL. This update provides
the corresponding updates for Ubuntu 16.04 LTS.
Original advisory details:
It was discovered that PostgreSQL incorrectly handled dropping privileges
when handling REFRESH MATERIALIZED VIEW CONCURRENTLY commands. If a user or
automatic system were tricked into running a specially crafted command, a
remote attacker could possibly use this issue to execute arbitrary SQL
functions.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
postgresql-9.5 9.5.25-0ubuntu0.16.04.1+esm7
postgresql-client-9.5 9.5.25-0ubuntu0.16.04.1+esm7
After a standard system update you need to restart PostgreSQL to make all
the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6656-2
https://ubuntu.com/security/notices/USN-6656-1
CVE-2024-0985