Headline
Ubuntu Security Notice USN-6104-1
Ubuntu Security Notice 6104-1 - Alexander Lakhin discovered that PostgreSQL incorrectly handled certain CREATE privileges. An authenticated user could possibly use this issue to execute arbitrary code as the bootstrap supervisor. Wolfgang Walther discovered that PostgreSQL incorrectly handled certain row security policies. An authenticated user could possibly use this issue to complete otherwise forbidden reads and modifications.
==========================================================================
Ubuntu Security Notice USN-6104-1
May 24, 2023
postgresql-10, postgresql-12, postgresql-14, postgresql-15 vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in PostgreSQL.
Software Description:
- postgresql-15: Object-relational SQL database
- postgresql-14: Object-relational SQL database
- postgresql-12: Object-relational SQL database
- postgresql-10: Object-relational SQL database
Details:
Alexander Lakhin discovered that PostgreSQL incorrectly handled certain
CREATE privileges. An authenticated user could possibly use this issue to
execute arbitrary code as the bootstrap supervisor. (CVE-2023-2454)
Wolfgang Walther discovered that PostgreSQL incorrectly handled certain row
security policies. An authenticated user could possibly use this issue to
complete otherwise forbidden reads and modifications. (CVE-2023-2455)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
postgresql-15 15.3-0ubuntu0.23.04.1
postgresql-client-15 15.3-0ubuntu0.23.04.1
Ubuntu 22.10:
postgresql-14 14.8-0ubuntu0.22.10.1
postgresql-client-14 14.8-0ubuntu0.22.10.1
Ubuntu 22.04 LTS:
postgresql-14 14.8-0ubuntu0.22.04.1
postgresql-client-14 14.8-0ubuntu0.22.04.1
Ubuntu 20.04 LTS:
postgresql-12 12.15-0ubuntu0.20.04.1
postgresql-client-12 12.15-0ubuntu0.20.04.1
Ubuntu 18.04 LTS:
postgresql-10 10.23-0ubuntu0.18.04.2
postgresql-client-10 10.23-0ubuntu0.18.04.2
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6104-1
CVE-2023-2454, CVE-2023-2455
Package Information:
https://launchpad.net/ubuntu/+source/postgresql-15/15.3-0ubuntu0.23.04.1
https://launchpad.net/ubuntu/+source/postgresql-14/14.8-0ubuntu0.22.10.1
https://launchpad.net/ubuntu/+source/postgresql-14/14.8-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/postgresql-12/12.15-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/postgresql-10/10.23-0ubuntu0.18.04.2
Related news
Red Hat Security Advisory 2023-7695-03 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2023-7694-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2023-7666-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
An issue exists in SoftIron HyperCloud where compute nodes may come online immediately without following the correct initialization process. In this instance, workloads may be scheduled on these nodes and deploy to a failed or erroneous state, which impacts the availability of these workloads that may be deployed during this time window. This issue impacts HyperCloud versions from 2.0.0 to before 2.0.3.
Red Hat Security Advisory 2023-7580-01 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2023-7545-01 - An update for postgresql is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2023-5269-01 - PostgreSQL is an advanced object-relational database management system.
Red Hat Security Advisory 2023-4539-01 - PostgreSQL is an advanced object-relational database management system.
Red Hat Security Advisory 2023-4535-01 - PostgreSQL is an advanced object-relational database management system.
Red Hat Security Advisory 2023-4527-01 - PostgreSQL is an advanced object-relational database management system.
Red Hat Security Advisory 2023-4313-01 - PostgreSQL is an advanced object-relational database management system.
An update for rh-postgresql12-postgresql is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-2454: A flaw was found in PostgreSQL. Certain database calls could permit an attacker with elevated database-level privileges to execute arbitrary code. * CVE-2023-2455: A flaw was found in PostgreSQL, which could permit incorrect policies being applied in certain cases where role-specific policies are used and a given query is plan...
Ubuntu Security Notice 6230-1 - Alexander Lakhin discovered that PostgreSQL incorrectly handled certain CREATE privileges. An authenticated user could possibly use this issue to execute arbitrary code as the bootstrap supervisor.
Red Hat Security Advisory 2023-3714-01 - PostgreSQL is an advanced object-relational database management system.
schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.
Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
Debian Linux Security Advisory 5401-1 - Two security issues were found in PostgreSQL, which may result in privilege escalation or incorrect policy enforcement.
Debian Linux Security Advisory 5401-1 - Two security issues were found in PostgreSQL, which may result in privilege escalation or incorrect policy enforcement.