RHSA-2023:4313: Red Hat Security Advisory: rh-postgresql12-postgresql security update

An update for rh-postgresql12-postgresql is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-2454: A flaw was found in PostgreSQL. Certain database calls could permit an attacker with elevated database-level privileges to execute arbitrary code.
  • CVE-2023-2455: A flaw was found in PostgreSQL, which could permit incorrect policies being applied in certain cases where role-specific policies are used and a given query is planned under one role and executed under other roles. This scenario can happen under security definer functions, or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise forbidden reads and modifications. This only affects databases that have used CREATE POLICY to define a row security policy.
Red Hat Security Data

Issued:

2023-07-27

Updated:

2023-07-27

RHSA-2023:4313 - Security Advisory

Synopsis

Moderate: rh-postgresql12-postgresql security update

Type/Severity

Security Advisory: Moderate

Topic

An update for rh-postgresql12-postgresql is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

  • postgresql: schema_element defeats protective search_path changes (CVE-2023-2454)
  • postgresql: row security policies disregard user ID changes after inlining. (CVE-2023-2455)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
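A catalog-only triage script for the two fixes above, added here as an example and not part of the advisory: it checks whether the server is below the fixed 12.15 release and, for CVE-2023-2455, whether this database has ever used CREATE POLICY (the advisory states only such databases are affected) and whether SECURITY DEFINER functions exist, since those are one of the execution paths it names. It assumes the standard PostgreSQL 12 system catalogs and that server_version_num 120015 corresponds to 12.15 (major * 10000 + minor).

```sql
-- Added triage example (not from the advisory). Run once per database on an
-- rh-postgresql12 server; every statement only reads system catalogs.

-- 1. Is the server below the fixed release? 12.15 is server_version_num
--    120015. Both CVEs in this advisory are fixed by the same update.
SELECT current_setting('server_version')                   AS server_version,
       current_setting('server_version_num')::int < 120015 AS needs_update;

-- 2. CVE-2023-2455 applies only where CREATE POLICY has been used.
--    An empty result means this database is not exposed to it.
SELECT schemaname, tablename, policyname, permissive, roles, cmd
FROM   pg_policies
ORDER  BY schemaname, tablename, policyname;

-- 3. Tables with row security enabled, including ones forced on the owner.
SELECT n.nspname            AS schema_name,
       c.relname            AS table_name,
       c.relrowsecurity     AS rls_enabled,
       c.relforcerowsecurity AS rls_forced
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  c.relrowsecurity
ORDER  BY 1, 2;

-- 4. SECURITY DEFINER functions outside the system schemas: the advisory
--    names them as a path where a plan built under one role runs as another.
SELECT n.nspname                  AS schema_name,
       p.proname                  AS function_name,
       pg_get_userbyid(p.proowner) AS owner
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.prosecdef
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER  BY 1, 2;
```

A database that returns needs_update = true together with rows from query 2 should be prioritised for the update; query 4 narrows down where the role switch described for CVE-2023-2455 can actually occur.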

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted after installing this update.

Affected Products

  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
  • Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64

Fixes

  • BZ - 2207568 - CVE-2023-2454 postgresql: schema_element defeats protective search_path changes
  • BZ - 2207569 - CVE-2023-2455 postgresql: row security policies disregard user ID changes after inlining.

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7

SRPM

rh-postgresql12-postgresql-12.15-1.el7.src.rpm

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Red Hat Security Advisory 2023-7695-03

Red Hat Security Advisory 2023-7695-03 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

Red Hat Security Advisory 2023-7694-03

Red Hat Security Advisory 2023-7694-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

Red Hat Security Advisory 2023-7667-03

Red Hat Security Advisory 2023-7667-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

Red Hat Security Advisory 2023-7666-03

Red Hat Security Advisory 2023-7666-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

Red Hat Security Advisory 2023-7580-01

Red Hat Security Advisory 2023-7580-01 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

Red Hat Security Advisory 2023-7545-01

Red Hat Security Advisory 2023-7545-01 - An update for postgresql is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

Red Hat Security Advisory 2023-5269-01

Red Hat Security Advisory 2023-5269-01 - PostgreSQL is an advanced object-relational database management system.

Red Hat Security Advisory 2023-4539-01

Red Hat Security Advisory 2023-4539-01 - PostgreSQL is an advanced object-relational database management system.

Red Hat Security Advisory 2023-4535-01

Red Hat Security Advisory 2023-4535-01 - PostgreSQL is an advanced object-relational database management system.

Red Hat Security Advisory 2023-4527-01

Red Hat Security Advisory 2023-4527-01 - PostgreSQL is an advanced object-relational database management system.

Red Hat Security Advisory 2023-4313-01

Red Hat Security Advisory 2023-4313-01 - PostgreSQL is an advanced object-relational database management system.

Ubuntu Security Notice USN-6230-1

Ubuntu Security Notice 6230-1 - Alexander Lakhin discovered that PostgreSQL incorrectly handled certain CREATE privileges. An authenticated user could possibly use this issue to execute arbitrary code as the bootstrap supervisor.

Red Hat Security Advisory 2023-3714-01

Red Hat Security Advisory 2023-3714-01 - PostgreSQL is an advanced object-relational database management system.

CVE-2023-2455: cve-details

Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.

CVE-2023-2454: cve-details

schema_element defeats protective search_path changes: certain database calls in PostgreSQL could permit an authenticated attacker with elevated database-level privileges to execute arbitrary code.

Ubuntu Security Notice USN-6104-1

Ubuntu Security Notice 6104-1 - Alexander Lakhin discovered that PostgreSQL incorrectly handled certain CREATE privileges. An authenticated user could possibly use this issue to execute arbitrary code as the bootstrap supervisor. Wolfgang Walther discovered that PostgreSQL incorrectly handled certain row security policies. An authenticated user could possibly use this issue to complete otherwise forbidden reads and modifications.

Debian Security Advisory 5401-1

Debian Linux Security Advisory 5401-1 - Two security issues were found in PostgreSQL, which may result in privilege escalation or incorrect policy enforcement.
