RHSA-2023:4313: Red Hat Security Advisory: rh-postgresql12-postgresql security update
An update for rh-postgresql12-postgresql is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-2454: A flaw was found in PostgreSQL. Certain database calls could permit an attacker with elevated database-level privileges to execute arbitrary code.
- CVE-2023-2455: A flaw was found in PostgreSQL which could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and executed under other roles. This scenario can happen under security definer functions, or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise forbidden reads and modifications. This only affects databases that have used CREATE POLICY to define a row security policy.
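The planned-under-one-role, executed-under-another scenario that CVE-2023-2455 describes can be exercised as a regression check on a server after this update. This is an added example, not part of the advisory: the roles `alice` and `bob`, the table `docs` and the function `visible_docs()` are constructed names, and the script assumes it is run by a superuser (so SET ROLE to either role succeeds) in a scratch database.

```sql
-- Constructed fixture: two roles, one table, one row-security policy per role.
CREATE ROLE alice NOLOGIN;
CREATE ROLE bob   NOLOGIN;

CREATE TABLE docs (id int PRIMARY KEY, owner text NOT NULL, body text);
INSERT INTO docs VALUES (1, 'alice', 'visible to alice only'),
                        (2, 'bob',   'visible to bob only');
GRANT SELECT ON docs TO alice, bob;

ALTER TABLE docs ENABLE ROW LEVEL SECURITY;
CREATE POLICY alice_rows ON docs FOR SELECT TO alice USING (owner = 'alice');
CREATE POLICY bob_rows   ON docs FOR SELECT TO bob   USING (owner = 'bob');

-- A plain (not SECURITY DEFINER) SQL set-returning function. The planner may
-- inline its single SELECT into the calling query; that inlining is the code
-- path the advisory's fix title refers to.
CREATE FUNCTION visible_docs() RETURNS SETOF docs
    LANGUAGE sql STABLE
    AS $$ SELECT * FROM docs $$;
GRANT EXECUTE ON FUNCTION visible_docs() TO alice, bob;

-- Plan the query once (no parameters, so the generic plan is cached and
-- reused), then execute the same cached plan under two different roles.
PREPARE who_sees AS SELECT owner FROM visible_docs() ORDER BY id;

SET ROLE alice;
EXECUTE who_sees;   -- correct result: one row, owner = 'alice'

SET ROLE bob;
EXECUTE who_sees;   -- correct result: one row, owner = 'bob'

RESET ROLE;

-- Remove the fixture.
DEALLOCATE who_sees;
DROP FUNCTION visible_docs();
DROP TABLE docs;
DROP ROLE alice, bob;
```

Each EXECUTE should return only the row belonging to the current role; a second result that still shows alice's row means the cached plan is applying the policy of the role it was planned under, which is the incorrect-policy behaviour this update removes.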
Issued: 2023-07-27
Updated: 2023-07-27
RHSA-2023:4313 - Security Advisory
Synopsis
Moderate: rh-postgresql12-postgresql security update
Type/Severity
Security Advisory: Moderate
Description
PostgreSQL is an advanced object-relational database management system (DBMS).
Security Fix(es):
- postgresql: schema_element defeats protective search_path changes (CVE-2023-2454)
- postgresql: row security policies disregard user ID changes after inlining. (CVE-2023-2455)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
If the postgresql service is running, it will be automatically restarted after installing this update.
Affected Products
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
- Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
Fixes
- BZ - 2207568 - CVE-2023-2454 postgresql: schema_element defeats protective search_path changes
- BZ - 2207569 - CVE-2023-2455 postgresql: row security policies disregard user ID changes after inlining.
Updated source package (the same SRPM for every affected product listed above): rh-postgresql12-postgresql-12.15-1.el7.src.rpm
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.