rh-postgresql12-postgresql-12.4-1.0.1.el7.AXS7

Errata ID: AXSA:2020-947:01

Release date: 
Tuesday, November 24, 2020 - 13:43
Subject: 
rh-postgresql12-postgresql-12.4-1.0.1.el7.AXS7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

PostgreSQL is an advanced object-relational database management system (DBMS).

The following packages have been upgraded to a later upstream version: rh-postgresql12-postgresql (12.4).

Security Fix(es):

* postgresql: Uncontrolled search path element in logical replication (CVE-2020-14349)

* postgresql: Uncontrolled search path element in CREATE EXTENSION (CVE-2020-14350)

* postgresql: ALTER ... DEPENDS ON EXTENSION is missing authorization checks (CVE-2020-1720)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-14349
It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL commands in the context of the user used for replication.
CVE-2020-14350
It was found that some PostgreSQL extensions did not use search_path safely in their installation scripts. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script during the installation or update of such an extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.
CVE-2020-1720
A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to drop objects such as functions, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. rh-postgresql12-postgresql-12.4-1.0.1.el7.AXS7.src.rpm
    MD5: 8cb87a66e440c248df688a8f875d7b32
    SHA-256: 4849833761655c695a5aaf74159d155fd4f803ccd208bff360a4f9be38242314
    Size: 27.25 MB

Asianux Server 7 for x86_64
  1. rh-postgresql12-postgresql-12.4-1.0.1.el7.AXS7.x86_64.rpm
    MD5: 7e420af67dce1a6f8fd2d04396cdedc4
    SHA-256: b141595458e24b4255e474a8bdea0fced3f281c2a8729fb2d03fc2910714e20a
    Size: 1.45 MB
  2. rh-postgresql12-postgresql-contrib-12.4-1.0.1.el7.AXS7.x86_64.rpm
    MD5: c0ea4ce216fdd87a283ab0f2af15c25c
    SHA-256: 78572d156adec786371f668af4ab8463760106d73c919cc2c634d9905f14f485
    Size: 826.22 kB
  3. rh-postgresql12-postgresql-contrib-syspaths-12.4-1.0.1.el7.AXS7.x86_64.rpm
    MD5: 395094ab94c5b0a1034391c241caa9d0
    SHA-256: cdcab6fa1cec760fc3d9796143629f137c0980e81f51cba3f1aa79fc5639e73e
    Size: 41.33 kB
  4. rh-postgresql12-postgresql-devel-12.4-1.0.1.el7.AXS7.x86_64.rpm
    MD5: 575ff40d39dd6aee1b11e6df08e3fcbc
    SHA-256: a8ab3f6132bf28a40fa0015a1fbaa7bab8a74b5455603754a07fbec140f4e1fe
    Size: 1.36 MB
  5. rh-postgresql12-postgresql-docs-12.4-1.0.1.el7.AXS7.x86_64.rpm
    MD5: 0ac61aa376d311e8680d17e83ca7f5ae
    SHA-256: 86835657775e5229287933556f675c3a279af37c3e2114cc7fd9526cbfb10c01
    Size: 9.39 MB
  6. rh-postgresql12-postgresql-libs-12.4-1.0.1.el7.AXS7.x86_64.rpm
    MD5: c10b5b3456a6dab1a8bccd78c478ac99
    SHA-256: 2fd6527a2c3d743af25617c941f3fd3f1f7472110a3ac93942e507af25106d0b
    Size: 307.40 kB
  7. rh-postgresql12-postgresql-plperl-12.4-1.0.1.el7.AXS7.x86_64.rpm
    MD5: 98f7843780331d1285434796de90b662
    SHA-256: 541a6e3512cb7e78aab6c347def3512fb0623648a21f91df51002572586d32b5
    Size: 93.64 kB
  8. rh-postgresql12-postgresql-plpython-12.4-1.0.1.el7.AXS7.x86_64.rpm
    MD5: 5afe5833e057a870c7a564235bf1aee8
    SHA-256: 974f486042f1475bf15a257c97d356d32349b5e733f126c5ae1dbc8a751bfec6
    Size: 116.02 kB
  9. rh-postgresql12-postgresql-pltcl-12.4-1.0.1.el7.AXS7.x86_64.rpm
    MD5: 22a5040c999e0e5c5c70ac98ac838dc0
    SHA-256: 8553050d4e1fb0db927d3e23c3dffe7407982a11011b0d2b198184f9f416c6a5
    Size: 72.19 kB
  10. rh-postgresql12-postgresql-server-12.4-1.0.1.el7.AXS7.x86_64.rpm
    MD5: 5a9f1cf62b3fcbeb5bf85a1a998c0d42
    SHA-256: 1d447281d8038c577d90193061d823ee5979b585905dc7fb031b84ae8ac68a5d
    Size: 5.40 MB
  11. rh-postgresql12-postgresql-server-syspaths-12.4-1.0.1.el7.AXS7.x86_64.rpm
    MD5: f229a48e7e853ebb4eb062688dc93ee9
    SHA-256: 2bb564ef779015959803175dc65529b2996bc1b6b2a2ac7c4a268ce713600b82
    Size: 43.14 kB
  12. rh-postgresql12-postgresql-static-12.4-1.0.1.el7.AXS7.x86_64.rpm
    MD5: c343efb5e6d21c7cc4ac052e1c73fb54
    SHA-256: 28ad746d9423c1bb276da510c790392f3108cec3c237cf4b6fa6ddc0b7d2d1db
    Size: 152.12 kB
  13. rh-postgresql12-postgresql-syspaths-12.4-1.0.1.el7.AXS7.x86_64.rpm
    MD5: 08e62baaec9e23a4a6023cc6b3f37d50
    SHA-256: d607c648c070ae8f51d94f2adc8a31a590908eb56de2239dff87205c9f1cc575
    Size: 42.64 kB
  14. rh-postgresql12-postgresql-test-12.4-1.0.1.el7.AXS7.x86_64.rpm
    MD5: cb29c6b6d07da51f28a30ea076ba873d
    SHA-256: b9c219ce36760b58ade3eee0ec6ef79b12ff96ab22ad04fd9c37950b6d591afb
    Size: 1.89 MB