rh-postgresql12-postgresql-12.5-1.el7

Errata ID: AXSA:2020-964:02

Release date: Wednesday, December 2, 2020 - 14:04
Subject: rh-postgresql12-postgresql-12.5-1.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: High
Description:

PostgreSQL is an advanced object-relational database management system (DBMS).

The following packages have been upgraded to a later upstream version: rh-postgresql12-postgresql (12.5).

Security Fix(es):

* postgresql: Reconnection can downgrade connection security settings (CVE-2020-25694)

* postgresql: Multiple features escape "security restricted operation" sandbox (CVE-2020-25695)

* postgresql: psql's \gset allows overwriting specially treated variables (CVE-2020-25696)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-25694
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-25695
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-25696
A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. rh-postgresql12-postgresql-12.5-1.el7.src.rpm
    Size: 27.33 MB

Asianux Server 7 for x86_64
  1. rh-postgresql12-postgresql-12.5-1.el7.x86_64.rpm
    Size: 1.46 MB
  2. rh-postgresql12-postgresql-contrib-12.5-1.el7.x86_64.rpm
    Size: 826.37 kB
  3. rh-postgresql12-postgresql-contrib-syspaths-12.5-1.el7.x86_64.rpm
    Size: 41.34 kB
  4. rh-postgresql12-postgresql-devel-12.5-1.el7.x86_64.rpm
    Size: 1.36 MB
  5. rh-postgresql12-postgresql-docs-12.5-1.el7.x86_64.rpm
    Size: 9.43 MB
  6. rh-postgresql12-postgresql-libs-12.5-1.el7.x86_64.rpm
    Size: 307.57 kB
  7. rh-postgresql12-postgresql-plperl-12.5-1.el7.x86_64.rpm
    Size: 93.66 kB
  8. rh-postgresql12-postgresql-plpython-12.5-1.el7.x86_64.rpm
    Size: 116.04 kB
  9. rh-postgresql12-postgresql-pltcl-12.5-1.el7.x86_64.rpm
    Size: 72.19 kB
  10. rh-postgresql12-postgresql-server-12.5-1.el7.x86_64.rpm
    Size: 5.39 MB
  11. rh-postgresql12-postgresql-server-syspaths-12.5-1.el7.x86_64.rpm
    Size: 43.15 kB
  12. rh-postgresql12-postgresql-static-12.5-1.el7.x86_64.rpm
    Size: 152.04 kB
  13. rh-postgresql12-postgresql-syspaths-12.5-1.el7.x86_64.rpm
    Size: 42.66 kB
  14. rh-postgresql12-postgresql-test-12.5-1.el7.x86_64.rpm
    Size: 1.90 MB