postgresql:10 security update

Errata ID: AXSA:2021-1514:01

Release date: Saturday, February 20, 2021 - 07:28
Subject: postgresql:10 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description:

PostgreSQL is an advanced object-relational database management system (DBMS).

The following packages have been upgraded to a later upstream version:
postgresql (10.15).

Security Fix(es):

* postgresql: Reconnection can downgrade connection security settings
(CVE-2020-25694)

* postgresql: Multiple features escape "security restricted operation" sandbox
(CVE-2020-25695)

* postgresql: psql's \gset allows overwriting specially treated variables
(CVE-2020-25696)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2020-25694
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10,
before 10.15, before 9.6.20 and before 9.5.24. If a client application that
creates additional database connections only reuses the basic connection
parameters while dropping security-relevant parameters, an opportunity for a
man-in-the-middle attack, or the ability to observe clear-text transmissions,
could exist. The highest threat from this vulnerability is to data
confidentiality and integrity as well as system availability.

CVE-2020-25695
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10,
before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to
create non-temporary objects in at least one schema can execute arbitrary SQL
functions under the identity of a superuser. The highest threat from this
vulnerability is to data confidentiality and integrity as well as system
availability.

CVE-2020-25696
A flaw was found in the psql interactive terminal of PostgreSQL in versions
before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before
9.5.24. If an interactive psql session uses \gset when querying a compromised
server, the attacker can execute arbitrary code as the operating system account
running psql. The highest threat from this vulnerability is to data
confidentiality and integrity as well as system availability.
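
The three CVE descriptions above share one set of fixed releases per branch. The following is an added example, not part of the original advisory: it classifies a version string (from `psql --version`, `SELECT version()` or a package file name) against those thresholds. The function names and the sample strings are assumptions constructed for illustration.

```python
import re

# First fixed release per branch, as stated in the CVE descriptions above.
FIXED = {
    (13,): (13, 1),
    (12,): (12, 5),
    (11,): (11, 10),
    (10,): (10, 15),
    (9, 6): (9, 6, 20),
    (9, 5): (9, 5, 24),
}

def parse_version(text):
    """Return the first dotted version number in text as a tuple of ints."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(part) for part in m.group(0).split("."))

def branch_of(version):
    # Before 10 a branch is named by two components (9.6);
    # from 10 onward by the first component only.
    return version[:2] if version[0] < 10 else version[:1]

def status(text):
    """Classify a version string as 'affected', 'fixed' or 'unknown-branch'."""
    version = parse_version(text)
    fixed = FIXED.get(branch_of(version))
    if fixed is None:
        # Branch not named in the advisory: make no claim either way.
        return "unknown-branch"
    # Integer tuples compare numerically, so 10.4 sorts before 10.15
    # (a plain string comparison would get this wrong).
    return "affected" if version < fixed else "fixed"

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    samples = [
        "psql (PostgreSQL) 10.14",
        "PostgreSQL 9.6.19 on x86_64-pc-linux-gnu",
        "postgresql-10.15-1.module+el8+1189+94dda58b.x86_64.rpm",
        "PostgreSQL 9.4.26",
    ]
    for s in samples:
        print("%-60s %s" % (s, status(s)))
```

Run the check against client hosts as well as servers, since CVE-2020-25696 is in the psql terminal itself.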

Modularity name: postgresql
Stream name: 10

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. postgresql-10.15-1.module+el8+1189+94dda58b.src.rpm
    MD5: 3d1a5256f3b9e9e7a0081bf268ad620f
    SHA-256: 0c84c258dfae18074eed099d0b94635e1f6d39a6b38943b4e4967bf28a5cee08
    Size: 40.89 MB

Asianux Server 8 for x86_64
  1. postgresql-10.15-1.module+el8+1189+94dda58b.x86_64.rpm
    MD5: 4aca3c4baa9e67f0c57d0512064f47e8
    SHA-256: ce72d5e1ed3a83765fbf711a08838c75b36315dc4dcf107f9d69b4284586755b
    Size: 1.49 MB
  2. postgresql-contrib-10.15-1.module+el8+1189+94dda58b.x86_64.rpm
    MD5: 1370879ae5c82a950a4e95bd425f5555
    SHA-256: 08b0ab02dd0fa24887a933192d99abe6f689958c73ec020899c90d6fc969c12c
    Size: 803.68 kB
  3. postgresql-debugsource-10.15-1.module+el8+1189+94dda58b.x86_64.rpm
    MD5: ebd6642120f27c4966c19ec2f4f84ba1
    SHA-256: bf375a5247bf096f86bddc0218ca27f74bc1a08c8589139562568f755a2527c1
    Size: 14.52 MB
  4. postgresql-docs-10.15-1.module+el8+1189+94dda58b.x86_64.rpm
    MD5: 859c109a3e93c84f9cac443aa4782a36
    SHA-256: ca4c11d5d73b0aeac2a487ac3204014e255a6173932152392b147359aef10c22
    Size: 9.01 MB
  5. postgresql-plperl-10.15-1.module+el8+1189+94dda58b.x86_64.rpm
    MD5: d31cc87ac9167dc1b6532b6b8a03e2c3
    SHA-256: f7c3c3b02f939285ba6388a2e0ed92c38e867ca5014034de1bfd179c7f8ecd49
    Size: 100.35 kB
  6. postgresql-plpython3-10.15-1.module+el8+1189+94dda58b.x86_64.rpm
    MD5: 6c7b2a9a422ea3244b958adbf9a9ceb9
    SHA-256: b001470f0cc36892b1ecb17e27605cd7c4daa13727a987556727a29fb2a0a9e2
    Size: 120.22 kB
  7. postgresql-pltcl-10.15-1.module+el8+1189+94dda58b.x86_64.rpm
    MD5: e5df85c5d1edf1c19e4a36d3c46de743
    SHA-256: fc8073c43dfd60384850ce017f402454eb197bba7a5ee00e7e4224632ace2fae
    Size: 76.59 kB
  8. postgresql-server-10.15-1.module+el8+1189+94dda58b.x86_64.rpm
    MD5: 1251047f43261851f4c2ec9f82b2e0b8
    SHA-256: 2455852d1c9f640213476eb80f8248cd694951524ffd3159fe1f05faf37dd482
    Size: 5.04 MB
  9. postgresql-server-devel-10.15-1.module+el8+1189+94dda58b.x86_64.rpm
    MD5: a1b2b1ae25f98f0b789249b3de91d172
    SHA-256: 95ab6c26055488f5d102cd67e172a4f3ac9ce10019d7e09b872bf6538f5e3a0e
    Size: 1.09 MB
  10. postgresql-static-10.15-1.module+el8+1189+94dda58b.x86_64.rpm
    MD5: 613555c2b6f9bf0166321859adb206b6
    SHA-256: 402f7f5f992c5e4c01cb7366609ae1433ec906c8ca6f3d792e96fd710e02c77f
    Size: 123.87 kB
  11. postgresql-test-10.15-1.module+el8+1189+94dda58b.x86_64.rpm
    MD5: d25b792668ef25a14a723c4e5d05dccb
    SHA-256: 011c2ef1a60cee2de0a424157d36aa50ca19237bd82b4960b848452a763b8dc4
    Size: 1.66 MB
  12. postgresql-test-rpm-macros-10.15-1.module+el8+1189+94dda58b.x86_64.rpm
    MD5: 53c99b78998228c3c02d3cb303559a96
    SHA-256: 7caa9c83b63480f7a0113284c88d245c50bfc02bea4f21006c7120f65e177574
    Size: 47.78 kB
  13. postgresql-upgrade-10.15-1.module+el8+1189+94dda58b.x86_64.rpm
    MD5: 489326878f6a93214a49c29668f69ca7
    SHA-256: 8667c9353c4b757d32ced1158c4283fea15f88531ba79d3fb719c1d44aff7f8e
    Size: 3.36 MB
  14. postgresql-upgrade-devel-10.15-1.module+el8+1189+94dda58b.x86_64.rpm
    MD5: 5a3b68f7aa51dca6c02302b82611b31c
    SHA-256: 729aed4f430c4aeaef4ee1565a9f56a0241b1a96e19d1883964b890f7252fc67
    Size: 759.17 kB