postgresql-9.2.24-6.el7

Errata ID: AXSA:2021-1738:01

Release date: Thursday, May 6, 2021 - 13:51
Subject: postgresql-9.2.24-6.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: High
Description: 

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: Reconnection can downgrade connection security settings (CVE-2020-25694)
* postgresql: Multiple features escape "security restricted operation" sandbox (CVE-2020-25695)
* postgresql: TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution (CVE-2019-10208)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-10208
A flaw was discovered in PostgreSQL versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker with EXECUTE permission on the function can execute arbitrary SQL as the owner of the function.
CVE-2020-25694
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-25695
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. postgresql-9.2.24-6.el7.src.rpm
    MD5: 063b239d1fa1e4bbb6b09283892eb3da
    SHA-256: bd3320342425a2abdeca94753f782b4aadffeff66ec971427ad61bb8b2c3ba08
    Size: 35.98 MB

Asianux Server 7 for x86_64
  1. postgresql-9.2.24-6.el7.x86_64.rpm
    MD5: 840739b7b3befa64cb13e35ff2b01119
    SHA-256: 7b1172e919cbe50a4503f9982772fe82426d21bd3ef4168e81aeacbafccc48ef
    Size: 3.03 MB
  2. postgresql-contrib-9.2.24-6.el7.x86_64.rpm
    MD5: 591a1301a97d9af19860cfef323f0bf4
    SHA-256: d2340f754d8869b52f6c943ef6823f12e4e05b86a505b9dd43d7aa6980883980
    Size: 551.55 kB
  3. postgresql-devel-9.2.24-6.el7.x86_64.rpm
    MD5: dc4929ce52f87d7af76bb97d01fc659f
    SHA-256: 5eb2d1527075412f1d9c0bf45fcfcf5e62eb01520a70dac50f919f35dce58a22
    Size: 951.37 kB
  4. postgresql-docs-9.2.24-6.el7.x86_64.rpm
    MD5: 9a0c0e3235765c9d09c45ed4f28a9d91
    SHA-256: 7b570d23a88dedf5a3c58e389b21536781c5e965459bf541e16a69fcf2974127
    Size: 6.87 MB
  5. postgresql-libs-9.2.24-6.el7.x86_64.rpm
    MD5: 6fd01d4e45b95f2cb88581b4f5ad1485
    SHA-256: 7810c7d2e2d1cec42fe2ab89ab38a33ef59f7b84e68c7af127ba27be83233fbc
    Size: 233.60 kB
  6. postgresql-plperl-9.2.24-6.el7.x86_64.rpm
    MD5: 1b6e050b8d6543a263ea7ff6d82612ab
    SHA-256: 8c780ca92ea7a193bc3941708e744e8e9fc8870ebd137bd5eca4f8892e08ef9a
    Size: 82.81 kB
  7. postgresql-plpython-9.2.24-6.el7.x86_64.rpm
    MD5: 3792e023b2ba7184715b5113422e4389
    SHA-256: 4cff0909aec1991b10674af6bd1e025524b634c7ae9b4b2e6fd11bf01cde7295
    Size: 95.73 kB
  8. postgresql-pltcl-9.2.24-6.el7.x86_64.rpm
    MD5: 5c141c94e36d0fc46c7fd021b83fcc1a
    SHA-256: 16b14e149d109ca456528c7cdac7b707507d30a64f6b5e6456abdbae81d1cfd6
    Size: 59.03 kB
  9. postgresql-server-9.2.24-6.el7.x86_64.rpm
    MD5: 9aa86520c1a6cf4014c57204cda2525e
    SHA-256: 104a8181a9f5922fb3b05f7c607a01dbcb2105b2e2f5b64bec3b90cd915ddd1a
    Size: 3.82 MB
  10. postgresql-test-9.2.24-6.el7.x86_64.rpm
    MD5: 3ccabe804f5afa82d57c6aa4ff00b2e9
    SHA-256: 8fe11799a3494c0831ef5b40e3e7d912bb98b6ce54d021cd2d265a73818229ec
    Size: 1.76 MB
  11. postgresql-9.2.24-6.el7.i686.rpm
    MD5: bc3b2ce928b837642feb1a25a1ceb001
    SHA-256: 78b36d3f77f428dcdb40e664d53132a75f2cddaa969bcb7cbac8fe64b5fe4950
    Size: 3.02 MB
  12. postgresql-devel-9.2.24-6.el7.i686.rpm
    MD5: 6a70b0b562685e5218c6a5f2e44d8ae1
    SHA-256: ef49d41e4c5c256e0a5aa39f06b19b5a72a9482ab7b8784d64a5050a1f0efbaf
    Size: 945.64 kB
  13. postgresql-libs-9.2.24-6.el7.i686.rpm
    MD5: 4712fed4c99200779ca1be3c1b63a675
    SHA-256: dca23918756e9e9125d0875c9372da3dd43b107c04a78e038b1ea441573f08d4
    Size: 233.79 kB