postgresql:12 security update

エラータID: AXSA:2021-2347:01

Release date: 
Thursday, August 12, 2021 - 07:11
Subject: 
postgresql:12 security update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

PostgreSQL is an advanced object-relational database management system (DBMS).

The following packages have been upgraded to a later upstream version: postgresql (12.7)

Security Fix(es):

* postgresql: Buffer overrun from integer overflow in array subscripting calculations (CVE-2021-32027)
* postgresql: Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE (CVE-2021-32028)
* postgresql: Memory disclosure in partitioned-table UPDATE ... RETURNING (CVE-2021-32029)
* postgresql: Partition constraint violation errors leak values of denied columns (CVE-2021-3393)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2021-32027
A flaw was found in postgresql in versions before 13.3, before 12.7, before 11.12, before 10.17 and before 9.6.22. While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2021-32028
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2021-32029
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2021-3393
An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read.

Modularity name: postgresql
Stream name: 12

Solution: 

Update packages.

CVEs: 
CVE-2021-32027
A flaw was found in postgresql in versions before 13.3, before 12.7, before 11.12, before 10.17 and before 9.6.22. While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2021-32028
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2021-32029
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2021-3393
An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read.
Additional Info: 

N/A

Download: 

SRPMS
  1. pgaudit-1.4.0-6.module+el8+1283+087117f2.src.rpm
    MD5: 083d788fe9e5c400d62f63a8483a815e
    SHA-256: 8182fa6ab80a8e93ce6fbfdaf8c1c6afad669a82444448693e9204ad2803df57
    Size: 42.19 kB
  2. postgres-decoderbufs-0.10.0-2.module+el8+1283+087117f2.src.rpm
    MD5: eba949112bf68faabd5eb342a14b2080
    SHA-256: 67e26c625e127683adb01a1bff7e23f812f373da8b90d185ef239b16fa9b4c7a
    Size: 21.15 kB
  3. postgresql-12.7-1.module+el8+1283+087117f2.src.rpm
    MD5: 74adbcae4b86613e037437aaed69e20a
    SHA-256: 1944c63be59e406c56378e1e82cc7aa9d5344a6e39fc3aa641649f4942aa6102
    Size: 45.65 MB

Asianux Server 8 for x86_64
  1. pgaudit-1.4.0-6.module+el8+1283+087117f2.x86_64.rpm
    MD5: 1fc79b646256c7a84e7053df4d59bde2
    SHA-256: 2104d5f8902b9a5812c6cf9dfe1be60efde945bcd22bb2c0b83a60c86971bf6e
    Size: 26.94 kB
  2. pgaudit-debugsource-1.4.0-6.module+el8+1283+087117f2.x86_64.rpm
    MD5: 7c81a66a986137ba7d31261357b5cb54
    SHA-256: b6d8582f0ffad265df7fdce924fb19ec24ff711dc8b1c26bbb2e178fe542a8e4
    Size: 22.88 kB
  3. postgres-decoderbufs-0.10.0-2.module+el8+1283+087117f2.x86_64.rpm
    MD5: 40d4dcd94fa760905128316873f9da3a
    SHA-256: 58745787d6c3599a950fd4a12517b5c38e1a4a1413cc0f729b69d1bc53af9355
    Size: 21.83 kB
  4. postgres-decoderbufs-debugsource-0.10.0-2.module+el8+1283+087117f2.x86_64.rpm
    MD5: 107a9384cb457a824d80d384bf396856
    SHA-256: 3034a2675863220c0de80875a5206d49c475462cce2e5460fb36137f45ec7e6c
    Size: 16.82 kB
  5. postgresql-12.7-1.module+el8+1283+087117f2.x86_64.rpm
    MD5: be7ccf9a235005cc39738cef29e593cd
    SHA-256: 727754dd2442d10bf9aecd92884bf3b25546a4a400a3cc44d233b9fbbed4d269
    Size: 1.49 MB
  6. postgresql-contrib-12.7-1.module+el8+1283+087117f2.x86_64.rpm
    MD5: 4fd8d04e7384e6e9e20c1fe356be998c
    SHA-256: e0cfc84d8718f1cf198adeaf6a68bf7b7da432b1f95e1147031e5d76221cb1a0
    Size: 866.88 kB
  7. postgresql-debugsource-12.7-1.module+el8+1283+087117f2.x86_64.rpm
    MD5: 5285f8dc99ab93f90b935d3e7ce8bf87
    SHA-256: c66369de5eac60a0ed800b1c8510e0dd1ccdfce67ef85b047aa66d701c91593c
    Size: 16.71 MB
  8. postgresql-docs-12.7-1.module+el8+1283+087117f2.x86_64.rpm
    MD5: e674449eb8bd58e99ce5be528efe882c
    SHA-256: 2288fb0142e9f2aa3fdd6621dc63803cee7643aa52b265edebd8d463ec103214
    Size: 9.50 MB
  9. postgresql-plperl-12.7-1.module+el8+1283+087117f2.x86_64.rpm
    MD5: b6b6774547bc0942337bdf8cc55fe7d4
    SHA-256: c520b0721ef35b348cd32dfd52b11de192e0d5d86a7dfa3b53d6906abf103dcd
    Size: 108.46 kB
  10. postgresql-plpython3-12.7-1.module+el8+1283+087117f2.x86_64.rpm
    MD5: 1ee80c3374f8e34d3f657916c8e073fc
    SHA-256: 1717fdf110438960cc30f8628656a7ef796bae73799e0c4037970b5617e15548
    Size: 127.67 kB
  11. postgresql-pltcl-12.7-1.module+el8+1283+087117f2.x86_64.rpm
    MD5: 1128fe5b21db683cf85cfc233d7aa407
    SHA-256: ce95e41d2b049ef8d371a7fb28f7e979974597a9d0c190323ceca1f273c2b6a4
    Size: 83.72 kB
  12. postgresql-server-12.7-1.module+el8+1283+087117f2.x86_64.rpm
    MD5: a81f35773fc3d68e5c2fbe49a2a9307a
    SHA-256: 7bf3200a244d5a61c75fd2ae93eb72e3a74281e704803058be396dd605a9ddaa
    Size: 5.57 MB
  13. postgresql-server-devel-12.7-1.module+el8+1283+087117f2.x86_64.rpm
    MD5: 8fb83c9db3615175393085a7b2f2cf4e
    SHA-256: 2602d5fac43046ce05d7973dcf366407c615ec325ff4043cf092ab9b8c14f60f
    Size: 1.15 MB
  14. postgresql-static-12.7-1.module+el8+1283+087117f2.x86_64.rpm
    MD5: 5436d541e8402ed3fbf57dff635101d8
    SHA-256: cb7bbf55ea4b2ffda2b8249b566d9fb40a12fbda5f639bad0a5b964e672a1486
    Size: 165.94 kB
  15. postgresql-test-12.7-1.module+el8+1283+087117f2.x86_64.rpm
    MD5: 43fc9b0a87614b651303caec0ff71b14
    SHA-256: 64851976a99b387cf6ee51bffea505fcdf2805f091994e1e5f8c0acac4282127
    Size: 1.91 MB
  16. postgresql-test-rpm-macros-12.7-1.module+el8+1283+087117f2.noarch.rpm
    MD5: 85c46b86369307192cb258bf865afb8a
    SHA-256: 999155764c5e468a6c0258bc4b1b1e30bb3c9541abf7705cd730867845fb1a77
    Size: 51.69 kB
  17. postgresql-upgrade-12.7-1.module+el8+1283+087117f2.x86_64.rpm
    MD5: f9614bc9bcd2822fb01c66671be85ae2
    SHA-256: 480fbc792ea52291a53ea3ac2d301c7e25f9daf877846bffcc180b355cdb3376
    Size: 4.08 MB
  18. postgresql-upgrade-devel-12.7-1.module+el8+1283+087117f2.x86_64.rpm
    MD5: 7b8a922cab001722aa872f5ee619b747
    SHA-256: a5c372c5c299e09a49fceb7122b087a7bd487bb018bea55171215a75bba01fc6
    Size: 1.06 MB