postgresql:13 security update

エラータID: AXSA:2023-5263:01

Release date: 
Wednesday, April 5, 2023 - 07:36
Subject: 
postgresql:13 security update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: Extension scripts replace objects not belonging to the extension. (CVE-2022-2625)
* postgresql: Client memory disclosure when connecting with Kerberos to modified server (CVE-2022-41862)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-2625
A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.
CVE-2022-41862
In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.

Modularity name: postgresql
Stream name: 13

Solution: 

Update packages.

CVEs: 
CVE-2022-2625
A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.
CVE-2022-41862
In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.
Additional Info: 

N/A

Download: 

SRPMS
  1. pgaudit-1.5.0-1.module+el8+1594+625b4340.src.rpm
    MD5: 123a34f9d01f2e845952812ba18ed183
    SHA-256: e8280e35ffb1111e3fca9507e945de733185b3066f5c0d7e57d6b077e5d3befc
    Size: 42.60 kB
  2. pg_repack-1.4.6-3.module+el8+1594+625b4340.src.rpm
    MD5: f8c9319d65195b4c4fc2275fee733872
    SHA-256: 14aedf1aadad00d3766c214345f34b30c5b4ccefeee5dae9cb440caa0fa4d6e8
    Size: 100.99 kB
  3. postgres-decoderbufs-0.10.0-2.module+el8+1594+625b4340.src.rpm
    MD5: b4a3ad312095578c60eca86841070e06
    SHA-256: 13ab40637fb527996489f8fbee1052f10149872980b465e0267a1a3961199839
    Size: 21.13 kB
  4. postgresql-13.10-1.module+el8+1594+625b4340.ML.1.src.rpm
    MD5: 6e44a09ab1259450ebf17673f1686332
    SHA-256: fc37afb8b642007793d8258aee964ca91c4505d268b339eea153f6d9dfb6c2c2
    Size: 48.11 MB

Asianux Server 8 for x86_64
  1. pgaudit-1.5.0-1.module+el8+1594+625b4340.x86_64.rpm
    MD5: d63a0ff20e63ed4571ed0a77ec703d4b
    SHA-256: 2b9db090b2d53f0203e0553b9ca48617d474888326f243cd5c1b527096f7b74b
    Size: 27.03 kB
  2. pgaudit-debugsource-1.5.0-1.module+el8+1594+625b4340.x86_64.rpm
    MD5: f14ca649465f4c14ebf7352be791942c
    SHA-256: 35354ca39b10b8d96e7c76b396c66bc4bd9508ba3e5ee0ef6d326cfb854d61d8
    Size: 22.80 kB
  3. pg_repack-1.4.6-3.module+el8+1594+625b4340.x86_64.rpm
    MD5: 0e84486431285e93d45c3f28ff5b8191
    SHA-256: a76a258bb3bbc89c1becf54534442ef5e920914061abaa1005b2a8425b389f1b
    Size: 89.57 kB
  4. pg_repack-debugsource-1.4.6-3.module+el8+1594+625b4340.x86_64.rpm
    MD5: e9e089f563a13333da1fc7f1872e3f97
    SHA-256: cf4470ef08e657552964a8b50918003f60aba3d6d44fb735f826f46dbc426ef8
    Size: 49.69 kB
  5. postgres-decoderbufs-0.10.0-2.module+el8+1594+625b4340.x86_64.rpm
    MD5: b2ca9de172c496138a87d451e43ead5b
    SHA-256: b4cd80c559914e2c1e5cef09f54eaeca5c8980efe93b3eb0c54c6954ef8a4db7
    Size: 21.90 kB
  6. postgres-decoderbufs-debugsource-0.10.0-2.module+el8+1594+625b4340.x86_64.rpm
    MD5: 59a4aa066c372f895b51014923c2129f
    SHA-256: ccc3e490e78694d9a1080aa35cd68fa9261ae459e5b86b8dea5974c6ea87348a
    Size: 16.81 kB
  7. postgresql-13.10-1.module+el8+1594+625b4340.ML.1.x86_64.rpm
    MD5: e3230c979d537fa908fbc43bf96244e9
    SHA-256: 7db829a692a455bf60437982bb614c56d29ba648473eec3e68ad3e1d911485a3
    Size: 1.53 MB
  8. postgresql-contrib-13.10-1.module+el8+1594+625b4340.ML.1.x86_64.rpm
    MD5: a9f0125525efbaa65bc085c97409da43
    SHA-256: 4eab3da152c43115fe3f5259646fa224319a8447fbd5d8fbd5bae145221aadb2
    Size: 879.46 kB
  9. postgresql-debugsource-13.10-1.module+el8+1594+625b4340.ML.1.x86_64.rpm
    MD5: 694aa59fd61af6cde0545b980f8488fc
    SHA-256: 636b1ed8e86f80d1e5a8e388e19197c74e583e8be5ec155552e69b3b86492378
    Size: 17.66 MB
  10. postgresql-docs-13.10-1.module+el8+1594+625b4340.ML.1.x86_64.rpm
    MD5: 267d06c7a36f789be15d11b3569c237d
    SHA-256: a59cc3ae49e605c972de1f4d575bba4e949e79db8695a66383ff69836a7577a6
    Size: 9.74 MB
  11. postgresql-plperl-13.10-1.module+el8+1594+625b4340.ML.1.x86_64.rpm
    MD5: 748eb28cbd3437cd72da3115d09eef93
    SHA-256: 9aeeb1f741c5d4b48327368dd959b6214ac062649f0aa7dcdc1d17683b3d4a09
    Size: 112.02 kB
  12. postgresql-plpython3-13.10-1.module+el8+1594+625b4340.ML.1.x86_64.rpm
    MD5: 57f84554e8915c2415d5dc3dedc07741
    SHA-256: 06450c32cf2fd309fef9e787a34744eb306f60b0a6134df125eeb580a03265eb
    Size: 128.16 kB
  13. postgresql-pltcl-13.10-1.module+el8+1594+625b4340.ML.1.x86_64.rpm
    MD5: 9368c5decb7da31bc0c92ac16e5a36c6
    SHA-256: ca48aadd53bd079e7da26bdae72e38bb99556e1aaa0f2cc13aaa5cc7cf70d04a
    Size: 84.84 kB
  14. postgresql-server-13.10-1.module+el8+1594+625b4340.ML.1.x86_64.rpm
    MD5: 397ea0f095a283c9fb6e03c1bc1aab35
    SHA-256: f969837b4368e49a8f2432d43bd92ef876817cdd0f88ec2067dd55b28e8d46a8
    Size: 5.61 MB
  15. postgresql-server-devel-13.10-1.module+el8+1594+625b4340.ML.1.x86_64.rpm
    MD5: c3108798636e7d9b03c9480af7523b2d
    SHA-256: 4346131cee42f3beebc8304b4a64b78ac74a17962b9cab50dec8af34038bda30
    Size: 1.25 MB
  16. postgresql-static-13.10-1.module+el8+1594+625b4340.ML.1.x86_64.rpm
    MD5: 4671ff519a54266ca189584559176473
    SHA-256: b61c98eae53ddf076e9170c2f2446cfbabf742baf6d2a3a7cf593a97498c62f3
    Size: 189.17 kB
  17. postgresql-test-13.10-1.module+el8+1594+625b4340.ML.1.x86_64.rpm
    MD5: 1129ba77799ba24976fde5ec0e3fbc57
    SHA-256: 6ba128e109a67fdc6b2431fcb44916441278c87d8d4463c119a898b680f9ba66
    Size: 2.02 MB
  18. postgresql-test-rpm-macros-13.10-1.module+el8+1594+625b4340.ML.1.noarch.rpm
    MD5: 7a4400002b99177141555eab324d1b3c
    SHA-256: 5c8abc95b94e685ea19435d91aeb8a7367a06e3c482f2fe0e11480e8d910ddbc
    Size: 52.48 kB
  19. postgresql-upgrade-13.10-1.module+el8+1594+625b4340.ML.1.x86_64.rpm
    MD5: 549316fa1428f2286ffbe004b6e5d213
    SHA-256: 10adff4a55fa7c700b86bde2caa45fd01eb9ad066f20c32856fc95967368becf
    Size: 4.37 MB
  20. postgresql-upgrade-devel-13.10-1.module+el8+1594+625b4340.ML.1.x86_64.rpm
    MD5: 6d9fa50b07f3923d32af674a619c830d
    SHA-256: cdfc78f0f368c1cc761aca35da01f18abcf087cec77ee7d61290ecd70383df80
    Size: 1.10 MB