postgresql-13.10-1.el9

Errata ID: AXSA:2023-5280:02

Release date: 
Wednesday, April 12, 2023 - 01:32
Subject: 
postgresql-13.10-1.el9
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: Extension scripts replace objects not belonging to the extension. (CVE-2022-2625)
* postgresql: Client memory disclosure when connecting with Kerberos to modified server (CVE-2022-41862)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-2625
A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.
CVE-2022-41862
In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.
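
The first prerequisite listed for CVE-2022-2625 (permission to create non-temporary objects in a schema where an extension is created or updated) can be audited from the system catalogs. The following is an added example, not part of the advisory or of the PostgreSQL project's own tooling; it assumes it is run as a superuser in each database of the cluster and uses only the standard catalogs `pg_extension`, `pg_namespace`, `pg_roles` and the built-in `has_schema_privilege()`.

```sql
-- Added audit example (not from the advisory).
-- 1. Confirm the running server is the fixed release shipped by this
--    advisory (package postgresql-13.10-1.el9, so 13.10 is expected).
SELECT current_setting('server_version') AS server_version;

-- 2. For every schema that holds an installed extension, list the
--    non-superuser roles that may create objects in it. Each row is a
--    role that meets the first prerequisite in the CVE-2022-2625
--    description for the extensions named in that row.
SELECT n.nspname                                   AS schema_name,
       string_agg(e.extname::text, ', '
                  ORDER BY e.extname::text)        AS extensions,
       r.rolname                                   AS role_with_create,
       r.rolcanlogin                               AS can_login,
       (r.oid = n.nspowner)                        AS owns_schema
FROM   pg_extension e
JOIN   pg_namespace n ON n.oid = e.extnamespace     -- schema the extension installs into
JOIN   pg_roles     r ON has_schema_privilege(r.oid, n.oid, 'CREATE')
WHERE  NOT r.rolsuper                               -- superusers can always create
GROUP  BY n.nspname, r.rolname, r.rolcanlogin, r.oid, n.nspowner
ORDER  BY n.nspname, r.rolname;

-- has_schema_privilege() also counts privileges granted to PUBLIC, so on
-- PostgreSQL 13 a default "public" schema normally returns every role.
-- Hardening that removes those rows, to be reviewed before use because
-- it changes where ordinary roles can create objects:
--   REVOKE CREATE ON SCHEMA public FROM PUBLIC;
```

Rows that remain after the update show where an untrusted role could still pre-create objects in an extension's schema, which is useful input when deciding which schemas extensions should be installed into.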

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. postgresql-13.10-1.el9.src.rpm
    MD5: 8437f2280eefc073cd8482b95e883382
    SHA-256: fd1e4c9a11980a1fb3906b011930a3d6fab33ba203426755e1bb123594ab2af1
    Size: 48.25 MB

Asianux Server 9 for x86_64
  1. postgresql-13.10-1.el9.x86_64.rpm
    MD5: 9a5aeca8945e55dea3ccb0244f012385
    SHA-256: 9cd88cb384119269ddb060e9945700d7b1b7536a632f5004225bd3f23699964c
    Size: 1.52 MB
  2. postgresql-contrib-13.10-1.el9.x86_64.rpm
    MD5: db1eec8d941f6e58637b35710aef5669
    SHA-256: 6a7732d87dae2363eb5b2708a4dbca6bac3ff95fe8646908c4500ad43cebb6e4
    Size: 810.10 kB
  3. postgresql-plperl-13.10-1.el9.x86_64.rpm
    MD5: 9929885225be2c0880c98db8ff48972b
    SHA-256: 5e4b6abb34bcfb5e516db6bdd303f015d83734b511ea82cbb373ff98472c6261
    Size: 69.18 kB
  4. postgresql-plpython3-13.10-1.el9.x86_64.rpm
    MD5: 098a6d33428b29c0015312ad6005d29c
    SHA-256: df021124a5899b0f545720399503586bcb98fd589460c75b1b61b09d9417a972
    Size: 90.09 kB
  5. postgresql-pltcl-13.10-1.el9.x86_64.rpm
    MD5: 965f37f5e44b97c269422de3ea9946ff
    SHA-256: d3baa8ba8484c6fe4f658f05bb3a0eebd2b57aaa0ed87bee262f2e965c42ad33
    Size: 44.56 kB
  6. postgresql-private-devel-13.10-1.el9.x86_64.rpm
    MD5: aa29c9bd69732ceb401acad58970d7c1
    SHA-256: f65d85dc4a279fdedcd6229a4d0418a5ed24a5b94d7760ad88e4b43cd541b6f2
    Size: 59.67 kB
  7. postgresql-private-libs-13.10-1.el9.x86_64.rpm
    MD5: d158eb7e6d27ed97a7f84c7da838089f
    SHA-256: 432f946729e3f91ac7b23d34f692476b810407c003efcc117b3ca82894375a9f
    Size: 133.99 kB
  8. postgresql-server-13.10-1.el9.x86_64.rpm
    MD5: 0edf9dbbfccaadc8a3eb7aced8f0cea8
    SHA-256: 86047cae3c2c1c57af419d4b41df56035bcb4d3928d878d4dc5d18e424e18982
    Size: 5.73 MB
  9. postgresql-server-devel-13.10-1.el9.x86_64.rpm
    MD5: 9c0d7fb98ffb570fe6a793bafe699cf2
    SHA-256: 3942ce76f246a6aa35a536868f09383ad60d500af809e17adde43302b67f14ea
    Size: 1.11 MB
  10. postgresql-test-13.10-1.el9.x86_64.rpm
    MD5: 076ecee25a38d8b3ca1ca55fa82991ef
    SHA-256: b6426986d56e4ffd51d418520253492caec5de22657dbfd899e93e063a2120e8
    Size: 1.41 MB
  11. postgresql-upgrade-13.10-1.el9.x86_64.rpm
    MD5: eb480f72d38b87650a43f588b0713bf0
    SHA-256: 1ef4f2ccb7a6352bed1894f2aa5e95841f7bbf2c9ebff55c98443ded04158de7
    Size: 4.56 MB