postgresql-13.14-1.el9_3

Errata ID: AXSA:2024-7559:01

Release date: Thursday, February 29, 2024 - 11:21
Subject: postgresql-13.14-1.el9_3
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description: 

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL (CVE-2024-0985)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-0985
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.

Solution: Update packages.
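To confirm which hosts still need this update, the added example below (not part of the advisory) classifies PostgreSQL version strings against the fixed releases named in the CVE-2024-0985 text above. The hostnames and inventory strings are constructed, and treating releases after 16.2 as carrying the same protections is an assumption.

```python
import re

# Fixed minor release per major branch, as stated in the CVE-2024-0985 text.
FIXED_MINOR = {12: 18, 13: 14, 14: 11, 15: 6}
HARDENED_16_MINOR = 2  # 16.2 adds the same protections for defense in depth


def parse_version(text):
    """Extract (major, minor) from strings such as '13.14',
    'PostgreSQL 14.10 on x86_64-pc-linux-gnu' or 'postgresql-server-13.14-1.el9_3'."""
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no PostgreSQL version found in {text!r}")
    return int(m.group(1)), int(m.group(2))


def classify(text):
    """Map a version string to its CVE-2024-0985 status."""
    major, minor = parse_version(text)
    # Assumption: releases after 16.2 (including 17+) keep the added protections.
    if major >= 17 or (major == 16 and minor >= HARDENED_16_MINOR):
        return "hardened"
    if major == 16:
        # The only known exploit fails on 16, but 16.0/16.1 lack the protections.
        return "no-known-exploit"
    if major in FIXED_MINOR:
        return "fixed" if minor >= FIXED_MINOR[major] else "affected"
    # Older than branch 12: earlier than every fixed release the advisory names.
    return "affected-no-fix-listed"


def needs_update(inventory):
    """Return the hosts whose version is still affected, sorted by name."""
    return sorted(h for h, v in inventory.items()
                  if classify(v).startswith("affected"))


# Constructed inventory: hostname -> `SELECT version()` output or RPM name.
SAMPLE_INVENTORY = {
    "db-a": "postgresql-server-13.14-1.el9_3",
    "db-b": "PostgreSQL 13.13 on x86_64-pc-linux-gnu",
    "db-c": "PostgreSQL 16.1 on x86_64-pc-linux-gnu",
    "db-d": "11.22",
}

if __name__ == "__main__":
    for host, version in sorted(SAMPLE_INVENTORY.items()):
        print(f"{host}: {classify(version)}")
    print("update required:", needs_update(SAMPLE_INVENTORY))
```

Hosts reported as `no-known-exploit` are not covered by this erratum's package but are still worth moving to 16.2 or later for the defense-in-depth change.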

Additional Info: N/A

Download: 

SRPMS
  1. postgresql-13.14-1.el9_3.src.rpm
    MD5: 08152d8483d14a83ea3dd841cddd7e0a
    SHA-256: f2056a81d4e1deab54a108525e9d14984003faa3a3664590ce4277d58125aae3
    Size: 48.54 MB

Asianux Server 9 for x86_64
  1. postgresql-13.14-1.el9_3.x86_64.rpm
    MD5: 11a996e136abbd524da71afb81584426
    SHA-256: 13f882ab65813aacbdb55c0a79131d9e121767a4d01ea614d8a3094f203fbbc3
    Size: 1.58 MB
  2. postgresql-contrib-13.14-1.el9_3.x86_64.rpm
    MD5: b76c65b772a835bca9b4e13b02dfcb16
    SHA-256: 81495e135ba856da39f2f298c42fa2a8d1733ba622496aa56160b9fcda3789dc
    Size: 884.73 kB
  3. postgresql-docs-13.14-1.el9_3.x86_64.rpm
    MD5: 4d4a2f4b919940f8bbe917f5c88c7ae4
    SHA-256: bae922ee17e48d89841795bc35b5cee7fc46c63f7155d478d5f89115826ee36c
    Size: 9.53 MB
  4. postgresql-plperl-13.14-1.el9_3.x86_64.rpm
    MD5: 761379bf15644064fbb8c2c6e3ff74fa
    SHA-256: da0d91ea75539b141e4c7ecf1454639337f35d5d0733af45c835eeb68bce3c23
    Size: 74.29 kB
  5. postgresql-plpython3-13.14-1.el9_3.x86_64.rpm
    MD5: 9c0946f942b2ae33570b75462d9117a2
    SHA-256: 39f0cc0c069704dc4f0e74522465a5ff1b57a65bf64ddc0066dd87fa9cb14416
    Size: 93.57 kB
  6. postgresql-pltcl-13.14-1.el9_3.x86_64.rpm
    MD5: 677baf26eab464345853ecd541f93a58
    SHA-256: 440e6a7c25c8a23af85b216f6941ff336ae3592e8146c419c33f16e5d9cd32f5
    Size: 48.12 kB
  7. postgresql-private-devel-13.14-1.el9_3.x86_64.rpm
    MD5: c2059c71bb078c00b5bba0c798a37577
    SHA-256: dfab0fda0a3b398479a8cef53d915757772c3568c95b48df2522325b0d23d929
    Size: 62.73 kB
  8. postgresql-private-libs-13.14-1.el9_3.x86_64.rpm
    MD5: 10a39d4d1716385cd369891badd50d5e
    SHA-256: 6f616ce9456f610410953c85f9a1a687e8103f116ec9c5e3c7f50dc7672f2a2f
    Size: 132.14 kB
  9. postgresql-server-13.14-1.el9_3.x86_64.rpm
    MD5: 8d6264ef2e18f590b286c74f49fe2387
    SHA-256: 8e4bfbee0fbc2cfadca9fa9fe92dabe0b815799f704cc9a70024f3ee8eda9dba
    Size: 5.76 MB
  10. postgresql-server-devel-13.14-1.el9_3.x86_64.rpm
    MD5: 5a81674e8f033df67b64d9e94c1b24ff
    SHA-256: 3c609df8e3676c7c9c6ba628089a07a4543ad2f3811d75e3f641f313744e580d
    Size: 1.30 MB
  11. postgresql-static-13.14-1.el9_3.x86_64.rpm
    MD5: 79460897965660b8c9aeb866e223b27e
    SHA-256: 01741996b87e3a25098ce61958c35a7be6a1d47348d8ed934aacb68dd26b28fb
    Size: 143.96 kB
  12. postgresql-test-13.14-1.el9_3.x86_64.rpm
    MD5: e1689acbc1d9df6f13c39c0a4c41fb32
    SHA-256: ee4a1e939a86ecb22ee5cbed941319b669900a9fee04988ee24c7b0bf8aecbbd
    Size: 1.52 MB
  13. postgresql-upgrade-13.14-1.el9_3.x86_64.rpm
    MD5: 3458957f31870d60f5f3c1b46494a3ce
    SHA-256: 384924d1f56642918820e8f711e4edc18a6dc2e4039e462abf060071b1340fa2
    Size: 4.60 MB
  14. postgresql-upgrade-devel-13.14-1.el9_3.x86_64.rpm
    MD5: 6c1167e2dd7e3e93a96ff6ece2be3306
    SHA-256: b19239aba1217714ad35027fe5c97eadca7add2bd7641784e69ad273fa438349
    Size: 1.20 MB