postgresql:15 security update

Errata ID: AXSA:2024-7563:01

Release date: Friday, March 1, 2024 - 10:02
Subject: postgresql:15 security update
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description: 

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL (CVE-2024-0985)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-0985
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
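
The following exposure audit is an added example, not part of the advisory or of PostgreSQL itself: it reports whether the running server is at or above the fixed releases named above and lists the materialized views on which the current role would be the "command issuer" for someone else's object. Assumptions: "untrusted" is taken to mean owned by a different, non-superuser role; branches older than 12 are reported as lacking the fix because the description names no fixed release for them; the column aliases are illustrative.

```sql
-- Added example (constructed for this advisory): CVE-2024-0985 exposure audit.
-- Run in each database as the role that normally issues
-- REFRESH MATERIALIZED VIEW CONCURRENTLY (for example a maintenance superuser).
WITH ver AS (
    -- server_version_num is major * 10000 + minor, e.g. 15.6 -> 150006
    SELECT current_setting('server_version_num')::int AS num
),
status AS (
    SELECT num,
           CASE
               WHEN num >= 160000 THEN num >= 160002  -- 16.2: defense in depth
               WHEN num >= 150000 THEN num >= 150006  -- fixed in 15.6
               WHEN num >= 140000 THEN num >= 140011  -- fixed in 14.11
               WHEN num >= 130000 THEN num >= 130014  -- fixed in 13.14
               WHEN num >= 120000 THEN num >= 120018  -- fixed in 12.18
               ELSE false  -- assumption: no fixed release named for older branches
           END AS has_protections
    FROM ver
)
SELECT s.num            AS server_version_num,
       s.has_protections,
       n.nspname        AS schema_name,
       c.relname        AS matview_name,
       r.rolname        AS owner,
       -- CONCURRENTLY needs a plain unique index: no WHERE clause, no expressions
       EXISTS (
           SELECT 1
           FROM pg_index i
           WHERE i.indrelid = c.oid
             AND i.indisunique
             AND i.indisvalid
             AND i.indpred IS NULL
             AND i.indexprs IS NULL
       )                AS concurrent_refresh_possible
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_roles r     ON r.oid = c.relowner
CROSS JOIN status s
WHERE c.relkind = 'm'              -- materialized views only
  AND r.rolname <> current_user    -- owned by someone other than the issuer
  AND NOT r.rolsuper               -- assumption: superuser-owned views are trusted
ORDER BY n.nspname, c.relname;
```

Rows with `has_protections = false` and `concurrent_refresh_possible = true` are the views to keep out of refresh jobs run by privileged roles until the packages below are installed.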

Modularity name: "postgresql"
Stream name: "15"

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. pgaudit-1.7.0-1.module+el9+1026+9e90d190.src.rpm
    MD5: cb6870791d2412afc0590d3378d97ab7
    SHA-256: da2e8826260bfce0691b881492b593093306f24053e7a250f77aa31073a0321a
    Size: 51.24 kB
  2. pg_repack-1.4.8-1.module+el9+1026+9e90d190.src.rpm
    MD5: 2e3a800c6788f1f8475cb5c7e12e6da8
    SHA-256: d673332017b41c2d446b845614c78261cf120d800b62a071444051298115fceb
    Size: 102.64 kB
  3. postgres-decoderbufs-1.9.7-1.Final.module+el9+1026+9e90d190.src.rpm
    MD5: c12d7a011182b7b4ab220ea0af0d9339
    SHA-256: fdb9547c833c3e9d40228df22a8a0e71e532fdbed128a7e8c3f070472c876db3
    Size: 21.46 kB
  4. postgresql-15.6-1.module+el9+1026+9e90d190.src.rpm
    MD5: b8dcf48fac2155ef83ad1d57b8775f6a
    SHA-256: e07b05b766d585ecc48f4e1a6fc36ce228ae4cde34fac5b28a339574dba9cc35
    Size: 50.67 MB

Asianux Server 9 for x86_64
  1. pgaudit-1.7.0-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: 0268b35f6d4ab3726b4fe2e1d7ff8220
    SHA-256: d8c8ae63b4be1012be0c6921bd7c5a323012ef912cc5296b950d5638bb0679b9
    Size: 27.50 kB
  2. pgaudit-debugsource-1.7.0-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: 4e63208318c78844a331590473785d4d
    SHA-256: e0ceda32cf52a78b96e4f0338ec53513a393b99ff621c32cd868e9d407d0951b
    Size: 22.30 kB
  3. pg_repack-1.4.8-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: 086d17fb04fd39a9b7733d0fe6086d33
    SHA-256: 93d4f756c24d5199eb6d5c0a412dbaa5525416c11bbb41a74345c05f0878d071
    Size: 90.33 kB
  4. pg_repack-debugsource-1.4.8-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: d081ac8c9fec3242e2433f729cd23205
    SHA-256: 8683d51aaa9c6901449adaa6d9fe187c4afc4515668be95eccc3c82c4cbe6adc
    Size: 48.52 kB
  5. postgres-decoderbufs-1.9.7-1.Final.module+el9+1026+9e90d190.x86_64.rpm
    MD5: ad1c6618e0b327138af65f8de52a47d2
    SHA-256: 22b3da074ee561b88f4b18be308a4d5723aa68ce81bb5fb6442c3e007e34840d
    Size: 22.76 kB
  6. postgres-decoderbufs-debugsource-1.9.7-1.Final.module+el9+1026+9e90d190.x86_64.rpm
    MD5: 4890f0a284d1986b1bd9212f707148f2
    SHA-256: 1623e605624a0aeca1b1efb38091a47b50f372332bedb00ea4ef264b9b87cb20
    Size: 16.55 kB
  7. postgresql-15.6-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: cf439e2bb20d9230d23b4f71c3f9eecc
    SHA-256: 29d70c93fb9a01041b10aa342ccf3c0b8568d0105100cb32990181e7f5bb98dd
    Size: 1.64 MB
  8. postgresql-contrib-15.6-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: ef2a2a5a534c904b4a0edc38be158975
    SHA-256: 84a3ddc223343807351e6d230ef6b449a233a4bf8fe613ffbd012c0ef37ccac4
    Size: 908.60 kB
  9. postgresql-debugsource-15.6-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: d391173f2c3251f181ff9deaa969ece4
    SHA-256: 3a114a05fd47ba41578d62e30d1bf24d906958afd37c610e2378ce0f3a9efae3
    Size: 15.25 MB
  10. postgresql-docs-15.6-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: d96b5fec1ab435038c4d157e72c5dfb4
    SHA-256: e3ac6a4002fd5dc6bb6baaca77bdd1df9223d75621e1607b227754cdc63cb79f
    Size: 9.66 MB
  11. postgresql-plperl-15.6-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: f4c61672308410200ee332af166409ae
    SHA-256: 1b2309046a046cd75126c8dec5af0a77d8080bc74765302ba0d8ecd601225cc1
    Size: 70.31 kB
  12. postgresql-plpython3-15.6-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: 3c12526e8d53a6aae0e11a7bfa9048fc
    SHA-256: 4a3a5b0a1a070906ecaa9dbec15b96bbf36859380a8a576941bb580ac1c76f4f
    Size: 94.42 kB
  13. postgresql-pltcl-15.6-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: 2594d2f54a47f3badba5b01314ce9a2e
    SHA-256: 08c2106151441c80998175f9ed9050f90d70ac5051d2b63cb41d82360cacdf58
    Size: 45.22 kB
  14. postgresql-private-devel-15.6-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: 3f6e88660996fe16a6e25defbbe016a7
    SHA-256: dadf2ddf45d286d3aa9767190a52838203dd310c768e54b7582fc0d1625a4273
    Size: 61.56 kB
  15. postgresql-private-libs-15.6-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: a70c539a95dfecd6ab63f4e6242171fe
    SHA-256: 8ce6f24afc61c995e1a375f25b6377e4bfa076bc293e76bbd19961dbfaa3c9db
    Size: 137.33 kB
  16. postgresql-server-15.6-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: 82e6a01c5f4f52c32e8634702df57024
    SHA-256: 2851e9e0081d3e71943ab60f9fd849f463418d30fa323e7d84c3c8982efc2c9c
    Size: 6.22 MB
  17. postgresql-server-devel-15.6-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: 75af78dfc2c7d4e2141b448a4141e859
    SHA-256: 21e4ae93264ec7193df8d3658d0c05da357040813c3e3d6a2e8b50c91edb13c9
    Size: 1.24 MB
  18. postgresql-static-15.6-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: 03677994fe1ed55f12dc2c1669e49d0b
    SHA-256: ed525c9fda9b8d4033bbe4ac09945b99248a3246825be55dbd355edb287d2d7b
    Size: 149.66 kB
  19. postgresql-test-15.6-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: c6fab71f9fbc08094842be44cbd38c6a
    SHA-256: c40af6f35491b086c54e8fccdd4e9f5ebc1cebc721e8a6667711481e2e9b3f66
    Size: 1.58 MB
  20. postgresql-test-rpm-macros-15.6-1.module+el9+1026+9e90d190.noarch.rpm
    MD5: 0755e27a076817a96ec8ac87f20f56e6
    SHA-256: c8a7ebdb7e9f85c32d8d2cd6b0ec31818d342851f37ecc8c357a835887073ded
    Size: 9.43 kB
  21. postgresql-upgrade-15.6-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: d3191f47edafc9be4dec39f5c5a1311d
    SHA-256: f58bf0d5a7693cc9861ec7c7e729abcceed59de11982702900ede388f64d8000
    Size: 4.73 MB
  22. postgresql-upgrade-devel-15.6-1.module+el9+1026+9e90d190.x86_64.rpm
    MD5: 5259a92ef3e61202d3cd6eb64aaa6f4d
    SHA-256: 9075d3e2d386837ec2816c02c6741478c8012b98ae0ed2178125ff0fc2ee09e9
    Size: 1.05 MB