postgresql:10 security update

Errata ID: AXSA:2024-7566:01

Release date: Friday, March 1, 2024 - 12:03
Subject: postgresql:10 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL (CVE-2024-0985)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-0985
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
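
To gauge exposure on a given server, the query below lists materialized views that the current role is able to refresh but does not own, which is the situation the CVE description calls out. It is an added example, not part of the advisory; it assumes it is run in each database as the role that normally issues REFRESH commands, and it treats views owned by superusers as already trusted.

```sql
-- Added audit query (not from the advisory).
-- Run in each database as the role that usually performs refreshes,
-- for example a maintenance superuser.
SELECT mv.schemaname,
       mv.matviewname,
       mv.matviewowner,
       mv.ispopulated
FROM pg_catalog.pg_matviews AS mv
JOIN pg_catalog.pg_roles    AS owner_role
  ON owner_role.rolname = mv.matviewowner
WHERE
      -- The view belongs to some other role ...
      mv.matviewowner <> current_user
      -- ... that is not itself a superuser (assumption: superuser-owned
      -- views are trusted already) ...
  AND NOT owner_role.rolsuper
      -- ... and has at least one index. CONCURRENTLY needs a unique index,
      -- so views without any index cannot be refreshed that way.
  AND mv.hasindexes
      -- The current role can issue the REFRESH: it is a superuser or
      -- holds the owning role.
  AND (
        (SELECT r.rolsuper
           FROM pg_catalog.pg_roles AS r
          WHERE r.rolname = current_user)
        OR pg_catalog.pg_has_role(current_user, mv.matviewowner, 'USAGE')
      )
ORDER BY mv.matviewowner, mv.schemaname, mv.matviewname;
```

Until the updated packages are installed, views returned here are the ones to avoid refreshing with CONCURRENTLY from a privileged session.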

Modularity name: "postgresql"
Stream name: "10"

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. postgresql-10.23-4.module+el8+1729+25e0dcf5.ML.1.src.rpm
    MD5: dd2858c5b0dee2ef39aa3e1881507d7e
    SHA-256: 5bfe90461a441547e45f4043f0606f1a40628241584648b94dd8b80654036632
    Size: 34.22 MB

Asianux Server 8 for x86_64
  1. postgresql-10.23-4.module+el8+1729+25e0dcf5.ML.1.x86_64.rpm
    MD5: 99127ad7e70a1a261756880048ecf540
    SHA-256: 26ae495f75fbf6c4b1da35909d39170b8e0eb00f94369011c5df12768f04414f
    Size: 1.50 MB
  2. postgresql-contrib-10.23-4.module+el8+1729+25e0dcf5.ML.1.x86_64.rpm
    MD5: d9452ef8c7a05629b843880ff5c97262
    SHA-256: 5d60b79f576103ca3e10f27f20a43822f4894f6f971b1b5c2472644aaebb5079
    Size: 811.00 kB
  3. postgresql-debugsource-10.23-4.module+el8+1729+25e0dcf5.ML.1.x86_64.rpm
    MD5: ab2c8c773afc8970b77bc2e5f5420309
    SHA-256: abe771741da1188c98a97946102e14f9741b5e6e8cdcf3ca15d949ac11ccb02c
    Size: 14.59 MB
  4. postgresql-docs-10.23-4.module+el8+1729+25e0dcf5.ML.1.x86_64.rpm
    MD5: d21a25bbb0013ca1a36ba9330304bcba
    SHA-256: 8a3d1d66550fe26baa7fe94621a84dc9bf0c3a744e8570ff99fc1ed755a179a5
    Size: 2.23 MB
  5. postgresql-plperl-10.23-4.module+el8+1729+25e0dcf5.ML.1.x86_64.rpm
    MD5: f7c10f2fe5d439c9722348e22338114a
    SHA-256: 0ce4f6039e2598c6d611a8249fe94ca7a8d757e7a136c60b4df9148acc4bacdd
    Size: 102.04 kB
  6. postgresql-plpython3-10.23-4.module+el8+1729+25e0dcf5.ML.1.x86_64.rpm
    MD5: 7ab99eaec5b723d518c625b4237c493e
    SHA-256: ce8df235c1ed60358a29cd9eac4ae96a7bb16cfb1b5f5d0c571fcc696aa191dd
    Size: 121.87 kB
  7. postgresql-pltcl-10.23-4.module+el8+1729+25e0dcf5.ML.1.x86_64.rpm
    MD5: fe8534d382c80ed504d466ddaff5c6e3
    SHA-256: c26e32e4606ee875ca16e83bf398a64c05a24e3776b17ec02453ee973994d4c7
    Size: 78.21 kB
  8. postgresql-server-10.23-4.module+el8+1729+25e0dcf5.ML.1.x86_64.rpm
    MD5: b33c927a91ece1cef6055c0b72a573f7
    SHA-256: 30bb2710dbc9e04a4e09d4524f170dba486fd501c5035a3d48725db756b77a0a
    Size: 5.05 MB
  9. postgresql-server-devel-10.23-4.module+el8+1729+25e0dcf5.ML.1.x86_64.rpm
    MD5: d6d94a063c75f3199290022847ff7a7d
    SHA-256: 492f06a7e3f69d08e9ffef321d182776c3676fb3c58e74075e645d0aff363f2b
    Size: 1.16 MB
  10. postgresql-static-10.23-4.module+el8+1729+25e0dcf5.ML.1.x86_64.rpm
    MD5: 7d46c719c601cfbab5769291ac4503d5
    SHA-256: 1cbdc00530d93b0807a2c36c90339614a867bee6c049c37c8c2055bf83159617
    Size: 126.94 kB
  11. postgresql-test-10.23-4.module+el8+1729+25e0dcf5.ML.1.x86_64.rpm
    MD5: 9cd88a351495b8d60cf402ca65bb8a42
    SHA-256: 590a6bc23f61d0772bd8488ecd37a950edaf112e233d914c2caf5f8958c1c4c0
    Size: 1.68 MB
  12. postgresql-test-rpm-macros-10.23-4.module+el8+1729+25e0dcf5.ML.1.x86_64.rpm
    MD5: 2f6ca0b264a3a84cf30196686374bd08
    SHA-256: 94dc97a3a1b9a48fbfa5e66fd322f37a756fc4cbe1ce5b770ce229430562f882
    Size: 49.36 kB
  13. postgresql-upgrade-10.23-4.module+el8+1729+25e0dcf5.ML.1.x86_64.rpm
    MD5: ce9ece9632584e90552e63a8366bc4e8
    SHA-256: ebbad45489af02c20ddf5ee58f2b8fd63e6b0918f3ea10306c11a6bdb17f2d3f
    Size: 3.34 MB
  14. postgresql-upgrade-devel-10.23-4.module+el8+1729+25e0dcf5.ML.1.x86_64.rpm
    MD5: f3f8428a7849c2f3569192a6e6ecb142
    SHA-256: a4f4041f818fe1bd21949187100a6637e1e113a774ab22aec6d193d1849b15b2
    Size: 760.79 kB