postgresql:12 security update

Errata ID: AXSA:2024-7567:01

Release date: Friday, March 1, 2024 - 13:54
Subject: postgresql:12 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description:

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL (CVE-2024-0985)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-0985
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
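
An exposure check for the superuser case described above, as an added example that is not part of the original advisory: it lists materialized views owned by non-superuser roles that can be refreshed with CONCURRENTLY, and flags whether the server is below the fixed minor releases quoted above. It uses only standard PostgreSQL system catalogs; the column aliases are illustrative.

```sql
-- Added example, not from the advisory. Run as a superuser in each database.
-- REFRESH MATERIALIZED VIEW CONCURRENTLY needs a valid unique index that
-- covers all rows and uses plain columns only, so only those matviews are listed.
WITH srv AS (
    SELECT current_setting('server_version_num')::int AS vnum
),
status AS (
    SELECT vnum,
           CASE
               WHEN vnum >= 160000 THEN false          -- known exploit does not work on 16+
               WHEN vnum >= 150000 THEN vnum < 150006  -- fixed in 15.6
               WHEN vnum >= 140000 THEN vnum < 140011  -- fixed in 14.11
               WHEN vnum >= 130000 THEN vnum < 130014  -- fixed in 13.14
               ELSE vnum < 120018                      -- fixed in 12.18
           END AS below_fixed_release
    FROM srv
)
SELECT n.nspname             AS schema_name,
       c.relname             AS matview_name,
       r.rolname             AS owner_role,
       s.vnum                AS server_version_num,
       s.below_fixed_release
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_roles r     ON r.oid = c.relowner
CROSS JOIN status s
WHERE c.relkind = 'm'          -- materialized views only
  AND NOT r.rolsuper           -- owner is not a superuser
  AND EXISTS (
        SELECT 1
        FROM pg_index i
        WHERE i.indrelid = c.oid
          AND i.indisunique
          AND i.indisvalid
          AND i.indpred IS NULL     -- no partial index
          AND i.indexprs IS NULL    -- no expression index
      )
ORDER BY schema_name, matview_name;
```

Rows returned with below_fixed_release = true are materialized views that a superuser should not refresh with CONCURRENTLY until the updated packages are installed.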

Modularity name: "postgresql"
Stream name: "12"

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. pgaudit-1.4.0-7.module+el8+1730+eb33887a.ML.1.src.rpm
    Size: 42.40 kB
  2. pg_repack-1.4.6-3.module+el8+1730+eb33887a.src.rpm
    Size: 100.99 kB
  3. postgres-decoderbufs-0.10.0-2.module+el8+1730+eb33887a.src.rpm
    Size: 21.13 kB
  4. postgresql-12.18-1.module+el8+1730+eb33887a.ML.1.src.rpm
    Size: 46.55 MB

Asianux Server 8 for x86_64
  1. pgaudit-1.4.0-7.module+el8+1730+eb33887a.ML.1.x86_64.rpm
    Size: 27.10 kB
  2. pgaudit-debugsource-1.4.0-7.module+el8+1730+eb33887a.ML.1.x86_64.rpm
    Size: 23.04 kB
  3. pg_repack-1.4.6-3.module+el8+1730+eb33887a.x86_64.rpm
    Size: 89.19 kB
  4. pg_repack-debugsource-1.4.6-3.module+el8+1730+eb33887a.x86_64.rpm
    Size: 49.69 kB
  5. postgres-decoderbufs-0.10.0-2.module+el8+1730+eb33887a.x86_64.rpm
    Size: 21.84 kB
  6. postgres-decoderbufs-debugsource-0.10.0-2.module+el8+1730+eb33887a.x86_64.rpm
    Size: 16.81 kB
  7. postgresql-12.18-1.module+el8+1730+eb33887a.ML.1.x86_64.rpm
    Size: 1.50 MB
  8. postgresql-contrib-12.18-1.module+el8+1730+eb33887a.ML.1.x86_64.rpm
    Size: 874.31 kB
  9. postgresql-debugsource-12.18-1.module+el8+1730+eb33887a.ML.1.x86_64.rpm
    Size: 16.96 MB
  10. postgresql-docs-12.18-1.module+el8+1730+eb33887a.ML.1.x86_64.rpm
    Size: 9.76 MB
  11. postgresql-plperl-12.18-1.module+el8+1730+eb33887a.ML.1.x86_64.rpm
    Size: 109.80 kB
  12. postgresql-plpython3-12.18-1.module+el8+1730+eb33887a.ML.1.x86_64.rpm
    Size: 129.89 kB
  13. postgresql-pltcl-12.18-1.module+el8+1730+eb33887a.ML.1.x86_64.rpm
    Size: 85.25 kB
  14. postgresql-server-12.18-1.module+el8+1730+eb33887a.ML.1.x86_64.rpm
    Size: 5.54 MB
  15. postgresql-server-devel-12.18-1.module+el8+1730+eb33887a.ML.1.x86_64.rpm
    Size: 1.22 MB
  16. postgresql-static-12.18-1.module+el8+1730+eb33887a.ML.1.x86_64.rpm
    Size: 167.60 kB
  17. postgresql-test-12.18-1.module+el8+1730+eb33887a.ML.1.x86_64.rpm
    Size: 1.95 MB
  18. postgresql-test-rpm-macros-12.18-1.module+el8+1730+eb33887a.ML.1.noarch.rpm
    Size: 53.19 kB
  19. postgresql-upgrade-12.18-1.module+el8+1730+eb33887a.ML.1.x86_64.rpm
    Size: 4.07 MB
  20. postgresql-upgrade-devel-12.18-1.module+el8+1730+eb33887a.ML.1.x86_64.rpm
    Size: 1.13 MB