postgresql:13 security update

Errata ID: AXSA:2024-7568:01

Release date: Friday, March 1, 2024 - 16:49
Subject: postgresql:13 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL (CVE-2024-0985)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-0985
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
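The fixed-release thresholds quoted above can be applied to a server inventory as follows. This is an added example, not part of the original advisory or of PostgreSQL; the function names, status labels and sample host names are assumptions, and treating branches older than 12 as affected is an assumption drawn from the "before 12.18" wording.

```python
import re

# Fixed minor release per branch, as stated in the CVE-2024-0985 text.
FIXED_MINOR = {12: 18, 13: 14, 14: 11, 15: 6}
# PostgreSQL 16: no known working exploit; 16.2 adds the same protections.
HARDENED_16_MINOR = 2
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)")


def classify(version_text):
    """Classify a version string against CVE-2024-0985.
    Accepts SHOW server_version output, SELECT version() output or an RPM
    file name; the first dotted number found is taken as major.minor.
    """
    m = _VERSION_RE.search(version_text)
    if m is None:
        return "unknown"  # e.g. '17devel': no minor number to compare
    major, minor = int(m.group(1)), int(m.group(2))
    if major < 12:
        # Assumption: anything older than 12.18 counts as affected; the
        # advisory names no fixed minor release for these branches.
        return "affected"
    if major in FIXED_MINOR:
        return "fixed" if minor >= FIXED_MINOR[major] else "affected"
    if major == 16:
        return "fixed" if minor >= HARDENED_16_MINOR else "hardening-missing"
    return "unknown"  # branch not covered by the advisory text


def triage(inventory):
    """Return (host, status) for hosts that are not 'fixed', worst first."""
    rank = {"affected": 0, "hardening-missing": 1, "unknown": 2}
    flagged = [(h, classify(v)) for h, v in inventory.items()]
    flagged = [(h, s) for h, s in flagged if s != "fixed"]
    return sorted(flagged, key=lambda hs: (rank[hs[1]], hs[0]))


# Constructed inventory: host names are made up; db-b is this page's RPM.
SAMPLE = {
    "db-a": "PostgreSQL 13.13 on x86_64-pc-linux-gnu, compiled by gcc",
    "db-b": "postgresql-server-13.14-1.module+el8+1731+778057d5.ML.1.x86_64.rpm",
    "db-c": "16.1",
    "db-d": "15.6",
    "db-e": "9.6.24",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host}: {status}")
```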

Modularity name: "postgresql"
Stream name: "13"

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. pgaudit-1.5.0-1.module+el8+1731+778057d5.src.rpm
    Size: 42.60 kB
  2. pg_repack-1.4.6-3.module+el8+1731+778057d5.src.rpm
    Size: 100.99 kB
  3. postgres-decoderbufs-0.10.0-2.module+el8+1731+778057d5.src.rpm
    Size: 21.13 kB
  4. postgresql-13.14-1.module+el8+1731+778057d5.ML.1.src.rpm
    Size: 48.29 MB

Asianux Server 8 for x86_64
  1. pgaudit-1.5.0-1.module+el8+1731+778057d5.x86_64.rpm
    Size: 27.03 kB
  2. pgaudit-debugsource-1.5.0-1.module+el8+1731+778057d5.x86_64.rpm
    Size: 22.80 kB
  3. pg_repack-1.4.6-3.module+el8+1731+778057d5.x86_64.rpm
    Size: 89.54 kB
  4. pg_repack-debugsource-1.4.6-3.module+el8+1731+778057d5.x86_64.rpm
    Size: 49.69 kB
  5. postgres-decoderbufs-0.10.0-2.module+el8+1731+778057d5.x86_64.rpm
    Size: 21.90 kB
  6. postgres-decoderbufs-debugsource-0.10.0-2.module+el8+1731+778057d5.x86_64.rpm
    Size: 16.81 kB
  7. postgresql-13.14-1.module+el8+1731+778057d5.ML.1.x86_64.rpm
    Size: 1.54 MB
  8. postgresql-contrib-13.14-1.module+el8+1731+778057d5.ML.1.x86_64.rpm
    Size: 882.06 kB
  9. postgresql-debugsource-13.14-1.module+el8+1731+778057d5.ML.1.x86_64.rpm
    Size: 17.68 MB
  10. postgresql-docs-13.14-1.module+el8+1731+778057d5.ML.1.x86_64.rpm
    Size: 9.83 MB
  11. postgresql-plperl-13.14-1.module+el8+1731+778057d5.ML.1.x86_64.rpm
    Size: 112.53 kB
  12. postgresql-plpython3-13.14-1.module+el8+1731+778057d5.ML.1.x86_64.rpm
    Size: 129.09 kB
  13. postgresql-pltcl-13.14-1.module+el8+1731+778057d5.ML.1.x86_64.rpm
    Size: 85.41 kB
  14. postgresql-server-13.14-1.module+el8+1731+778057d5.ML.1.x86_64.rpm
    Size: 5.59 MB
  15. postgresql-server-devel-13.14-1.module+el8+1731+778057d5.ML.1.x86_64.rpm
    Size: 1.26 MB
  16. postgresql-static-13.14-1.module+el8+1731+778057d5.ML.1.x86_64.rpm
    Size: 189.72 kB
  17. postgresql-test-13.14-1.module+el8+1731+778057d5.ML.1.x86_64.rpm
    Size: 2.03 MB
  18. postgresql-test-rpm-macros-13.14-1.module+el8+1731+778057d5.ML.1.noarch.rpm
    Size: 52.96 kB
  19. postgresql-upgrade-13.14-1.module+el8+1731+778057d5.ML.1.x86_64.rpm
    Size: 4.37 MB
  20. postgresql-upgrade-devel-13.14-1.module+el8+1731+778057d5.ML.1.x86_64.rpm
    Size: 1.10 MB