postgresql:15 security update

Errata ID: AXSA:2024-7569:01

Release date: Friday, March 1, 2024 - 18:23
Subject: postgresql:15 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL (CVE-2024-0985)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-0985
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
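
A triage query for the condition described above, added here as an example and not part of the advisory: it reports whether the connected server is below the fixed minor release for its branch and lists materialized views owned by non-superuser roles, which are the objects a superuser should avoid refreshing with CONCURRENTLY until the update is installed. The column aliases and CTE names are illustrative assumptions; the catalogs and the `server_version_num` setting are standard PostgreSQL.

```sql
-- Added triage query (not part of the advisory). Run it in each database,
-- because pg_class only describes objects of the current database.
WITH srv AS (
    SELECT current_setting('server_version_num')::int AS num
),
fixed(major, fixed_num) AS (
    -- Fixed minor releases named in the advisory, as server_version_num values.
    VALUES (12, 120018),   -- 12.18
           (13, 130014),   -- 13.14
           (14, 140011),   -- 14.11
           (15, 150006)    -- 15.6
),
status AS (
    -- below_fixed_release is NULL when the branch is not in the list above
    -- (for example 16, or a branch older than 12).
    SELECT srv.num AS server_version_num,
           srv.num < f.fixed_num AS below_fixed_release
    FROM srv
    LEFT JOIN fixed f ON f.major = srv.num / 10000
)
SELECT s.server_version_num,
       s.below_fixed_release,
       m.schema_name,
       m.matview_name,
       m.owner,
       m.has_concurrent_index
FROM status s
LEFT JOIN (
    SELECT n.nspname AS schema_name,
           c.relname AS matview_name,
           o.rolname AS owner,
           -- REFRESH ... CONCURRENTLY needs a unique index on plain columns
           -- with no WHERE clause.
           EXISTS (
               SELECT 1
               FROM pg_catalog.pg_index i
               WHERE i.indrelid = c.oid
                 AND i.indisunique
                 AND i.indpred IS NULL
                 AND i.indexprs IS NULL
           ) AS has_concurrent_index
    FROM pg_catalog.pg_class c
    JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
    JOIN pg_catalog.pg_roles o ON o.oid = c.relowner
    WHERE c.relkind = 'm'
      AND NOT o.rolsuper
) m ON true
ORDER BY m.owner, m.schema_name, m.matview_name;
```

A single row with empty view columns means the database has no materialized views owned by non-superusers. A false `has_concurrent_index` is not a clearance, since the owner can add a qualifying index later.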

Modularity name: "postgresql"
Stream name: "15"

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. pgaudit-1.7.0-1.module+el8+1732+dff11322.src.rpm
    Size: 52.57 kB
  2. pg_repack-1.4.8-1.module+el8+1732+dff11322.src.rpm
    Size: 102.55 kB
  3. postgres-decoderbufs-1.9.7-1.Final.module+el8+1732+dff11322.src.rpm
    Size: 23.30 kB
  4. postgresql-15.6-1.module+el8+1732+dff11322.ML.1.src.rpm
    Size: 50.45 MB

Asianux Server 8 for x86_64
  1. pgaudit-1.7.0-1.module+el8+1732+dff11322.x86_64.rpm
    Size: 28.32 kB
  2. pgaudit-debugsource-1.7.0-1.module+el8+1732+dff11322.x86_64.rpm
    Size: 24.11 kB
  3. pg_repack-1.4.8-1.module+el8+1732+dff11322.x86_64.rpm
    Size: 94.13 kB
  4. pg_repack-debugsource-1.4.8-1.module+el8+1732+dff11322.x86_64.rpm
    Size: 50.55 kB
  5. postgres-decoderbufs-1.9.7-1.Final.module+el8+1732+dff11322.x86_64.rpm
    Size: 23.81 kB
  6. postgres-decoderbufs-debugsource-1.9.7-1.Final.module+el8+1732+dff11322.x86_64.rpm
    Size: 18.27 kB
  7. postgresql-15.6-1.module+el8+1732+dff11322.ML.1.x86_64.rpm
    Size: 1.69 MB
  8. postgresql-contrib-15.6-1.module+el8+1732+dff11322.ML.1.x86_64.rpm
    Size: 958.76 kB
  9. postgresql-debugsource-15.6-1.module+el8+1732+dff11322.ML.1.x86_64.rpm
    Size: 18.82 MB
  10. postgresql-docs-15.6-1.module+el8+1732+dff11322.ML.1.x86_64.rpm
    Size: 10.18 MB
  11. postgresql-plperl-15.6-1.module+el8+1732+dff11322.ML.1.x86_64.rpm
    Size: 72.28 kB
  12. postgresql-plpython3-15.6-1.module+el8+1732+dff11322.ML.1.x86_64.rpm
    Size: 92.07 kB
  13. postgresql-pltcl-15.6-1.module+el8+1732+dff11322.ML.1.x86_64.rpm
    Size: 44.66 kB
  14. postgresql-private-devel-15.6-1.module+el8+1732+dff11322.ML.1.x86_64.rpm
    Size: 63.77 kB
  15. postgresql-private-libs-15.6-1.module+el8+1732+dff11322.ML.1.x86_64.rpm
    Size: 131.67 kB
  16. postgresql-server-15.6-1.module+el8+1732+dff11322.ML.1.x86_64.rpm
    Size: 6.13 MB
  17. postgresql-server-devel-15.6-1.module+el8+1732+dff11322.ML.1.x86_64.rpm
    Size: 1.36 MB
  18. postgresql-static-15.6-1.module+el8+1732+dff11322.ML.1.x86_64.rpm
    Size: 152.58 kB
  19. postgresql-test-15.6-1.module+el8+1732+dff11322.ML.1.x86_64.rpm
    Size: 2.15 MB
  20. postgresql-test-rpm-macros-15.6-1.module+el8+1732+dff11322.ML.1.noarch.rpm
    Size: 9.61 kB
  21. postgresql-upgrade-15.6-1.module+el8+1732+dff11322.ML.1.x86_64.rpm
    Size: 4.48 MB
  22. postgresql-upgrade-devel-15.6-1.module+el8+1732+dff11322.ML.1.x86_64.rpm
    Size: 1.17 MB