postgresql:16 security update

Errata ID: AXSA:2024-8740:01

Release date: Friday, August 30, 2024 - 19:04
Subject: postgresql:16 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description:

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

postgresql: PostgreSQL pg_stats_ext and pg_stats_ext_exprs lack authorization checks (CVE-2024-4317)
postgresql: PostgreSQL relation replacement during pg_dump executes arbitrary SQL (CVE-2024-7348)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Modularity name: "postgresql"
Stream name: "16"

CVE(s):
CVE-2024-4317
Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
CVE-2024-7348
Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
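
The following triage helper is an added example, not part of the original advisory or of PostgreSQL. It applies the version boundaries quoted in the two CVE descriptions above and keeps CVE-2024-4317 open for clusters whose initdb predates the fixed release. The initdb_version field and the status strings are assumptions of this example.

```python
import re

# Fixed minor release per major line, as stated in the advisory text.
FIXED_4317 = {14: 12, 15: 7, 16: 3}   # majors before 14 are unaffected
FIXED_7348 = {12: 20, 13: 16, 14: 13, 15: 8, 16: 4}


def parse_version(text):
    """Return (major, minor) from '16.3' or '15.7 (Debian 15.7-1)'."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised PostgreSQL version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def triage(running, initdb_version=None):
    """Classify one cluster against both CVEs.

    running        -- version of the installed PostgreSQL packages
    initdb_version -- hypothetical inventory field: the version whose initdb
                      created the cluster, or None when it was not recorded
    """
    major, minor = parse_version(running)
    status = {}

    # CVE-2024-7348: decided by the installed version alone.
    if major in FIXED_7348:
        status["CVE-2024-7348"] = "affected" if minor < FIXED_7348[major] else "fixed"
    else:
        # Anything older than 12 is "before 12.20"; newer majors are not listed.
        status["CVE-2024-7348"] = "affected" if major < 12 else "not-listed"

    # CVE-2024-4317: updated packages fix only clusters created by a fixed initdb.
    if major not in FIXED_4317:
        status["CVE-2024-4317"] = "unaffected" if major < 14 else "not-listed"
    elif minor < FIXED_4317[major]:
        status["CVE-2024-4317"] = "affected"
    elif initdb_version is None:
        status["CVE-2024-4317"] = "needs-remediation-check"
    else:
        i_major, i_minor = parse_version(initdb_version)
        if i_major != major:
            raise ValueError("initdb major differs from running major")
        created_fixed = i_minor >= FIXED_4317[major]
        status["CVE-2024-4317"] = "fixed" if created_fixed else "needs-remediation-check"
    return status
```

A "needs-remediation-check" result means the packages are current but the cluster must still be confirmed against the release-note instructions the CVE-2024-4317 description refers to.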

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. pgaudit-16.0-1.module+el8+1803+7f6abfc3.src.rpm
    MD5: 30c1f8305b7b0141c229720546090c2f
    SHA-256: 31c64eb162e0623f7f78981a9a635559abd8e042ef4c02fa38212fbb37052fe1
    Size: 52.51 kB
  2. pg_repack-1.4.8-1.module+el8+1803+7f6abfc3.src.rpm
    MD5: 4e176ec9df167a134d5281596d29b0d4
    SHA-256: bc7d5f5b0cd51d9f130d5b534e857ebf6891bc543b2c2cfcfd55be27ea7317e0
    Size: 101.38 kB
  3. postgres-decoderbufs-2.4.0-1.Final.module+el8+1803+7f6abfc3.src.rpm
    MD5: 7a50c8aab7474416c22e93a42f9892ca
    SHA-256: 4d48ac6f0dd859b94c8c50c51faecb65e96ee40e238330091ce05acbb7dece88
    Size: 21.11 kB
  4. postgresql-16.4-1.module+el8+1803+7f6abfc3.src.rpm
    MD5: a6a11ba938f893f817fbcad479d416e8
    SHA-256: e41c545245813cef811df7c32e06ea54c439ef16c2f5c12ba2a022449841d710
    Size: 45.64 MB

Asianux Server 8 for x86_64
  1. pgaudit-16.0-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: 0e5bebd9ebc3307ed2d0c2249cfe2845
    SHA-256: 56241ce0047fcadd8c865fb83e6868f2d21dd8ef2371d0a4011f9cd3fbe7b127
    Size: 27.44 kB
  2. pgaudit-debugsource-16.0-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: e3ca1fbfddfaceb297070a65e76adc29
    SHA-256: 06ccd0ab20543120afbc61c96fb8dd78176dcbec5cb71bf8ccc9b55bb95bfccb
    Size: 23.57 kB
  3. pg_repack-1.4.8-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: 2e38bf31a0aafb99576969618498e756
    SHA-256: b7d6942877cef98fb54f74eeb65e168012c88c4b2d80aa8043ec4167b679a7ad
    Size: 93.23 kB
  4. pg_repack-debugsource-1.4.8-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: 588dd335cdb2070548195ce5c841ee66
    SHA-256: fd9fb7538471a8f7bdde7422d19fd98049e1cc3bbec7632ae651912dda04a534
    Size: 49.78 kB
  5. postgres-decoderbufs-2.4.0-1.Final.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: 60c8d10b3c5d7cd9343b653a44b389d5
    SHA-256: af31a3adc91e4bda6a47701e4e935525d62f9069addb8728afa5fa2a39dcd2e0
    Size: 22.13 kB
  6. postgres-decoderbufs-debugsource-2.4.0-1.Final.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: 5bbc6635d0e5e39fe605ce733aa21a45
    SHA-256: f159dd7aa0c70c442fcf05c29aca0ead6c90e2753fd6e0913d778decb35ad5c1
    Size: 16.73 kB
  7. postgresql-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: f9ff1d533c39ccc22f81b75f1a2eba70
    SHA-256: 8255d6c41e2a39608f3764a3eb6a2713d4138d3a36b44f4d5ec8b5345abc3841
    Size: 1.91 MB
  8. postgresql-contrib-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: d8adf79886576147f6af4e31f49468e4
    SHA-256: 319ad9d9bb9228a13418b447aac177b91b99e2d16ff1101bb59856140a447363
    Size: 0.97 MB
  9. postgresql-debugsource-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: af2d14f6e6ac362483b55d43d8391366
    SHA-256: bf6fb616abb8b0dc98a10fbbefc039063425009b862eeff51066666d34636ded
    Size: 19.80 MB
  10. postgresql-docs-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: f0549099432bc24db1dba99ca55a84a6
    SHA-256: c84016287a09578a144857495d9ed334dc49b74080b6259c1f262756455ea0e3
    Size: 2.47 MB
  11. postgresql-plperl-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: 30f3de77efa23db9fe78b450e92c0da2
    SHA-256: 4aa66d7a968539fac3b7dc7632a063bbcd4a6dae528bffa7e6164fe091c6b454
    Size: 74.71 kB
  12. postgresql-plpython3-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: d0d254e7bd1811058ccbb6604d835c94
    SHA-256: 25a8773ca207dc2fefe14c2e2a2d3617e68f0c06d858f855a1e0f97c77afc858
    Size: 93.45 kB
  13. postgresql-pltcl-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: 9c12f4d06a2e66e286d71b40a55168d7
    SHA-256: 80b1526faafae49ecdc27cc32656a25d4cbdbbc3b792f0d3ad37dbf6e6dd633c
    Size: 46.14 kB
  14. postgresql-private-devel-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: 6dd489e1bd65a12cbb37e2bb2fca0b40
    SHA-256: 0f23c98e9d3ddd284aac63684c485041d912968116f4f540b4e347696eecd454
    Size: 62.79 kB
  15. postgresql-private-libs-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: 6469bab8478be78ee536cdb79f31abfb
    SHA-256: 269ab1c94a564df8116a51217637efb567633c7a1f8683d5f90aea8f5c3f12e3
    Size: 134.87 kB
  16. postgresql-server-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: b4f7bf61cb6390a6c66833444bd68f11
    SHA-256: c63e4b6895a99ef320257fd54d8c5de2c0691b6e21785246b915bf0e7ea4ef6a
    Size: 6.82 MB
  17. postgresql-server-devel-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: e5897fba6541b97e2a5f75cbc1b90ba5
    SHA-256: e08af8b5a066980454ac5ce3b7836380ce4f4de68c2cc55e0468d98c295b0f4e
    Size: 1.40 MB
  18. postgresql-static-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: 1e1f29dc2ecd8e2b08cf84807eae2976
    SHA-256: 02c9181df6408f9c26c8a537b41a1ed628d18e95019ce9a6b9c9f0ea70615669
    Size: 155.21 kB
  19. postgresql-test-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: 99a719d837f9e1e4602dfd0fec46749d
    SHA-256: ac4cb69d15c42890086f2b321078a5ea87952419beb13e68dae9f5f177ce9ef7
    Size: 2.22 MB
  20. postgresql-test-rpm-macros-16.4-1.module+el8+1803+7f6abfc3.noarch.rpm
    MD5: 95c915966f72e52cf111930adbd40061
    SHA-256: b35b448ef37d4a1e9af245835fc9852f1c88eaf99d46b730f7a41e7509e6e6e0
    Size: 9.76 kB
  21. postgresql-upgrade-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: 56f8d460f21e9b46dac6b36dd6474231
    SHA-256: e160fd67414454aa3626a08e7c9d127993fecad8ce45353d6e1276b4ce58e74d
    Size: 4.88 MB
  22. postgresql-upgrade-devel-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
    MD5: 2cbf4f24cfd8ff25b5342f459752fd91
    SHA-256: f58d4247f74afa84b3a12c5b17c03f175e53dec10f047e3161c774c6abb211d8
    Size: 1.32 MB