libpq-13.20-1.el9_5
Errata ID: AXSA:2025-9696:01
The libpq package provides the PostgreSQL client library, which allows client programs to connect to PostgreSQL servers.
Security Fix(es):
* postgresql: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation (CVE-2025-1094)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-1094
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
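Since the flaw concerns text that fails encoding validation, an application can, in addition to updating, refuse such text before it reaches a quoting function or psql input. The Python code below is an added example, not code from PostgreSQL or from this advisory; the function names and the encoding-to-codec mapping are assumptions, and the sample inputs are constructed.

```python
"""Added example: reject text that fails encoding validation before quoting."""

# Assumed mapping from PostgreSQL client_encoding names to Python codec names.
# Encodings without an entry here are refused rather than passed through.
PG_TO_PY_CODEC = {
    "UTF8": "utf-8",
    "BIG5": "big5",
    "SJIS": "shift_jis",
    "EUC_JP": "euc_jp",
    "EUC_KR": "euc_kr",
    "LATIN1": "latin-1",
}


class InvalidClientText(ValueError):
    """Raised when untrusted bytes must not reach a quoting function."""


def validate_client_text(raw: bytes, client_encoding: str) -> str:
    """Return raw decoded as text, or raise if it is invalid in client_encoding."""
    codec = PG_TO_PY_CODEC.get(client_encoding.upper())
    if codec is None:
        raise InvalidClientText(f"no validator for encoding {client_encoding!r}")
    if b"\x00" in raw:
        # PostgreSQL text values cannot contain NUL bytes.
        raise InvalidClientText("NUL byte in input")
    try:
        # Strict decoding rejects illegal and truncated multibyte sequences.
        return raw.decode(codec, errors="strict")
    except UnicodeDecodeError as exc:
        raise InvalidClientText(f"invalid {client_encoding} at byte {exc.start}") from exc


def filter_valid(inputs, client_encoding):
    """Split inputs into (accepted text, rejected raw bytes)."""
    accepted, rejected = [], []
    for raw in inputs:
        try:
            accepted.append(validate_client_text(raw, client_encoding))
        except InvalidClientText:
            rejected.append(raw)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    samples = [b"caf\xc3\xa9", b"name\xc0'x", b"trunc\xe4\xb8"]
    ok, bad = filter_valid(samples, "UTF8")
    print("accepted:", ok)
    print("rejected:", bad)
```

Rejected values should be logged and dropped, not repaired; the check complements the package update and does not replace it.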
Update packages.
N/A
SRPMS
- libpq-13.20-1.el9_5.src.rpm
MD5: ae310a2d9465a2a459610e5627b01300
SHA-256: 033673d14acfbb0623cff327b4a8e23a6c51478e3ff16c9a2b0f26ac9747d6ea
Size: 20.65 MB
Asianux Server 9 for x86_64
- libpq-13.20-1.el9_5.i686.rpm
MD5: c027730c41a10a1b7907abe084c7b63c
SHA-256: 531555c74cc3c8f628822d8cbd0096bdbd039dcc6e93046909bf585ab943f1a6
Size: 219.43 kB
- libpq-13.20-1.el9_5.x86_64.rpm
MD5: dc2d325c7ed3e8879069ac4f10be1498
SHA-256: ce732bde9ea83a0f789850ed4b7b7fdda230620ad873902ac3c7d886a42d2b00
Size: 211.46 kB
- libpq-devel-13.20-1.el9_5.i686.rpm
MD5: 91e633a44517cb0a2815bc33ee8bac51
SHA-256: eee89a0ba4084ce65def944df6915fd779e1517613b696b0adfa1cc5bb4d4a59
Size: 101.75 kB
- libpq-devel-13.20-1.el9_5.x86_64.rpm
MD5: fc3a74f350ea40ade7884884eef054d1
SHA-256: d6a7a2d60c3be4bb3c7ac6febbcdbba705b8401c88dbd02a19ad0ebcd2a8bf9b
Size: 100.72 kB