libpq-13.20-1.el8_10

エラータID: AXSA:2025-9707:02

Release date: 
Wednesday, February 26, 2025 - 10:47
Subject: 
libpq-13.20-1.el8_10
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

The libpq package provides the PostgreSQL client library, which allows client programs to connect to PostgreSQL servers.

Security Fix(es):

* postgresql: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation (CVE-2025-1094)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2025-1094
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.

Solution: 

Update packages.

CVEs: 
CVE-2025-1094
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
Additional Info: 

N/A

Download: 

SRPMS
  1. libpq-13.20-1.el8_10.src.rpm
    MD5: ddd2f526de76e0ebe38d4332fac0500e
    SHA-256: 8b9202130461e2b588156b8f6f8f5912efe766ee7595c75b7e6db6a3a3e54b96
    Size: 20.65 MB

Asianux Server 8 for x86_64
  1. libpq-13.20-1.el8_10.i686.rpm
    MD5: d31996c3e551385a34cae00c862b8469
    SHA-256: 1833f7bc062e17d29dd0377753d93211dcce7c0434ffc37da5f4515e97913fbd
    Size: 208.45 kB
  2. libpq-13.20-1.el8_10.x86_64.rpm
    MD5: 19d33c1e62fd481b9db5a4ebf78585ef
    SHA-256: fd4267d40ad4ca151b1c1d34c3267c1e24f4646b1a636528a9e23be98bc06ac8
    Size: 198.12 kB
  3. libpq-devel-13.20-1.el8_10.i686.rpm
    MD5: 836230c60e4a4ba76297d36b7f22bd7c
    SHA-256: 347002f02eafb30beade155e20b87a60073b8f05f6f0b19880c1e7a1863bec9d
    Size: 99.09 kB
  4. libpq-devel-13.20-1.el8_10.x86_64.rpm
    MD5: dff78aed357e359f2403338569a5c2fd
    SHA-256: e352b20065a280b92f8532e757a2e13bb52a537556ca8483abcc4990ae6d8214
    Size: 97.21 kB