postgresql:13 security update
Errata ID: AXSA:2025-10833:01
PostgreSQL is an advanced object-relational database management system (DBMS).
Security Fix(es):
* postgresql: PostgreSQL executes arbitrary code in restore operation (CVE-2025-8715)
* postgresql: PostgreSQL code execution in restore operation (CVE-2025-8714)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-8714
Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
CVE-2025-8715
Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.
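A pre-restore triage check for the vector both CVE entries describe, added here as an example and not taken from this advisory or from PostgreSQL: it lists line-leading psql meta-commands that fall outside COPY data in a plain-format dump. The allow-list, the function name and the sample dump are assumptions constructed for illustration; a quoted SQL body with a line that begins with a backslash is also reported, and meta-commands placed mid-line are not covered.

```python
import re

# Meta-commands this example treats as expected in a dump (an assumption):
# \connect from pg_dumpall, \restrict and \unrestrict from patched releases.
EXPECTED = {"connect", "restrict", "unrestrict"}
COPY_START = re.compile(r"^COPY\s.+\sFROM\s+stdin;\s*$", re.IGNORECASE)
META = re.compile(r"^\s*\\(\S*)")

# Constructed sample, not output of a real pg_dump run.
SAMPLE_DUMP = """\
--
-- PostgreSQL database dump
--
\\restrict constructedtoken
CREATE TABLE public.t (a text);
COPY public.t (a) FROM stdin;
\\N
\\.
-- Name: constructed
\\echo constructed-marker
\\unrestrict constructedtoken
"""


def find_unexpected_meta_commands(dump_text):
    """Return (line_number, line) for each backslash command outside COPY data."""
    findings = []
    in_copy = False
    # splitlines() also breaks on carriage returns, which is the cautious choice here.
    for number, line in enumerate(dump_text.splitlines(), start=1):
        if in_copy:
            # COPY data may start with a backslash (for example \N);
            # the block ends at a line holding only "\.".
            if line == "\\.":
                in_copy = False
            continue
        if COPY_START.match(line):
            in_copy = True
            continue
        match = META.match(line)
        if match and match.group(1) not in EXPECTED:
            findings.append((number, line))
    return findings


if __name__ == "__main__":
    for number, line in find_unexpected_meta_commands(SAMPLE_DUMP):
        print(f"line {number}: {line}")
```

Any finding means the dump should be inspected by hand before it is passed to psql; an empty result does not replace applying the update.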
Modularity name: "postgresql"
Stream name: "13"
Update packages.
SRPMS
- pgaudit-1.5.0-1.module+el8+1902+8983f0b6.src.rpm
  Size: 42.60 kB
- pg_repack-1.4.6-3.module+el8+1902+8983f0b6.src.rpm
  Size: 100.99 kB
- postgres-decoderbufs-0.10.0-2.module+el8+1902+8983f0b6.src.rpm
  Size: 21.13 kB
- postgresql-13.22-1.module+el8+1902+8983f0b6.src.rpm
  Size: 48.95 MB
Asianux Server 8 for x86_64
- pgaudit-1.5.0-1.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 27.03 kB
- pgaudit-debugsource-1.5.0-1.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 22.80 kB
- pg_repack-1.4.6-3.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 89.70 kB
- pg_repack-debugsource-1.4.6-3.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 49.69 kB
- postgres-decoderbufs-0.10.0-2.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 21.91 kB
- postgres-decoderbufs-debugsource-0.10.0-2.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 16.81 kB
- postgresql-13.22-1.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 1.57 MB
- postgresql-contrib-13.22-1.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 883.64 kB
- postgresql-debugsource-13.22-1.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 17.89 MB
- postgresql-docs-13.22-1.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 9.95 MB
- postgresql-plperl-13.22-1.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 112.94 kB
- postgresql-plpython3-13.22-1.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 129.28 kB
- postgresql-pltcl-13.22-1.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 85.81 kB
- postgresql-server-13.22-1.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 5.63 MB
- postgresql-server-devel-13.22-1.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 1.26 MB
- postgresql-static-13.22-1.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 190.62 kB
- postgresql-test-13.22-1.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 2.05 MB
- postgresql-test-rpm-macros-13.22-1.module+el8+1902+8983f0b6.noarch.rpm
  Size: 53.14 kB
- postgresql-upgrade-13.22-1.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 4.39 MB
- postgresql-upgrade-devel-13.22-1.module+el8+1902+8983f0b6.x86_64.rpm
  Size: 1.18 MB