rh-postgresql96-postgresql-9.6.19-1.el7

Errata ID: AXSA:2020-775:01

Release date: 
2020/10/22 Thursday - 07:08
Title: 
rh-postgresql96-postgresql-9.6.19-1.el7
Affected channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

PostgreSQL is an advanced object-relational database management system (DBMS).

The following packages have been upgraded to a later upstream version: rh-postgresql96-postgresql (9.6.19).

Security Fix(es):

* postgresql: TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution (CVE-2019-10208)

* postgresql: Uncontrolled search path element in CREATE EXTENSION (CVE-2020-14350)

* postgresql: Selectivity estimators bypass row security policies (CVE-2019-10130)

* postgresql: ALTER ... DEPENDS ON EXTENSION is missing authorization checks (CVE-2020-1720)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-10130
A vulnerability was found in PostgreSQL versions 11.x before 11.3, 10.x before 10.8, 9.6.x before 9.6.13 and 9.5.x before 9.5.17. PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of certain columns. Affected columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-level security prunes the set of rows visible to the attacker.
CVE-2019-10208
A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.
CVE-2020-14350
It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script during the installation or update of such an extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.
CVE-2020-1720
A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to drop objects such as functions and triggers, leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17.
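Two of the issues above (CVE-2019-10208 and CVE-2020-14350) are search_path problems: code that runs with someone else's privileges resolves unqualified names against a search_path the caller influences. Updating the packages fixes the server-side defects, but SECURITY DEFINER functions written without a pinned search_path remain a weak pattern regardless of version. The following SQL is an added example, not part of this advisory or of the PostgreSQL project's code; the schema `app`, table `app.accounts`, the functions and the role `app_reader` are assumed names. It shows the weak form beside the hardened form and ends with a catalog query a DBA can run on a 9.6 server to find SECURITY DEFINER functions that do not pin search_path.

```sql
-- Added example (assumed names: schema app, table app.accounts, role app_reader).
CREATE SCHEMA IF NOT EXISTS app;
CREATE TABLE IF NOT EXISTS app.accounts (
    id      integer PRIMARY KEY,
    balance numeric NOT NULL
);

-- Weak form: no search_path is set on the function, so every unqualified name
-- in the body (tables, functions, operators and, before the CVE-2019-10208 fix,
-- even types) is resolved against the search_path of whoever calls it.
-- The body runs as the function owner, so name shadowing by the caller
-- becomes code execution with the owner's privileges.
CREATE OR REPLACE FUNCTION app.get_balance_weak(acct integer) RETURNS numeric
LANGUAGE sql SECURITY DEFINER AS $$
    SELECT balance FROM accounts WHERE id = acct;
$$;

-- Hardened form: pin search_path to trusted schemas, listing pg_temp last and
-- explicitly so the caller's temporary schema can never be searched first.
-- Execution is also withheld from PUBLIC and granted only to the intended role.
CREATE OR REPLACE FUNCTION app.get_balance(acct integer) RETURNS numeric
LANGUAGE sql SECURITY DEFINER
SET search_path = app, pg_catalog, pg_temp
AS $$
    SELECT balance FROM accounts WHERE id = acct;
$$;

REVOKE EXECUTE ON FUNCTION app.get_balance(integer) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION app.get_balance(integer) TO app_reader;

-- Audit: SECURITY DEFINER functions outside the system schemas whose
-- per-function settings (pg_proc.proconfig, stored as "name=value" strings)
-- do not include a search_path entry. get_balance_weak is listed; get_balance is not.
SELECT n.nspname AS schema, p.proname AS function
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.prosecdef
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND  NOT EXISTS (
         SELECT 1 FROM unnest(p.proconfig) AS cfg
         WHERE cfg LIKE 'search_path=%'
       )
ORDER BY 1, 2;
```

The audit query is the part worth keeping: run it after applying the update, and treat every row it returns as a function to review, since `unnest(NULL)` yields no rows and the `NOT EXISTS` therefore flags functions with no per-function settings at all.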

Solution: 

Update packages.

Additional information: 

N/A

Download: 

SRPMS
  1. rh-postgresql96-postgresql-9.6.19-1.el7.src.rpm
    MD5: ec7353721ee82e3b6f8d2efbbe1e5b42
    SHA-256: 74499f21dfa22f4c1d6232f4f3eba6adfe349fc799261e7fa808194ef08e4019
    Size: 24.32 MB

Asianux Server 7 for x86_64
  1. rh-postgresql96-postgresql-9.6.19-1.el7.x86_64.rpm
    MD5: 2f00cbfc79b2bd1bced450ed9eddabd8
    SHA-256: c068c9e926f35c551b43d9aff61174042a91739acf75e98fc1a30117fd0682c9
    Size: 1.35 MB
  2. rh-postgresql96-postgresql-contrib-9.6.19-1.el7.x86_64.rpm
    MD5: f6b8795a7d8ab8c3e40e451a2f822e87
    SHA-256: a45da81831e959d534793f64cc12ae913a17c56a53b46bb136b4d02fd4740adb
    Size: 723.84 kB
  3. rh-postgresql96-postgresql-contrib-syspaths-9.6.19-1.el7.x86_64.rpm
    MD5: 8c42b7ca740108e7d8d17f9be237f1d1
    SHA-256: 678fef6b97ed9997785161ec0728c9a48cb3118365982732519edac66c3876f3
    Size: 40.81 kB
  4. rh-postgresql96-postgresql-devel-9.6.19-1.el7.x86_64.rpm
    MD5: 2619b8bf6042cb8b045c80901a37e90f
    SHA-256: 4effac16cade2c33a648912a29113e2c33ce587954ed8f19750b394e9952f445
    Size: 1.19 MB
  5. rh-postgresql96-postgresql-docs-9.6.19-1.el7.x86_64.rpm
    MD5: 1ef80aed0854c165f4a751a72934fc96
    SHA-256: 4c561e55f317b524361c8c8a7ffc7752a88cdde5fdf260d0d125381c4cc66732
    Size: 8.30 MB
  6. rh-postgresql96-postgresql-libs-9.6.19-1.el7.x86_64.rpm
    MD5: aa3f06f9c013a0631860934df41f54bc
    SHA-256: ed99c663e6a6f646b13e9870c29d6fe4a87f9941b2f9f2ff219efb95ce7ca073
    Size: 254.38 kB
  7. rh-postgresql96-postgresql-plperl-9.6.19-1.el7.x86_64.rpm
    MD5: 28a5672b8dee69271b4b4193a2415a4e
    SHA-256: 0205782e42655c607c8271fd089b2d126f0799d24546e889b0ebb27b357d3cd9
    Size: 90.38 kB
  8. rh-postgresql96-postgresql-plpython-9.6.19-1.el7.x86_64.rpm
    MD5: 3d4e4267003b6dd844a30330f776d688
    SHA-256: 4f34f7df92b2dea5eb96dcba4dbcd0d9db503db63f7353f81cab90769eb7bb28
    Size: 108.07 kB
  9. rh-postgresql96-postgresql-pltcl-9.6.19-1.el7.x86_64.rpm
    MD5: 436f91e725c5f8e10ceeada5f8083de1
    SHA-256: 36b62c10b6d9494633c6849667cea18dfe02017c0b50af007f74c5ecac709baf
    Size: 72.06 kB
  10. rh-postgresql96-postgresql-server-9.6.19-1.el7.x86_64.rpm
    MD5: e035d6c7119e5050d147d4c81ab243ea
    SHA-256: 5812960677c39548ba093982395a94ad2419ba927822fd55552b48c2f403e2c4
    Size: 4.82 MB
  11. rh-postgresql96-postgresql-server-syspaths-9.6.19-1.el7.x86_64.rpm
    MD5: 40331db4bc6fa79d19facf25204ce585
    SHA-256: 84cf4d1af8c03bac2774e08a13405f892f8abe7b3fa76f8e1bdad6e7fa9d7401
    Size: 42.29 kB
  12. rh-postgresql96-postgresql-static-9.6.19-1.el7.x86_64.rpm
    MD5: d4e50276f1f605970d97559234be9683
    SHA-256: 6bef39a7524f165fbbed2ad8f06de2e2471443d4e3ca43b03cdca4e999c1b1f3
    Size: 72.67 kB
  13. rh-postgresql96-postgresql-syspaths-9.6.19-1.el7.x86_64.rpm
    MD5: 68f26dc13743790bcb74836289fe1485
    SHA-256: 6dd0ebabdaa30f46c4e69785da26497d91a3ea629cf336fe486e38f520bdc33f
    Size: 42.70 kB
  14. rh-postgresql96-postgresql-test-9.6.19-1.el7.x86_64.rpm
    MD5: 026fadf7b422feb57005903bbf1ca5cc
    SHA-256: 3680bca0b1dd66d38c9c28e5a36d89ac8e70ff4477c8af8f03dddba94f203b78
    Size: 1.54 MB