rh-postgresql12-postgresql-12.4-1.0.1.el7.AXS7
エラータID: AXSA:2020-947:01
リリース日:
2020/11/24 Tuesday - 13:43
題名:
rh-postgresql12-postgresql-12.4-1.0.1.el7.AXS7
影響のあるチャネル:
Asianux Server 7 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- PostgreSQL には、ロジカルレプリケーションの際に search_path を
正しくサニタイズしない問題があり、認証された攻撃者がレプリケーションで
使用されるユーザーのコンテキストで任意の SQL コマンドを実行するために、
CVE-2018-1058 と似た攻撃をすることの出来る脆弱性があります。(CVE-2020-14349)
- PostgreSQL の拡張機能には、インストールスクリプトで search_path を
安全に利用しない問題があり、拡張機能のインストールや更新の際に、十分な
権限を持った攻撃者が管理者に巧妙に細工されたスクリプトを実行させることの
出来る脆弱性があります。(CVE-2020-14350)
- PostgreSQL の "ALTER ... DEPENDS ON EXTENSION" 文には、サブコマンドが
承認チェックを行わない問題があり、認証された攻撃者が特定の設定の場合に
関数やトリガなどのオブジェクトを削除し、データベースの破損を引き起こすことの
出来る脆弱性があります。(CVE-2020-1720)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2020-14349
It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication.
It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication.
CVE-2020-14350
It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.
It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.
CVE-2020-1720
A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17.
A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17.
追加情報:
N/A
ダウンロード:
SRPMS
- rh-postgresql12-postgresql-12.4-1.0.1.el7.AXS7.src.rpm
MD5: 8cb87a66e440c248df688a8f875d7b32
SHA-256: 4849833761655c695a5aaf74159d155fd4f803ccd208bff360a4f9be38242314
Size: 27.25 MB
Asianux Server 7 for x86_64
- rh-postgresql12-postgresql-12.4-1.0.1.el7.AXS7.x86_64.rpm
MD5: 7e420af67dce1a6f8fd2d04396cdedc4
SHA-256: b141595458e24b4255e474a8bdea0fced3f281c2a8729fb2d03fc2910714e20a
Size: 1.45 MB - rh-postgresql12-postgresql-contrib-12.4-1.0.1.el7.AXS7.x86_64.rpm
MD5: c0ea4ce216fdd87a283ab0f2af15c25c
SHA-256: 78572d156adec786371f668af4ab8463760106d73c919cc2c634d9905f14f485
Size: 826.22 kB - rh-postgresql12-postgresql-contrib-syspaths-12.4-1.0.1.el7.AXS7.x86_64.rpm
MD5: 395094ab94c5b0a1034391c241caa9d0
SHA-256: cdcab6fa1cec760fc3d9796143629f137c0980e81f51cba3f1aa79fc5639e73e
Size: 41.33 kB - rh-postgresql12-postgresql-devel-12.4-1.0.1.el7.AXS7.x86_64.rpm
MD5: 575ff40d39dd6aee1b11e6df08e3fcbc
SHA-256: a8ab3f6132bf28a40fa0015a1fbaa7bab8a74b5455603754a07fbec140f4e1fe
Size: 1.36 MB - rh-postgresql12-postgresql-docs-12.4-1.0.1.el7.AXS7.x86_64.rpm
MD5: 0ac61aa376d311e8680d17e83ca7f5ae
SHA-256: 86835657775e5229287933556f675c3a279af37c3e2114cc7fd9526cbfb10c01
Size: 9.39 MB - rh-postgresql12-postgresql-libs-12.4-1.0.1.el7.AXS7.x86_64.rpm
MD5: c10b5b3456a6dab1a8bccd78c478ac99
SHA-256: 2fd6527a2c3d743af25617c941f3fd3f1f7472110a3ac93942e507af25106d0b
Size: 307.40 kB - rh-postgresql12-postgresql-plperl-12.4-1.0.1.el7.AXS7.x86_64.rpm
MD5: 98f7843780331d1285434796de90b662
SHA-256: 541a6e3512cb7e78aab6c347def3512fb0623648a21f91df51002572586d32b5
Size: 93.64 kB - rh-postgresql12-postgresql-plpython-12.4-1.0.1.el7.AXS7.x86_64.rpm
MD5: 5afe5833e057a870c7a564235bf1aee8
SHA-256: 974f486042f1475bf15a257c97d356d32349b5e733f126c5ae1dbc8a751bfec6
Size: 116.02 kB - rh-postgresql12-postgresql-pltcl-12.4-1.0.1.el7.AXS7.x86_64.rpm
MD5: 22a5040c999e0e5c5c70ac98ac838dc0
SHA-256: 8553050d4e1fb0db927d3e23c3dffe7407982a11011b0d2b198184f9f416c6a5
Size: 72.19 kB - rh-postgresql12-postgresql-server-12.4-1.0.1.el7.AXS7.x86_64.rpm
MD5: 5a9f1cf62b3fcbeb5bf85a1a998c0d42
SHA-256: 1d447281d8038c577d90193061d823ee5979b585905dc7fb031b84ae8ac68a5d
Size: 5.40 MB - rh-postgresql12-postgresql-server-syspaths-12.4-1.0.1.el7.AXS7.x86_64.rpm
MD5: f229a48e7e853ebb4eb062688dc93ee9
SHA-256: 2bb564ef779015959803175dc65529b2996bc1b6b2a2ac7c4a268ce713600b82
Size: 43.14 kB - rh-postgresql12-postgresql-static-12.4-1.0.1.el7.AXS7.x86_64.rpm
MD5: c343efb5e6d21c7cc4ac052e1c73fb54
SHA-256: 28ad746d9423c1bb276da510c790392f3108cec3c237cf4b6fa6ddc0b7d2d1db
Size: 152.12 kB - rh-postgresql12-postgresql-syspaths-12.4-1.0.1.el7.AXS7.x86_64.rpm
MD5: 08e62baaec9e23a4a6023cc6b3f37d50
SHA-256: d607c648c070ae8f51d94f2adc8a31a590908eb56de2239dff87205c9f1cc575
Size: 42.64 kB - rh-postgresql12-postgresql-test-12.4-1.0.1.el7.AXS7.x86_64.rpm
MD5: cb29c6b6d07da51f28a30ea076ba873d
SHA-256: b9c219ce36760b58ade3eee0ec6ef79b12ff96ab22ad04fd9c37950b6d591afb
Size: 1.89 MB
English