postgresql:13 security update

エラータID: AXSA:2024-7390:01

リリース日: 
2024/01/15 Monday - 10:38
題名: 
postgresql:13 security update
影響のあるチャネル: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

以下項目について対処しました。

[Security Fix]
- PostgreSQL の拡張スクリプト機能には、ドル記号、クォート
記号、ダブルクォート記号などを用いた引用句内で @extowner@、
@extschema@、または @extschema:...@ を使用した場合、
SQL インジェクションが可能となる問題があるため、データ
ベース上で CREATE 句の実行が可能なリモートの攻撃者により、
細工された拡張機能のインストールを介して、特権昇格、および
任意のコードの実行を可能とする脆弱性が存在します。
(CVE-2023-39417)

- PostgreSQL の特定の集計関数には、リモートの攻撃者により、
型を指定していない文字列リテラルからの値の処理を介して、
情報の漏洩を可能とする脆弱性が存在します。(CVE-2023-5868)

- PostgreSQL には、SQL の配列変数の更新処理における整数
オーバーフローの問題があるため、認証されたリモートの攻撃者
により、細工されたデータを介して、任意のコードの実行を可能
とする脆弱性が存在します。(CVE-2023-5869)

- PostgreSQL の pg_cancel_backend ロールには、認証された
リモートの攻撃者により、細工された耐性の低いノンコア拡張
機能を介して、サービス拒否攻撃を可能とする脆弱性が存在
します。(CVE-2023-5870)

Modularity name: postgresql
Stream name: 13

解決策: 

パッケージをアップデートしてください。

CVE: 
CVE-2023-39417
IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.
CVE-2023-5868
A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory.
CVE-2023-5869
A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory.
CVE-2023-5870
A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack.
追加情報: 

N/A

ダウンロード: 

SRPMS
  1. pgaudit-1.5.0-1.module+el8+1708+c8b3aaf1.src.rpm
    MD5: 0bb29bf8e7900c73cc9f182e9f722338
    SHA-256: 27ea6798cc80ca86e4b5303b54a36091eff94501241ad4d6c049ce79cd90e3d3
    Size: 42.60 kB
  2. pg_repack-1.4.6-3.module+el8+1708+c8b3aaf1.src.rpm
    MD5: b1c4b9ae78bbc436ffe8aa945689b7a2
    SHA-256: 4be4428fe6e6f8e7a7e266a27edc804be98ef5264c8152343c717600138e66e2
    Size: 100.99 kB
  3. postgres-decoderbufs-0.10.0-2.module+el8+1708+c8b3aaf1.src.rpm
    MD5: eaa5cf7b309d2390ab51ff3467c01c06
    SHA-256: 2e93c0ee74b25488e17332a4c8bd8960a29db8d97097b4a54fa494da95b72a16
    Size: 21.13 kB
  4. postgresql-13.13-1.module+el8+1708+c8b3aaf1.src.rpm
    MD5: 9f652d40f7e89e080f2211044a90efea
    SHA-256: ca23e241e4697028e98b83668702fa4a207b6ec9dbae19eeab54906f088bd599
    Size: 48.24 MB

Asianux Server 8 for x86_64
  1. pgaudit-1.5.0-1.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: 14bbbc014a5af36a58fbc236b3e87ed6
    SHA-256: 54b4db867bc73b98cd762a38c41cade39e69e4022096d85ea5e29bcf75f9ecd0
    Size: 27.03 kB
  2. pgaudit-debugsource-1.5.0-1.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: 986c71271319373dd230936319301730
    SHA-256: c0fad58dff18e6cd9d20ddc6ce03e46e08b1d99ed2c28780bc68f3385e4812f6
    Size: 22.80 kB
  3. pg_repack-1.4.6-3.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: 5a0f3a654d08d5ac34f98196ca01205a
    SHA-256: 16a870aefda6eda8ebc4b5ea532abde2b42be271c748f25a8df3bf548948cdb5
    Size: 89.53 kB
  4. pg_repack-debugsource-1.4.6-3.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: 004b68fd428391e960f8d59681b18c2b
    SHA-256: eb205fe8c9c4cdbcce0c0015bcb3a45c784a97f3856a020386a83af643ffba1c
    Size: 49.69 kB
  5. postgres-decoderbufs-0.10.0-2.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: e8a1e3ddf5a6367004597b7254401348
    SHA-256: cc4253d4293b440dfff59f430544dade2c47af4a285a0f719144a7a3171e92cc
    Size: 21.90 kB
  6. postgres-decoderbufs-debugsource-0.10.0-2.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: 2b308de95cf9aa9e0c89d4bf26a56deb
    SHA-256: 61c1c7114ca1ea48ec7ffa3fbad84999d7efb8defd5848068ac11cf190979643
    Size: 16.81 kB
  7. postgresql-13.13-1.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: ed4c75367299a62bd91bc072145dff14
    SHA-256: 65c15f8cfe3dcb3be3d13d1a0d974312c66a17f88e15203b0987703f80584465
    Size: 1.53 MB
  8. postgresql-contrib-13.13-1.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: 4bd1c6f20c81aeca4fc6ceb22634866f
    SHA-256: 7d49a2f52699f2fb24b4fceb7cab19b42f4fd62fb25aa668be338cebe0d8960c
    Size: 882.06 kB
  9. postgresql-debugsource-13.13-1.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: 648c03a61d29b66d76f6dcc68af3a10f
    SHA-256: 0ef6a8711633ea307f1fcf1d1199866f382daf8fcbd4299ab5fc7a173e19355f
    Size: 17.68 MB
  10. postgresql-docs-13.13-1.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: 478d4aebae4cc303527eebf906715f4b
    SHA-256: 56e770a9a701dc36ca3f9702e1da049defee31f08ca9207d49615069aaa25f22
    Size: 9.79 MB
  11. postgresql-plperl-13.13-1.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: ae541e54d59382517bf35c9d984a0a4d
    SHA-256: 2b536de389f256c04b22e96efdde466c186fa81a796dd4c5fd7c40ae4d9db127
    Size: 112.45 kB
  12. postgresql-plpython3-13.13-1.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: 1a220dab356185ed855de3bf0d3032df
    SHA-256: fee8e77a56474933c7876a5d5c27b3a4073e685cc95349d749baeb567d1820b5
    Size: 128.97 kB
  13. postgresql-pltcl-13.13-1.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: a736c464cb54b4b4fb34391f467d7033
    SHA-256: 4ea3afd25c517a9d131ac0d6c929b7969b11d602fda939142b9a707649a250c3
    Size: 85.20 kB
  14. postgresql-server-13.13-1.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: d795d315027ed61ee02fdfcf963c6549
    SHA-256: 3b91fe68e9df3adfa7c9d838bfb9b787bcfa56353cb559e7f080e4a9252c4938
    Size: 5.60 MB
  15. postgresql-server-devel-13.13-1.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: 403dd38a91e483f7a3696d69a00fad96
    SHA-256: a2f97e2c574ad7783a6d2b3ec469cb17cde97aa5b945bc75b1d639834067e399
    Size: 1.25 MB
  16. postgresql-static-13.13-1.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: 28cbc2188c3c497c03fd274b5a96efa8
    SHA-256: 0ee0c97db6b01a6511b19042ffc87ea92d718e7c9fb5912281021fa47127f479
    Size: 189.55 kB
  17. postgresql-test-13.13-1.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: 62e365dac135d2e5e35e26c85e11d22f
    SHA-256: c00dd000c3ff08e2745782723f80d95e5a1b473f52c23fb403fa45e1c6c1b38c
    Size: 2.03 MB
  18. postgresql-test-rpm-macros-13.13-1.module+el8+1708+c8b3aaf1.noarch.rpm
    MD5: f7d4aad76a845a5c13a06b6d343a402d
    SHA-256: f10143ea8da206bd4a80319970b43a0e97a9025fd1e5b4849e5213dcb11220db
    Size: 52.73 kB
  19. postgresql-upgrade-13.13-1.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: 4706895430760189c10694eac6857a48
    SHA-256: 1814a295b64afaf23bd3b21039f2fad5d5dd90558249d4f2f93fbc07c0dba992
    Size: 4.37 MB
  20. postgresql-upgrade-devel-13.13-1.module+el8+1708+c8b3aaf1.x86_64.rpm
    MD5: 8f2bcd20a20d6b1b62bc20829ba3125b
    SHA-256: 411daf195312f674b4372993a485bd28fa376d59522f29c51ba574a85dee3e87
    Size: 1.10 MB