postgresql-13.14-1.el9_3
Errata ID: AXSA:2024-7559:01
Release date:
2024/02/29 Thursday - 11:21
Title:
postgresql-13.14-1.el9_3
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- PostgreSQL drops privileges late after REFRESH MATERIALIZED
VIEW CONCURRENTLY is executed, so a vulnerability exists that
allows a remote attacker to execute arbitrary SQL functions by
luring a user into running REFRESH MATERIALIZED VIEW
CONCURRENTLY on a crafted materialized view. (CVE-2024-0985)
Solution:
Update the packages.
CVE:
CVE-2024-0985
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
Additional information:
N/A
Download:
SRPMS
- postgresql-13.14-1.el9_3.src.rpm
Size: 48.54 MB
Asianux Server 9 for x86_64
- postgresql-13.14-1.el9_3.x86_64.rpm
Size: 1.58 MB
- postgresql-contrib-13.14-1.el9_3.x86_64.rpm
Size: 884.73 kB
- postgresql-docs-13.14-1.el9_3.x86_64.rpm
Size: 9.53 MB
- postgresql-plperl-13.14-1.el9_3.x86_64.rpm
Size: 74.29 kB
- postgresql-plpython3-13.14-1.el9_3.x86_64.rpm
Size: 93.57 kB
- postgresql-pltcl-13.14-1.el9_3.x86_64.rpm
Size: 48.12 kB
- postgresql-private-devel-13.14-1.el9_3.x86_64.rpm
Size: 62.73 kB
- postgresql-private-libs-13.14-1.el9_3.x86_64.rpm
Size: 132.14 kB
- postgresql-server-13.14-1.el9_3.x86_64.rpm
Size: 5.76 MB
- postgresql-server-devel-13.14-1.el9_3.x86_64.rpm
Size: 1.30 MB
- postgresql-static-13.14-1.el9_3.x86_64.rpm
Size: 143.96 kB
- postgresql-test-13.14-1.el9_3.x86_64.rpm
Size: 1.52 MB
- postgresql-upgrade-13.14-1.el9_3.x86_64.rpm
Size: 4.60 MB
- postgresql-upgrade-devel-13.14-1.el9_3.x86_64.rpm
Size: 1.20 MB