postgresql:15 security update
Errata ID: AXSA:2024-8739:01
Release date:
2024/08/30 Friday - 18:32
Title:
postgresql:15 security update
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- The built-in views pg_stats_ext and pg_stats_ext_exprs in
PostgreSQL carry an incorrect permission check, so database
statistics can be read without authorization. An unprivileged
database user can exploit this to read the statistics gathered
for other users' CREATE STATISTICS objects, which may disclose
column values or function results the user is not allowed to see.
(CVE-2024-4317)
- The pg_dump command in PostgreSQL has a Time-of-check
Time-of-use (TOCTOU) race condition that allows a relation of
another type to be replaced with a view or foreign table while
the dump is running. A database user who can create objects can
exploit this to execute arbitrary SQL functions as the user
running pg_dump, which is often a superuser.
(CVE-2024-7348)
Modularity name: postgresql
Stream name: 15
Solution:
Update the packages. Note that for CVE-2024-4317 the package update alone only protects clusters created with initdb after the update; existing databases must additionally have the view definitions corrected as described in the PostgreSQL release notes.
CVE:
CVE-2024-4317
Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
CVE-2024-7348
Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
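The two descriptions above have different remediation shapes: CVE-2024-7348 is fixed by the server and pg_dump binaries, whereas the CVE-2024-4317 fix lives in the definitions of two catalog views, so updating the RPMs and restarting does not fix clusters that were initdb'd before the update. The queries below are an added verification example; they are not part of this errata and not PostgreSQL project code. They assume psql access as a superuser, are meant to be run once per database, and the pg_has_role predicate they look for is the upstream view fix as understood here (the exact replacement CREATE OR REPLACE VIEW statements are in the PostgreSQL 15.7 release notes).

```sql
-- Added verification example (not from the advisory). Run as a superuser.

-- 1. Server binary level. The postgresql-15.8 packages in this errata fix both
--    CVEs; anything below 15.8 on the 15 stream still has the pg_dump TOCTOU bug.
SELECT current_setting('server_version_num')::int >= 150008 AS server_at_or_above_15_8;

-- 2. CVE-2024-7348 fix present? The patched release adds the
--    restrict_nonsystem_relation_kind setting, which pg_dump sets for itself.
--    On an unpatched server this fails with "unrecognized configuration parameter".
SHOW restrict_nonsystem_relation_kind;

-- 3. CVE-2024-4317, per database. The corrected views only show statistics
--    for tables whose owner role the caller holds (pg_has_role(c.relowner, 'USAGE'));
--    the old definition only checked column privileges on the stxkeys columns
--    and did not cover expression statistics. Assumption: the fixed definition
--    contains that predicate, so its absence means this database is still
--    carrying the pre-fix view and needs the release-notes script applied.
SELECT viewname,
       definition ILIKE '%pg_has_role(c.relowner%' AS has_owner_check
FROM   pg_views
WHERE  schemaname = 'pg_catalog'
  AND  viewname IN ('pg_stats_ext', 'pg_stats_ext_exprs')
ORDER  BY viewname;

-- 4. Which databases still need step 3? Connect to each of these in turn;
--    include template1 so that databases created later inherit the fix.
SELECT datname
FROM   pg_database
WHERE  datallowconn
ORDER  BY datname;
```

If step 3 reports has_owner_check = false in any database, apply the CREATE OR REPLACE VIEW statements from the 15.7 release notes there as a superuser; repeating the check afterwards should return true for both views. Step 2 is only a presence test for the patched server; it says nothing about whether the pg_dump client being used is also 15.8 or later, so check the client package version separately on hosts that run backups.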
Additional information:
N/A
Downloads:
SRPMS
- pgaudit-1.7.0-1.module+el8+1802+bfea2e18.src.rpm
MD5: 322b1f4d7f5e970709cac465d2d93155
SHA-256: dab0e5bcd43b97f0a9e3fefcbe36ccf7158f394ed1d5eb95ffd09c155ab67fb0
Size: 52.57 kB
- pg_repack-1.4.8-1.module+el8+1802+bfea2e18.src.rpm
MD5: c70bf6cad6b10ca615194879cd2e9ec9
SHA-256: 3236e0e50b3271279081472e7e4614c138d8897efddee0976cb019f1ffa5e2f5
Size: 102.55 kB
- postgres-decoderbufs-1.9.7-1.Final.module+el8+1802+bfea2e18.src.rpm
MD5: e9b33f4f3c51a0fcb87db7c4f03d8f42
SHA-256: 0f40d805c40bf4a6cf37c5e840b6f9298766665b8a947e72637d07409e47f0ab
Size: 23.30 kB
- postgresql-15.8-1.module+el8+1802+bfea2e18.src.rpm
MD5: f2bde0670eee5ee00487937c906d3cd5
SHA-256: c33979f3252238ec394d8cf49416191423b9851cbd8cfa211aead0b14c8027d3
Size: 46.96 MB
Asianux Server 8 for x86_64
- pgaudit-1.7.0-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: 8ec482d9df322f64222e02cb6e208ef6
SHA-256: a07aaa6f0a6fd9d889c081ba34a79b0de0f7063184f134da075ecec911c6d5cb
Size: 28.33 kB
- pgaudit-debugsource-1.7.0-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: 6c53e160ec67d7f911ebae664f5d82b6
SHA-256: 5561949ce06fc26b2a03b826991bd1a66232bb42c2da6346621409acad9640e6
Size: 24.12 kB
- pg_repack-1.4.8-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: cd9ff93a1e1f3ee148ed5dcc97599a17
SHA-256: da27c893db5fa36d43af00f283590c58b99489efe336500fde23b684a5537c97
Size: 94.12 kB
- pg_repack-debugsource-1.4.8-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: 635f246e43ef91c15a1633a85e7c8c93
SHA-256: d0d25fcde45ed9a3d8d50fe6c58bf85ffdfcd51263d27e130a7cddcd8b805ac2
Size: 50.55 kB
- postgres-decoderbufs-1.9.7-1.Final.module+el8+1802+bfea2e18.x86_64.rpm
MD5: 7263b7465c28ab2528a7e035d9b062ea
SHA-256: 582b53f9a3ddf8a5b96df29ed9488008de4e7648e0cc8a6f25a149ca34c9c838
Size: 23.83 kB
- postgres-decoderbufs-debugsource-1.9.7-1.Final.module+el8+1802+bfea2e18.x86_64.rpm
MD5: a3da617ce99384f38b9f5425005e085b
SHA-256: feaa11fb81d7bbde1deb30f1f5bee63d9171ba296f8d5dda59b28aa6e5c808e3
Size: 18.27 kB
- postgresql-15.8-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: b68ddef6232880e0a85b97d124d22bec
SHA-256: f36d69f5a97f7f5e8beedaeb4a1b9c9b4e3fa30d6b7b1dc4804461502290f8d9
Size: 1.69 MB
- postgresql-contrib-15.8-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: 96b909d60223867082c31b4280b46d06
SHA-256: 958aafd27553ac5328e0398c3e616a27c04fb9ffa3c24caceca6fe368c7a6dce
Size: 960.17 kB
- postgresql-debugsource-15.8-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: 31ff53e05fccbbbe994fcdafe5a08de9
SHA-256: 3b0c404bc01c168110c7494233e1cec1f22a5f6f2f1570e744961f760574fb9a
Size: 18.88 MB
- postgresql-docs-15.8-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: ea0f5bbd262cb8a35f0042d75c081f34
SHA-256: 1994ab9163512f113c9002be44ceafe24a12267a3a8d433de730a384c7df3b11
Size: 6.58 MB
- postgresql-plperl-15.8-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: 362712127a07d30d4c26f3545b0b8515
SHA-256: d9089af648e6914df94df9547eff449ca2544709db4b5360a36618f813637cf3
Size: 72.50 kB
- postgresql-plpython3-15.8-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: 4838dc98bf18406902d33b036228163b
SHA-256: 778ca1c262639b361921a1fab0df71cad9f09b93393fac124355efaac9039428
Size: 92.10 kB
- postgresql-pltcl-15.8-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: 447caea22b5f57bd677462e4c49f4b9a
SHA-256: 314b2946cdcfb972c555dca54d17a229ecd24f97a111d9a97b109183312f29d9
Size: 44.98 kB
- postgresql-private-devel-15.8-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: 4c29188cb02622f23a2d442a1a2874d1
SHA-256: ca8fe3e6f25cfa19c4fdf5653fe73e03bd7f91a8ff87a901eed68720eff2ee0f
Size: 63.92 kB
- postgresql-private-libs-15.8-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: 26f37e1bab2d1785189fc9016d1cc64e
SHA-256: 710a263dbe0e789273dde601823b7be0a47f13d405e6b2f843670acca073fe9b
Size: 131.92 kB
- postgresql-server-15.8-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: 69ac8335b32f8e463d1ba2f2e7643f87
SHA-256: fd65f9239feb638e8bc8570a228c45061883306da1a8f22aaa46cbbc7da7b2b6
Size: 6.13 MB
- postgresql-server-devel-15.8-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: d6cb9044106bb9e172c6e342e83be49c
SHA-256: 5251c41696433c0c3961f8dcf129811410adad770b0058addaba4f895c0fa721
Size: 1.36 MB
- postgresql-static-15.8-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: eafb0f5017423a493c4ec319ffb99917
SHA-256: 51783c4ebcd62848dc33f2a84f42f835510e56ab4c28f154546d8e95d788cd8b
Size: 152.76 kB
- postgresql-test-15.8-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: d76f10049978a45832a195d78d8fc482
SHA-256: 6640cfcaa8fafb9cb3dcc3d519d5c6be9a501a00cc7744ea6f2bf47282f68211
Size: 2.15 MB
- postgresql-test-rpm-macros-15.8-1.module+el8+1802+bfea2e18.noarch.rpm
MD5: d54f160e585c145ab371d969b072c779
SHA-256: 75d6cbd84bbf80778f4f762a78847e38efda9391d49222a10284332882832325
Size: 9.73 kB
- postgresql-upgrade-15.8-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: f5288db9b7253a2c77bbc6a954df1983
SHA-256: 60c3e84acdd85851db18021a8199345981c98468c29aca17de46708931935457
Size: 4.49 MB
- postgresql-upgrade-devel-15.8-1.module+el8+1802+bfea2e18.x86_64.rpm
MD5: a7cfa26100b04b49f15090fdc824cdc3
SHA-256: 8e52984a40a35bd595cd128ffaef546799632001ff6109a017cd60c51d9182a0
Size: 1.17 MB