postgresql:16 security update
Errata ID: AXSA:2024-8740:01
Release date:
2024/08/30 Friday - 19:04
Title:
postgresql:16 security update
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- The built-in views pg_stats_ext and pg_stats_ext_exprs in PostgreSQL lack a proper authorization check, so statistics collected by other users' CREATE STATISTICS commands can be read without permission. An authenticated but unprivileged database user can exploit this to obtain the most common values and other statistics, which may reveal column values the user cannot otherwise read or results of functions the user cannot execute. (CVE-2024-4317)
- pg_dump in PostgreSQL has a time-of-check time-of-use (TOCTOU) race condition: while the dump is running, a relation of another type can be replaced with a view or foreign table. A database user who can create objects can exploit this to execute arbitrary SQL functions with the privileges of the user running pg_dump, which is often a superuser. (CVE-2024-7348)
Modularity name: postgresql
Stream name: 16
Solution:
Update the packages. Note for CVE-2024-4317: installing the fixed version only protects clusters that are newly created with initdb afterwards; existing clusters remain vulnerable until the steps described in the PostgreSQL release notes have been applied to each of them.
CVE:
CVE-2024-4317
Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
CVE-2024-7348
Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
Additional information:
N/A
Downloads:
SRPMS
- pgaudit-16.0-1.module+el8+1803+7f6abfc3.src.rpm
MD5: 30c1f8305b7b0141c229720546090c2f
SHA-256: 31c64eb162e0623f7f78981a9a635559abd8e042ef4c02fa38212fbb37052fe1
Size: 52.51 kB
- pg_repack-1.4.8-1.module+el8+1803+7f6abfc3.src.rpm
MD5: 4e176ec9df167a134d5281596d29b0d4
SHA-256: bc7d5f5b0cd51d9f130d5b534e857ebf6891bc543b2c2cfcfd55be27ea7317e0
Size: 101.38 kB
- postgres-decoderbufs-2.4.0-1.Final.module+el8+1803+7f6abfc3.src.rpm
MD5: 7a50c8aab7474416c22e93a42f9892ca
SHA-256: 4d48ac6f0dd859b94c8c50c51faecb65e96ee40e238330091ce05acbb7dece88
Size: 21.11 kB
- postgresql-16.4-1.module+el8+1803+7f6abfc3.src.rpm
MD5: a6a11ba938f893f817fbcad479d416e8
SHA-256: e41c545245813cef811df7c32e06ea54c439ef16c2f5c12ba2a022449841d710
Size: 45.64 MB
Asianux Server 8 for x86_64
- pgaudit-16.0-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: 0e5bebd9ebc3307ed2d0c2249cfe2845
SHA-256: 56241ce0047fcadd8c865fb83e6868f2d21dd8ef2371d0a4011f9cd3fbe7b127
Size: 27.44 kB
- pgaudit-debugsource-16.0-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: e3ca1fbfddfaceb297070a65e76adc29
SHA-256: 06ccd0ab20543120afbc61c96fb8dd78176dcbec5cb71bf8ccc9b55bb95bfccb
Size: 23.57 kB
- pg_repack-1.4.8-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: 2e38bf31a0aafb99576969618498e756
SHA-256: b7d6942877cef98fb54f74eeb65e168012c88c4b2d80aa8043ec4167b679a7ad
Size: 93.23 kB
- pg_repack-debugsource-1.4.8-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: 588dd335cdb2070548195ce5c841ee66
SHA-256: fd9fb7538471a8f7bdde7422d19fd98049e1cc3bbec7632ae651912dda04a534
Size: 49.78 kB
- postgres-decoderbufs-2.4.0-1.Final.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: 60c8d10b3c5d7cd9343b653a44b389d5
SHA-256: af31a3adc91e4bda6a47701e4e935525d62f9069addb8728afa5fa2a39dcd2e0
Size: 22.13 kB
- postgres-decoderbufs-debugsource-2.4.0-1.Final.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: 5bbc6635d0e5e39fe605ce733aa21a45
SHA-256: f159dd7aa0c70c442fcf05c29aca0ead6c90e2753fd6e0913d778decb35ad5c1
Size: 16.73 kB
- postgresql-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: f9ff1d533c39ccc22f81b75f1a2eba70
SHA-256: 8255d6c41e2a39608f3764a3eb6a2713d4138d3a36b44f4d5ec8b5345abc3841
Size: 1.91 MB
- postgresql-contrib-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: d8adf79886576147f6af4e31f49468e4
SHA-256: 319ad9d9bb9228a13418b447aac177b91b99e2d16ff1101bb59856140a447363
Size: 0.97 MB
- postgresql-debugsource-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: af2d14f6e6ac362483b55d43d8391366
SHA-256: bf6fb616abb8b0dc98a10fbbefc039063425009b862eeff51066666d34636ded
Size: 19.80 MB
- postgresql-docs-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: f0549099432bc24db1dba99ca55a84a6
SHA-256: c84016287a09578a144857495d9ed334dc49b74080b6259c1f262756455ea0e3
Size: 2.47 MB
- postgresql-plperl-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: 30f3de77efa23db9fe78b450e92c0da2
SHA-256: 4aa66d7a968539fac3b7dc7632a063bbcd4a6dae528bffa7e6164fe091c6b454
Size: 74.71 kB
- postgresql-plpython3-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: d0d254e7bd1811058ccbb6604d835c94
SHA-256: 25a8773ca207dc2fefe14c2e2a2d3617e68f0c06d858f855a1e0f97c77afc858
Size: 93.45 kB
- postgresql-pltcl-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: 9c12f4d06a2e66e286d71b40a55168d7
SHA-256: 80b1526faafae49ecdc27cc32656a25d4cbdbbc3b792f0d3ad37dbf6e6dd633c
Size: 46.14 kB
- postgresql-private-devel-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: 6dd489e1bd65a12cbb37e2bb2fca0b40
SHA-256: 0f23c98e9d3ddd284aac63684c485041d912968116f4f540b4e347696eecd454
Size: 62.79 kB
- postgresql-private-libs-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: 6469bab8478be78ee536cdb79f31abfb
SHA-256: 269ab1c94a564df8116a51217637efb567633c7a1f8683d5f90aea8f5c3f12e3
Size: 134.87 kB
- postgresql-server-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: b4f7bf61cb6390a6c66833444bd68f11
SHA-256: c63e4b6895a99ef320257fd54d8c5de2c0691b6e21785246b915bf0e7ea4ef6a
Size: 6.82 MB
- postgresql-server-devel-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: e5897fba6541b97e2a5f75cbc1b90ba5
SHA-256: e08af8b5a066980454ac5ce3b7836380ce4f4de68c2cc55e0468d98c295b0f4e
Size: 1.40 MB
- postgresql-static-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: 1e1f29dc2ecd8e2b08cf84807eae2976
SHA-256: 02c9181df6408f9c26c8a537b41a1ed628d18e95019ce9a6b9c9f0ea70615669
Size: 155.21 kB
- postgresql-test-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: 99a719d837f9e1e4602dfd0fec46749d
SHA-256: ac4cb69d15c42890086f2b321078a5ea87952419beb13e68dae9f5f177ce9ef7
Size: 2.22 MB
- postgresql-test-rpm-macros-16.4-1.module+el8+1803+7f6abfc3.noarch.rpm
MD5: 95c915966f72e52cf111930adbd40061
SHA-256: b35b448ef37d4a1e9af245835fc9852f1c88eaf99d46b730f7a41e7509e6e6e0
Size: 9.76 kB
- postgresql-upgrade-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: 56f8d460f21e9b46dac6b36dd6474231
SHA-256: e160fd67414454aa3626a08e7c9d127993fecad8ce45353d6e1276b4ce58e74d
Size: 4.88 MB
- postgresql-upgrade-devel-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm
MD5: 2cbf4f24cfd8ff25b5342f459752fd91
SHA-256: f58d4247f74afa84b3a12c5b17c03f175e53dec10f047e3161c774c6abb211d8
Size: 1.32 MB
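The following is an added example, not part of this advisory and not code from the PostgreSQL project: a POSIX shell script that verifies downloaded RPMs against the SHA-256 values listed above (it embeds three of them; add the rest from the list as needed) and checks whether the installed postgresql-server package has reached the fixed release 16.4-1. The directory argument, the rpm query format and the choice of packages to check are assumptions about a typical Asianux Server 8 host; it does not cover the per-cluster view fix that CVE-2024-4317 requires on existing clusters, which must be applied as the PostgreSQL release notes describe.

```shell
#!/bin/sh
# Added example (not from the advisory): verify advisory RPMs by SHA-256 and
# check the installed postgresql-server version against the fixed release.

# Digests copied from the advisory's x86_64 download list. Extend as needed.
EXPECTED_SHA256='
postgresql-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm 8255d6c41e2a39608f3764a3eb6a2713d4138d3a36b44f4d5ec8b5345abc3841
postgresql-server-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm c63e4b6895a99ef320257fd54d8c5de2c0691b6e21785246b915bf0e7ea4ef6a
postgresql-contrib-16.4-1.module+el8+1803+7f6abfc3.x86_64.rpm 319ad9d9bb9228a13418b447aac177b91b99e2d16ff1101bb59856140a447363
'

# Fixed VERSION-RELEASE for postgresql-server in this advisory (assumed target).
FIXED_VR=16.4-1

# expected_sha256 NAME: print the advisory digest for RPM file NAME, or nothing.
expected_sha256() {
    printf '%s\n' "$EXPECTED_SHA256" | awk -v n="$1" '$1 == n { print $2 }'
}

# verify_sha256 FILE DIGEST: succeed only if FILE hashes to DIGEST.
verify_sha256() {
    [ -r "$1" ] || return 2
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# version_at_least HAVE WANT: succeed if HAVE >= WANT in version-sort order
# (GNU sort -V handles "16.4-1" style VERSION-RELEASE strings).
version_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_downloads DIR: verify every RPM in DIR that appears in the advisory list.
# Returns 1 if any listed file mismatches; unlisted files are reported and skipped.
check_downloads() {
    rc=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        want=$(expected_sha256 "$name")
        if [ -z "$want" ]; then
            echo "SKIP  $name (not in advisory list)"
            continue
        fi
        if verify_sha256 "$f" "$want"; then
            echo "OK    $name"
        else
            echo "FAIL  $name (SHA-256 mismatch: do not install)"
            rc=1
        fi
    done
    return $rc
}

# check_installed: compare the installed postgresql-server against FIXED_VR.
check_installed() {
    if ! rpm -q postgresql-server >/dev/null 2>&1; then
        echo "postgresql-server is not installed"
        return 2
    fi
    have=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' postgresql-server | head -n 1)
    if version_at_least "$have" "$FIXED_VR"; then
        echo "postgresql-server $have: at or above fixed release $FIXED_VR"
    else
        echo "postgresql-server $have: below $FIXED_VR, update required"
        return 1
    fi
}

# Usage: sh check_pg_update.sh /path/to/downloaded/rpms
if [ -n "${1:-}" ]; then
    check_downloads "$1"
    check_installed
fi
```

Run it with the directory holding the downloaded RPMs as its only argument; a FAIL line means the file does not match the advisory and should be discarded, while the final line reports whether the running host still needs the update. Only SHA-256 is used because the MD5 values in the list are not collision resistant and add nothing once SHA-256 matches.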