postgresql:15 security update
Errata ID: AXSA:2024-8741:01
Release date:
2024/08/30 Friday - 21:52
Title:
postgresql:15 security update
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
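The following issues have been addressed.
[Security Fix]
- The PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs
have incorrectly configured permissions, which allows database
statistics to be read without authorization. As a result, a remote
attacker can cause information disclosure by executing the
CREATE STATISTICS SQL statement.
(CVE-2024-4317)
- The PostgreSQL pg_dump command has a Time-of-check Time-of-use
(TOCTOU) race condition that allows another relation type to be
replaced with a view or foreign table. As a result, a remote
attacker can execute arbitrary SQL functions.
(CVE-2024-7348)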
Modularity name: postgresql
Stream name: 15
Solution:
Update the packages.
CVE:
CVE-2024-4317
Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
CVE-2024-7348
Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
Additional information:
N/A
Downloads:
SRPMS
- pgaudit-1.7.0-1.module+el9+1047+e57e4578.src.rpm
Size: 51.24 kB
- pg_repack-1.4.8-1.module+el9+1047+e57e4578.src.rpm
Size: 102.64 kB
- postgres-decoderbufs-1.9.7-1.Final.module+el9+1047+e57e4578.src.rpm
Size: 21.46 kB
- postgresql-15.8-1.module+el9+1047+e57e4578.src.rpm
Size: 50.78 MB
Asianux Server 9 for x86_64
- pgaudit-1.7.0-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 27.60 kB
- pgaudit-debugsource-1.7.0-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 22.30 kB
- pg_repack-1.4.8-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 90.92 kB
- pg_repack-debugsource-1.4.8-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 48.53 kB
- postgres-decoderbufs-1.9.7-1.Final.module+el9+1047+e57e4578.x86_64.rpm
Size: 22.88 kB
- postgres-decoderbufs-debugsource-1.9.7-1.Final.module+el9+1047+e57e4578.x86_64.rpm
Size: 16.55 kB
- postgresql-15.8-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 1.64 MB
- postgresql-contrib-15.8-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 916.31 kB
- postgresql-debugsource-15.8-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 15.28 MB
- postgresql-docs-15.8-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 9.71 MB
- postgresql-plperl-15.8-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 70.74 kB
- postgresql-plpython3-15.8-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 94.55 kB
- postgresql-pltcl-15.8-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 45.75 kB
- postgresql-private-devel-15.8-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 61.64 kB
- postgresql-private-libs-15.8-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 143.39 kB
- postgresql-server-15.8-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 6.23 MB
- postgresql-server-devel-15.8-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 1.25 MB
- postgresql-static-15.8-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 128.99 kB
- postgresql-test-15.8-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 1.59 MB
- postgresql-test-rpm-macros-15.8-1.module+el9+1047+e57e4578.noarch.rpm
Size: 9.49 kB
- postgresql-upgrade-15.8-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 4.75 MB
- postgresql-upgrade-devel-15.8-1.module+el9+1047+e57e4578.x86_64.rpm
Size: 1.05 MB