postgresql:16 security update
Errata ID: AXSA:2024-8742:01
Release date:
2024/08/30 Friday - 22:07
Title:
postgresql:16 security update
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- The PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs have incorrectly configured privileges that allow database statistics to be read without authorization. A remote attacker can exploit this through the execution of CREATE STATISTICS SQL statements to disclose information. (CVE-2024-4317)
- The PostgreSQL pg_dump command has a Time-of-check Time-of-use (TOCTOU) race condition that allows another relation type to be replaced with a view or foreign table. A remote attacker can exploit this to execute arbitrary SQL functions. (CVE-2024-7348)
Modularity name: postgresql
Stream name: 16
Solution:
Update the packages.
CVE:
CVE-2024-4317
Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
CVE-2024-7348
Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
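As an added check (example code, not part of this advisory), the following POSIX shell script compares the installed postgresql:16 packages against the fixed build listed in the download section and, for each database in a running cluster, reports whether the pg_stats_ext view has been re-created as the CVE-2024-4317 text requires, since the package update alone only fixes clusters created afterwards with initdb. Assumptions: sort -V ordering approximates rpm's version comparison for these strings, and the fixed catalog view gates rows on pg_has_role(c.relowner, 'USAGE') while the pre-fix view has no pg_has_role call (verify against your release's system_views.sql).

```shell
#!/bin/sh
# Added example for errata AXSA:2024-8742:01 (not part of the advisory itself).
# 1) compares installed postgresql:16 packages with the fixed build from the
#    advisory's package list (pg_dump for CVE-2024-7348 ships in "postgresql");
# 2) runs, in every database, a query telling whether the cluster still carries
#    the pre-CVE-2024-4317 pg_stats_ext view.

FIXED_VR="16.4-1.module+el9+1048+ae58183b"   # VERSION-RELEASE from the advisory
PACKAGES="postgresql postgresql-server postgresql-contrib"

# needs_update VR: true (exit 0) when VR sorts below FIXED_VR.
# Assumption: sort -V ordering matches rpm's comparison for these version strings.
needs_update() {
    [ "$1" = "$FIXED_VR" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_VR" | sort -V | head -n 1)
    [ "$lowest" = "$1" ]
}

# installed_vr PKG: prints VERSION-RELEASE of an installed package, empty if absent.
installed_vr() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null
}

# Per-database query. Assumption: the fixed catalog view references pg_has_role;
# the pre-fix view does not, so "f" means the release-notes fix script is still due.
STATS_EXT_SQL="SELECT current_database(), \
 pg_get_viewdef('pg_catalog.pg_stats_ext'::regclass) ~ 'pg_has_role' AS view_fixed;"

check_host() {
    for pkg in $PACKAGES; do
        vr=$(installed_vr "$pkg")
        [ -z "$vr" ] && continue
        if needs_update "$vr"; then
            echo "UPDATE NEEDED: $pkg-$vr (fixed build: $FIXED_VR)"
        else
            echo "ok: $pkg-$vr"
        fi
    done
    # Existing clusters: the view must have been re-created in every database.
    for db in $(psql -AtX -c "SELECT datname FROM pg_database WHERE datallowconn"); do
        psql -AtX -d "$db" -c "$STATS_EXT_SQL"
    done
}

# Run as: sh check_pg16_errata.sh --check   (as a user that can connect with psql)
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```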
Additional information:
N/A
Downloads:
SRPMS
- pgaudit-16.0-1.module+el9+1048+ae58183b.src.rpm (52.79 kB)
- pg_repack-1.4.8-1.module+el9+1048+ae58183b.src.rpm (101.67 kB)
- postgres-decoderbufs-2.4.0-1.Final.module+el9+1048+ae58183b.src.rpm (21.46 kB)
- postgresql-16.4-1.module+el9+1048+ae58183b.src.rpm (45.63 MB)
Asianux Server 9 for x86_64
- pgaudit-16.0-1.module+el9+1048+ae58183b.x86_64.rpm (27.76 kB)
- pgaudit-debugsource-16.0-1.module+el9+1048+ae58183b.x86_64.rpm (22.85 kB)
- pg_repack-1.4.8-1.module+el9+1048+ae58183b.x86_64.rpm (90.25 kB)
- pg_repack-debugsource-1.4.8-1.module+el9+1048+ae58183b.x86_64.rpm (47.95 kB)
- postgres-decoderbufs-2.4.0-1.Final.module+el9+1048+ae58183b.x86_64.rpm (21.99 kB)
- postgres-decoderbufs-debugsource-2.4.0-1.Final.module+el9+1048+ae58183b.x86_64.rpm (16.56 kB)
- postgresql-16.4-1.module+el9+1048+ae58183b.x86_64.rpm (1.84 MB)
- postgresql-contrib-16.4-1.module+el9+1048+ae58183b.x86_64.rpm (942.30 kB)
- postgresql-debugsource-16.4-1.module+el9+1048+ae58183b.x86_64.rpm (16.01 MB)
- postgresql-docs-16.4-1.module+el9+1048+ae58183b.x86_64.rpm (2.07 MB)
- postgresql-plperl-16.4-1.module+el9+1048+ae58183b.x86_64.rpm (72.81 kB)
- postgresql-plpython3-16.4-1.module+el9+1048+ae58183b.x86_64.rpm (96.33 kB)
- postgresql-pltcl-16.4-1.module+el9+1048+ae58183b.x86_64.rpm (47.20 kB)
- postgresql-private-devel-16.4-1.module+el9+1048+ae58183b.x86_64.rpm (60.83 kB)
- postgresql-private-libs-16.4-1.module+el9+1048+ae58183b.x86_64.rpm (142.42 kB)
- postgresql-server-16.4-1.module+el9+1048+ae58183b.x86_64.rpm (6.86 MB)
- postgresql-server-devel-16.4-1.module+el9+1048+ae58183b.x86_64.rpm (1.27 MB)
- postgresql-static-16.4-1.module+el9+1048+ae58183b.x86_64.rpm (131.51 kB)
- postgresql-test-16.4-1.module+el9+1048+ae58183b.x86_64.rpm (1.65 MB)
- postgresql-test-rpm-macros-16.4-1.module+el9+1048+ae58183b.noarch.rpm (9.75 kB)
- postgresql-upgrade-16.4-1.module+el9+1048+ae58183b.x86_64.rpm (5.10 MB)
- postgresql-upgrade-devel-16.4-1.module+el9+1048+ae58183b.x86_64.rpm (1.18 MB)