postgresql:16 security update

エラータID: AXSA:2024-9053:01

リリース日: 
2024/12/09 Monday - 18:51
題名: 
postgresql:16 security update
影響のあるチャネル: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

以下項目について対処しました。

[Security Fix]
- PostgreSQL には、クエリを再利用する際における誤った
行のセキュリティポリシーを適用してしまう問題があるため、
リモートの攻撃者により、行単位のセキュリティポリシーを
持つテーブルに対する特定のクエリや SQL 関数の実行を
介して、不正なデータの読み取りや更新を可能とする脆弱性
が存在します。(CVE-2024-10976)

- PostgreSQL には、リモートの攻撃者により、SET ROLE、
SET SESSION AUTHORIZATION、または同等の機能の利用を
介して、意図しない行の表示および更新を可能とする脆弱性
が存在します。(CVE-2024-10978)

- PostgreSQL の PL/Perl には、環境変数の処理の欠陥に
起因して PATH などの環境変数の変更を許容してしまう問題
があるため、権限のないリモートの攻撃者により、任意の
コードの実行を可能とする脆弱性が存在します。
(CVE-2024-10979)

Modularity name: postgresql
Stream name: 16

解決策: 

パッケージをアップデートしてください。

CVE: 
CVE-2024-10976
Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVE-2024-10978
Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVE-2024-10979
Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
追加情報: 

N/A

ダウンロード: 

SRPMS
  1. pgaudit-16.0-1.module+el8+1826+2d57e288.src.rpm
    MD5: 47af9d75b6d14a9907a90e3320637885
    SHA-256: f4b67966ae5eb96488bc5f5f6a5a4b4272e4c4e53eb04f924ed6fa20f859a8b1
    Size: 52.51 kB
  2. pg_repack-1.5.1-1.module+el8+1826+2d57e288.src.rpm
    MD5: 9aca3a699006afa4339015ccdaa4408e
    SHA-256: 2f4bd386d3ac37d54a23d15dfe512343122bded983b7cf3606883fa584e9d3e4
    Size: 104.88 kB
  3. postgres-decoderbufs-2.4.0-1.Final.module+el8+1826+2d57e288.src.rpm
    MD5: 51089a5b8f80dea40e3444a2dfa8036d
    SHA-256: 6eb6af8c913d68755050bb6786a87375f74e513c96d75faf3ec6772c20236e2c
    Size: 21.11 kB
  4. postgresql-16.6-1.module+el8+1826+2d57e288.src.rpm
    MD5: fcef732e62b8e370e79b0901ea6b20ca
    SHA-256: 04b3d9a6d9434920cdfd125e9eeaa3f0018a7a2d83d4a0d7f76c2ceaa2323a05
    Size: 45.74 MB

Asianux Server 8 for x86_64
  1. pgaudit-16.0-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: 211a97c9861c5cb1b3a9b54e00435ab7
    SHA-256: 953c50b2032ab569140a313d1b36d56de23e8467696fe9c139a024617f5a7230
    Size: 27.44 kB
  2. pgaudit-debugsource-16.0-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: 8df259265b5792dfdac70e68afbc4b25
    SHA-256: a0c739d4f2481041135fe10c4136c80337508e1a4962ef02d117042de3af2aba
    Size: 23.57 kB
  3. pg_repack-1.5.1-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: a93e24f068fb6b5668a52c04a74aee2f
    SHA-256: 6f0105de14203eafb2c43bd69ff40ba6a3c6030b44198cb4ad3ab0765e618c1e
    Size: 95.17 kB
  4. pg_repack-debugsource-1.5.1-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: d1754ad324db33aff4dfb5f21516fbd7
    SHA-256: b48c7bfe70691dab9c896b67a3ad421994d74bcc7a85bbd3d3dda16c5f5c78c7
    Size: 50.82 kB
  5. postgres-decoderbufs-2.4.0-1.Final.module+el8+1826+2d57e288.x86_64.rpm
    MD5: f3470e5832dff48fde7ad919891aa832
    SHA-256: 065eb847a62343aa99b271073b38f72b870c51b2db9dac3429cf667ab0d6f332
    Size: 22.13 kB
  6. postgres-decoderbufs-debugsource-2.4.0-1.Final.module+el8+1826+2d57e288.x86_64.rpm
    MD5: de5328499f3e1b2ca7775d2e2208fed2
    SHA-256: 5d2ecf2d0b346d9c6d4186d70bf10da81f7100a2b825900556910a01fc234cc7
    Size: 16.73 kB
  7. postgresql-16.6-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: 34aa2b75f9cbe7d86fb167ceff83d8a9
    SHA-256: 65ea41b970267d369c25c5d6e113eb3cd9c9b144ca3826ceaab12bb78fe92a71
    Size: 1.91 MB
  8. postgresql-contrib-16.6-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: 470b72fd349694656093392a4b86a449
    SHA-256: 03d3d1444856bd4fe9f63853fc964a82f89a31c3212d98e30c5a4f8900dd94cd
    Size: 0.97 MB
  9. postgresql-debugsource-16.6-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: c657666dcefb4c4d12c902d3733a4e3e
    SHA-256: 1085edc93fc80597524c423ea5a2dd8f880ee1d300d7f1570d3534ba787f431e
    Size: 19.84 MB
  10. postgresql-docs-16.6-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: 0c4e9f819f8dca6ab3cf9939ccb62756
    SHA-256: d2de97e36aa22176c78cd47b498aad09ea9f86055eabd413734e60da0cde0bb1
    Size: 2.49 MB
  11. postgresql-plperl-16.6-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: d9662f835754099dfc421e0c615cfced
    SHA-256: 494b500d74f410c4a82527d584a4f8a4c9e3eb03d9eebbd983eda92a5627a0fc
    Size: 75.02 kB
  12. postgresql-plpython3-16.6-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: 909c6e7e52367ebc90ef82880d730c66
    SHA-256: 0c2aefa6ab2dd3b510b827978e749cd160e4299e47f2bc952d433521ca6f0ea9
    Size: 93.68 kB
  13. postgresql-pltcl-16.6-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: 21d6df99285f2d6202b25caa94b9fb7a
    SHA-256: 61f0244bd6f4ed180f743d369d0d2a3ad225987c1779374bac0bc4c970d459a8
    Size: 46.36 kB
  14. postgresql-private-devel-16.6-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: 33b7afd693ccbb11e8ce020b4f210474
    SHA-256: 00aa99eacae72c397fc9cced1cfb16ab28b4a008812cd221d38e7c05a9cc18a1
    Size: 62.92 kB
  15. postgresql-private-libs-16.6-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: 01355e52b25c5ffb39058bdaa6b80ad7
    SHA-256: 84586a4edc1e650fcd71423b2fb7a07e2df39db94251f219ff8144d8e05e8ebd
    Size: 134.97 kB
  16. postgresql-server-16.6-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: 5d49c7a0343d8abb88dd1a84f2c36c33
    SHA-256: c17bb0b8dcc1ce6385d21e49c6600f0817e052a10e4b3063b9ad3b942e86c56f
    Size: 6.87 MB
  17. postgresql-server-devel-16.6-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: 1d3d4f6e5afde86f5a068c76e90502a0
    SHA-256: ff11ae5284a1090af0b95473f918669704e34b9ae49ee926dee7ebc47de665b3
    Size: 1.40 MB
  18. postgresql-static-16.6-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: 79effcab9aa4688faff6c054a35707f1
    SHA-256: 8d5bc4bc4573922c8e6f17b9f9a41a867e6982eaa4fbaff6fbaeca77a5cba1b8
    Size: 155.33 kB
  19. postgresql-test-16.6-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: afa3da7203882e49b4c79f6e6cf4be38
    SHA-256: 5749e6ecc37da3c8723ca9210f054dbb1159f746b35b63228a01fbe2821d2f4d
    Size: 2.23 MB
  20. postgresql-test-rpm-macros-16.6-1.module+el8+1826+2d57e288.noarch.rpm
    MD5: 14b565eb6ca65c7e8c032561e38e21c4
    SHA-256: 7ad50384015eea5f966f013480577f23343e2ce1a290722218aab90033c71103
    Size: 9.88 kB
  21. postgresql-upgrade-16.6-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: e2dbe08ab2536de1a6cb95c2fb245cd3
    SHA-256: 346525cc1862a777d7d010f2b31a11a29da976d0be0d9603e481deaba461cf14
    Size: 4.88 MB
  22. postgresql-upgrade-devel-16.6-1.module+el8+1826+2d57e288.x86_64.rpm
    MD5: 3bc39a969e37eb02666fee94ec562970
    SHA-256: c0c2e2e51bc7dcc2efdc84ee69a39800d07ca20fd9152ad9ec236c9e1ec772bc
    Size: 1.32 MB