postgresql:12 security update

エラータID: AXSA:2024-9121:01

リリース日: 
2024/12/11 Wednesday - 19:22
題名: 
postgresql:12 security update
影響のあるチャネル: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

以下項目について対処しました。

[Security Fix]
- PostgreSQL には、クエリを再利用する際における誤った
行のセキュリティポリシーを適用してしまう問題があるため、
リモートの攻撃者により、行単位のセキュリティポリシーを
持つテーブルに対する特定のクエリや SQL 関数の実行を
介して、不正なデータの読み取りや更新を可能とする脆弱性
が存在します。(CVE-2024-10976)

- PostgreSQL には、リモートの攻撃者により、SET ROLE、
SET SESSION AUTHORIZATION、または同等の機能の利用を
介して、意図しない行の表示および更新を可能とする脆弱性
が存在します。(CVE-2024-10978)

- PostgreSQL の PL/Perl には、環境変数の処理の欠陥に
起因して PATH などの環境変数の変更を許容してしまう問題
があるため、権限のないリモートの攻撃者により、任意の
コードの実行を可能とする脆弱性が存在します。
(CVE-2024-10979)

Modularity name: postgresql
Stream name: 12

解決策: 

パッケージをアップデートしてください。

CVE: 
CVE-2024-10976
Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVE-2024-10978
Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVE-2024-10979
Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
追加情報: 

N/A

ダウンロード: 

SRPMS
  1. pgaudit-1.4.0-7.module+el8+1829+046d4010.ML.1.src.rpm
    MD5: f7f0009ec8035a650be6baec6c39eafb
    SHA-256: 883b2b8f79b220dca2bf475d86c9ee2fe0108637c52499f467c19509b2b4aa1e
    Size: 42.40 kB
  2. pg_repack-1.4.6-3.module+el8+1829+046d4010.src.rpm
    MD5: 4df2ab4f62436d9d0daac31734c99b63
    SHA-256: 7a2c58c4ced4a17461da68408dffb24d67fd0837aa7beb928df39c2149cd8fda
    Size: 100.99 kB
  3. postgres-decoderbufs-0.10.0-2.module+el8+1829+046d4010.src.rpm
    MD5: 9377fd7c8b842f7426d8ded78652169a
    SHA-256: 658c2f37712d275c743da5be8cf65d0359966cb85a93d9431623a888807c7abb
    Size: 21.13 kB
  4. postgresql-12.22-1.module+el8+1829+046d4010.src.rpm
    MD5: 6f182c1b14b0d9d0a19ebd03a8999a3b
    SHA-256: 7a2387aa0a04f58eabe874c46297be3664a6ea542af9a858e92af9236b33bc9f
    Size: 46.71 MB

Asianux Server 8 for x86_64
  1. pgaudit-1.4.0-7.module+el8+1829+046d4010.ML.1.x86_64.rpm
    MD5: 8297cb9363740d1e79d020b5389fd1b8
    SHA-256: fcad6b6a81d168f3bb166ca578f27da08ab4beaea35b1f545a35d82c252dbf40
    Size: 27.11 kB
  2. pgaudit-debugsource-1.4.0-7.module+el8+1829+046d4010.ML.1.x86_64.rpm
    MD5: f5344065ef4b334d51e94f121606d57e
    SHA-256: 7b6b9340938a9fd82cc104e20de607efb83096b4ede2ee33188be95d9e52df6a
    Size: 23.04 kB
  3. pg_repack-1.4.6-3.module+el8+1829+046d4010.x86_64.rpm
    MD5: ef5b9f5913367a754193c468a0149fe8
    SHA-256: 38f17562a7d6e8cbb3d5389be366d6abcbc7134b9f3c3c3b3171c46c268b08e5
    Size: 89.18 kB
  4. pg_repack-debugsource-1.4.6-3.module+el8+1829+046d4010.x86_64.rpm
    MD5: c91c703921b390ec55125a25e662f2eb
    SHA-256: 49044f5a2947bf588d53e5d30efbd587c457db25336f38d02729418db5b2856a
    Size: 49.69 kB
  5. postgres-decoderbufs-0.10.0-2.module+el8+1829+046d4010.x86_64.rpm
    MD5: 7da329c6bef8ea6b8eb3fc7c03526747
    SHA-256: 2fdb765b9a2d2150474b37d49dd8e2a842aadd8bc3dbac95a6b04d0bb497acb1
    Size: 21.84 kB
  6. postgres-decoderbufs-debugsource-0.10.0-2.module+el8+1829+046d4010.x86_64.rpm
    MD5: 189ff2129ec8a24a96f5d539e7c7c8c6
    SHA-256: e01378b13bd3fbde4a36c71aac1316db0d2da7b9f0fd451233168959cf7729db
    Size: 16.81 kB
  7. postgresql-12.22-1.module+el8+1829+046d4010.x86_64.rpm
    MD5: b831cbd4ef3e4a395c03000f48850060
    SHA-256: d030c8c8d900125468610e0464494f0be1ee70417cecd1632212915f6a8c1817
    Size: 1.50 MB
  8. postgresql-contrib-12.22-1.module+el8+1829+046d4010.x86_64.rpm
    MD5: 8276ae873ce717b04d5ef8b31fa0c9d7
    SHA-256: 32020d61d40f0db70e219133fee10f6db3391797d4d49edec4cef8186a9e6615
    Size: 874.05 kB
  9. postgresql-debugsource-12.22-1.module+el8+1829+046d4010.x86_64.rpm
    MD5: 7cc3bdd90494b1c6de67361aed3ea716
    SHA-256: a342f9c1c7b5b905989a220bbaa60b0d2a8f9dab37e89199eb8a5c266fa117df
    Size: 16.98 MB
  10. postgresql-docs-12.22-1.module+el8+1829+046d4010.x86_64.rpm
    MD5: 7e1569bb556b5ae1839e28f96e51849f
    SHA-256: c77fa1f166cfa820fa767a016a063f49f8766dec00ee26ad4248567fba5a79f2
    Size: 9.85 MB
  11. postgresql-plperl-12.22-1.module+el8+1829+046d4010.x86_64.rpm
    MD5: f15d46353cd883db40e5580853a6582e
    SHA-256: e34cae6b4a387d58bc53a4265122434994f1e31510a698c125455406ab8f631a
    Size: 109.94 kB
  12. postgresql-plpython3-12.22-1.module+el8+1829+046d4010.x86_64.rpm
    MD5: 3c3c0f3087520b75a34202dedf626464
    SHA-256: f6f08989abe0da9dd1d6e76c28d9dcfdcd102211ad48efff2b0f51b17137b3ba
    Size: 129.85 kB
  13. postgresql-pltcl-12.22-1.module+el8+1829+046d4010.x86_64.rpm
    MD5: d4a6654c5344281d1998280fd6efcee2
    SHA-256: 00890cc04eeef4bc361b060f1782c4c9d3a58843fa92e7add3d8ed6173b7f6b6
    Size: 85.36 kB
  14. postgresql-server-12.22-1.module+el8+1829+046d4010.x86_64.rpm
    MD5: 3e43ec66a07e29970efd64d6b5c21dcb
    SHA-256: 1476fe395b7fa3dfe42c999d0222d0ff6f48cd2db430178d3bd39bd4a15885af
    Size: 5.55 MB
  15. postgresql-server-devel-12.22-1.module+el8+1829+046d4010.x86_64.rpm
    MD5: a837117d8a39a48f059c53f4b1d6f23d
    SHA-256: a1954529d66ea481b9d9417d9864a029c73fa156742e7f7fdf4bcebac42ba496
    Size: 1.23 MB
  16. postgresql-static-12.22-1.module+el8+1829+046d4010.x86_64.rpm
    MD5: ba647a03ec1dae3e4c0fa237f2d3a78d
    SHA-256: 6f81e49a77e425a3f7f563710f78a0a07188193ae9831b6ec48cee8e4cf870c2
    Size: 167.43 kB
  17. postgresql-test-12.22-1.module+el8+1829+046d4010.x86_64.rpm
    MD5: 1afafc9bf66cb9611c4d6691faddb8c6
    SHA-256: cfb4b236ada844707ff524c5da01c2fd514063db432ba8e662db5b388e28db4c
    Size: 1.96 MB
  18. postgresql-test-rpm-macros-12.22-1.module+el8+1829+046d4010.noarch.rpm
    MD5: c94eb2b2fe6ee3ac68cfedd99dabdfb1
    SHA-256: 931f308f5e770221613df86df14b0b464e12eb3cce5fc2eaa5fd8ce7789c27e8
    Size: 53.12 kB
  19. postgresql-upgrade-12.22-1.module+el8+1829+046d4010.x86_64.rpm
    MD5: f7206ae888231e7313eda27c9cb50f90
    SHA-256: c325ace7363bd711af47e4eadd1d05643407fb8c364fd71e61e9684a2cbfdc37
    Size: 4.07 MB
  20. postgresql-upgrade-devel-12.22-1.module+el8+1829+046d4010.x86_64.rpm
    MD5: 3a8507fbf40dc54eb7270c007f40fe84
    SHA-256: 96a59074da38f40436c94cd20e5921cc61d249f44aee15550b4fb3a8ecb07cb1
    Size: 1.13 MB