postgresql:16 security update

エラータID: AXSA:2024-9501:01

リリース日: 
2024/12/25 Wednesday - 19:07
題名: 
postgresql:16 security update
影響のあるチャネル: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

以下項目について対処しました。

[Security Fix]
- PostgreSQL には、クエリを再利用する際における誤った
行のセキュリティポリシーを適用してしまう問題があるため、
リモートの攻撃者により、行単位のセキュリティポリシーを
持つテーブルに対する特定のクエリや SQL 関数の実行を
介して、不正なデータの読み取りや更新を可能とする脆弱性
が存在します。(CVE-2024-10976)

- PostgreSQL には、リモートの攻撃者により、SET ROLE、
SET SESSION AUTHORIZATION、または同等の機能の利用を
介して、意図しない行の表示および更新を可能とする脆弱性
が存在します。(CVE-2024-10978)

- PostgreSQL の PL/Perl には、環境変数の処理の欠陥に
起因して PATH などの環境変数の変更を許容してしまう問題
があるため、権限のないリモートの攻撃者により、任意の
コードの実行を可能とする脆弱性が存在します。
(CVE-2024-10979)

Modularity name: postgresql
Stream name: 16

解決策: 

パッケージをアップデートしてください。

CVE: 
CVE-2024-10976
Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVE-2024-10978
Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVE-2024-10979
Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
追加情報: 

N/A

ダウンロード: 

SRPMS
  1. pgaudit-16.0-1.module+el9+1061+2f0de962.src.rpm
    MD5: ebdffabd3bff64ad803f7c81cc2ab899
    SHA-256: 03c5848752f2d6a8fc381c1859f6cdb217f93c311e1779491d57789cb86ce59c
    Size: 52.79 kB
  2. pg_repack-1.5.1-1.module+el9+1061+2f0de962.src.rpm
    MD5: e1282593c288afda788f98096b9cd887
    SHA-256: 8b054b3761b1a99d6c10ff4862f92ad96e01d1b512d64884f7e8639c80cefb01
    Size: 105.44 kB
  3. pgvector-0.6.2-1.module+el9+1061+2f0de962.src.rpm
    MD5: d7aa88d7bb3b84c976f86c4ffeb21ffa
    SHA-256: dabf414b7e03666db8ea8388dc80296088edff296b35e02794de803313a7eb77
    Size: 87.44 kB
  4. postgres-decoderbufs-2.4.0-1.Final.module+el9+1061+2f0de962.src.rpm
    MD5: 7120a724a41bd327d3b5baab4a345aca
    SHA-256: a09b81721ea56a501e2e88325911c9d1d62d3422187ae64565cc91e955ad48c0
    Size: 21.46 kB
  5. postgresql-16.6-1.module+el9+1061+2f0de962.src.rpm
    MD5: ac9df38ca2c36fb22ee9e65eb69375e1
    SHA-256: a53ab50421af4aa0441d95d7e375303a9b78108ccf00b2dfc7c45f54d856dca8
    Size: 45.75 MB

Asianux Server 9 for x86_64
  1. pgaudit-16.0-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: 8d4a3a6b5b56d40e568efd2820c3a96b
    SHA-256: 69f53409b7221fa4f4b7120d18b5381cec941e4f47f70a0b053f3b5271bc20c6
    Size: 27.75 kB
  2. pgaudit-debugsource-16.0-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: 154589cdd79729f8503c54a968b4c5aa
    SHA-256: 3ab20dd5372002a8486aed4f380b97ae628d28166ceaea1e634f7cd73aa7c1fe
    Size: 22.84 kB
  3. pg_repack-1.5.1-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: c87b976df0b064c3cbe2589897ab99e7
    SHA-256: 44a6d4d3c41ab8bbd9c4d403a1697738b11156181986794e545f5e1756bbd9c6
    Size: 92.13 kB
  4. pg_repack-debugsource-1.5.1-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: 2700360914139c49b06c9025a5644d55
    SHA-256: 322894a6f25bc7d701f0c070b6c5188a4e2c4e764d1676f8b9004daca646589d
    Size: 49.04 kB
  5. pgvector-0.6.2-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: 17c19d1896bd8f67466837c15953a13f
    SHA-256: 0a6650578409a7302be7a5773d8cfb1dfe13889db160b45cdd102a14be4ff5a3
    Size: 82.15 kB
  6. pgvector-debugsource-0.6.2-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: dbf92afa0c2f1ad0e5472c8e45922c37
    SHA-256: 33bf3c745a745309ea6d67c0b14a2f6d243ad2ea911ea0905886176a24715846
    Size: 54.75 kB
  7. postgres-decoderbufs-2.4.0-1.Final.module+el9+1061+2f0de962.x86_64.rpm
    MD5: 2563009f655f6b30d962265f6700754f
    SHA-256: 89db9c448257086537efd7ba43b3c5f954682160eb29be7d58920f3cf6afdf64
    Size: 21.96 kB
  8. postgres-decoderbufs-debugsource-2.4.0-1.Final.module+el9+1061+2f0de962.x86_64.rpm
    MD5: b94cc8b6137d4da50a54cd45843cb80d
    SHA-256: 6f3c91504b2cfe4beed7bb97bd769277c78aa06d1e0c0c81afa07238b07f27ad
    Size: 16.56 kB
  9. postgresql-16.6-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: d0698b160e1193547c31e7abe6a94323
    SHA-256: 5888e88f6bc2fcf994a2d3bdeea2ca094fbbf7bbc37d71c63af9ebc71b787791
    Size: 1.91 MB
  10. postgresql-contrib-16.6-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: 898e0e65b121a7eee6ea6a94cb2e844f
    SHA-256: 8d86c33b9493b99df7ad94a147327851edfb0fa6415e33f214cff142ee1eee5c
    Size: 1.01 MB
  11. postgresql-debugsource-16.6-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: e184bd557bbf31a0fc6f5d678334d927
    SHA-256: 6031f29043f19d5d5241f9f3f9a06460818a2ddb4e254bfc49266baad5c45df4
    Size: 16.94 MB
  12. postgresql-docs-16.6-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: 04d6c74642eb3f47c206b4adffcf2228
    SHA-256: 126c45150956759e77877fda0face6190ad4fd7c11976e6edb41b8a4d686d961
    Size: 2.34 MB
  13. postgresql-plperl-16.6-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: 9abcb832d82074be3824b9d07f59aa75
    SHA-256: f6d9d60da5af478f5d95a8dadfb827e681e9eda10a0a23c865cdf223d084cc5d
    Size: 80.64 kB
  14. postgresql-plpython3-16.6-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: ab2e5d21fcd53bd662be3b1e3adf8306
    SHA-256: b212877179550a2af9ce1559c7d07c570f479a2894d82425a0dcc76ec00eb561
    Size: 102.31 kB
  15. postgresql-pltcl-16.6-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: 4473d5d89c70b37a038ddeb67541e84b
    SHA-256: b26189a7ab5f089610cd96d20958f9d0921b13560d11ca5055e54295bf7800cd
    Size: 53.82 kB
  16. postgresql-private-devel-16.6-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: c036214549930b34c2534eaae8eb9f2a
    SHA-256: 99cced065669f4bfba5cce07f3d6ee31ed93fdaf0a340ad726389c7696b80a49
    Size: 65.89 kB
  17. postgresql-private-libs-16.6-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: 3a0d01a9bc2a31814c110959d48ab5af
    SHA-256: 51814066311a3fe2b7daa1efd225fd479dc4dc501bb8fa6fee15f2cc633bea45
    Size: 142.62 kB
  18. postgresql-server-16.6-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: 40493fe4765487adc7cd62664e934a04
    SHA-256: 0c98fd8fa44d96b9885274c7d9ba0f88188288cf11eda623188e33f9cca4d2d1
    Size: 6.97 MB
  19. postgresql-server-devel-16.6-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: 830c9f38d8003be75eb33f824fe6a5e7
    SHA-256: 40292ff6e9c7018306aca7bf8b7ead3f9271a79c76b233e38a1b5e1455a0afc7
    Size: 1.48 MB
  20. postgresql-static-16.6-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: f61ebb004ed490fa0cafa4b04f422b0f
    SHA-256: 169d9561c47e263336a4d9c0d05d2d8260d64d389436a19bf7b21c4ee7ca4be4
    Size: 131.37 kB
  21. postgresql-test-16.6-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: 41a5571e2ff9c76616d6b905ad959bb1
    SHA-256: a82f3994f74b5dbad28438abb62dbeb532daab141c8968e366ee6c05e33c0fa9
    Size: 1.77 MB
  22. postgresql-test-rpm-macros-16.6-1.module+el9+1061+2f0de962.noarch.rpm
    MD5: 4e1c76b0e37b335642d79c708d7b05df
    SHA-256: e203551a1bb9208ebf25f6296616107df1f03f6465e1b5939302457963f677ab
    Size: 9.85 kB
  23. postgresql-upgrade-16.6-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: 29000dfeda7ac5426ddc1f21951ae138
    SHA-256: 1f00b274f7b9b0e318a633f68ccd180e00d2bdc6f3f78f34b3113fca94765925
    Size: 5.14 MB
  24. postgresql-upgrade-devel-16.6-1.module+el9+1061+2f0de962.x86_64.rpm
    MD5: 33b309f3bfe15a2db8bd2373dc3a03cb
    SHA-256: 28e09575553e2a378fe3f8a611b806bc050dc5a33f323a890ec34a742b5846b6
    Size: 1.38 MB