libpq-13.20-1.el8_10
エラータID: AXSA:2025-9707:02
リリース日:
2025/02/26 Wednesday - 10:47
題名:
libpq-13.20-1.el8_10
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- PostgreSQL の libpq の PQescapeLiteral()、
PQescapeIdentifier()、PQescapeString()、および
PQescapeStringConn() 関数には、client_encoding 値が BIG5、
かつ server_encoding 値が EUC_TW または MULE_INTERNAL の
いずれかの場合、引用構文を誤って無効化してしまう問題がある
ため、リモートの攻撃者により、細工されたアプリケーションの
実行を介して、SQL インジェクションを可能とする脆弱性が存在
します。(CVE-2025-1094)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2025-1094
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
追加情報:
N/A
ダウンロード:
SRPMS
- libpq-13.20-1.el8_10.src.rpm
MD5: ddd2f526de76e0ebe38d4332fac0500e
SHA-256: 8b9202130461e2b588156b8f6f8f5912efe766ee7595c75b7e6db6a3a3e54b96
Size: 20.65 MB
Asianux Server 8 for x86_64
- libpq-13.20-1.el8_10.i686.rpm
MD5: d31996c3e551385a34cae00c862b8469
SHA-256: 1833f7bc062e17d29dd0377753d93211dcce7c0434ffc37da5f4515e97913fbd
Size: 208.45 kB - libpq-13.20-1.el8_10.x86_64.rpm
MD5: 19d33c1e62fd481b9db5a4ebf78585ef
SHA-256: fd4267d40ad4ca151b1c1d34c3267c1e24f4646b1a636528a9e23be98bc06ac8
Size: 198.12 kB - libpq-devel-13.20-1.el8_10.i686.rpm
MD5: 836230c60e4a4ba76297d36b7f22bd7c
SHA-256: 347002f02eafb30beade155e20b87a60073b8f05f6f0b19880c1e7a1863bec9d
Size: 99.09 kB - libpq-devel-13.20-1.el8_10.x86_64.rpm
MD5: dff78aed357e359f2403338569a5c2fd
SHA-256: e352b20065a280b92f8532e757a2e13bb52a537556ca8483abcc4990ae6d8214
Size: 97.21 kB
English