postgresql:16 security update
Errata ID: AXSA:2025-10816:01
PostgreSQL is an advanced object-relational database management system (DBMS).
Security Fix(es):
* postgresql: PostgreSQL executes arbitrary code in restore operation (CVE-2025-8715)
* postgresql: PostgreSQL code execution in restore operation (CVE-2025-8714)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-8714
Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
CVE-2025-8715
Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.
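Added example (not part of this advisory or of PostgreSQL): a heuristic pre-restore check that lists lines in a plain-format dump which begin with a psql meta-command outside COPY data, the restore-time vector both CVE descriptions name. The function name scan_dump, the allowlist and the sample dump are assumptions constructed for illustration.

```python
import re

# Assumption of this example: the only meta-commands a restore operator
# expects in a plain-format dump are \connect and the \restrict/\unrestrict
# pair written by patched pg_dump releases. Adjust to local practice.
EXPECTED = {"connect", "restrict", "unrestrict"}
COPY_START = re.compile(r"^COPY .* FROM stdin;\s*$")
META = re.compile(r"^\s*\\(\w+|\S)")  # backslash command at start of a line


def scan_dump(text):
    """Return [(line_no, line)] for unexpected meta-command lines."""
    findings = []
    in_copy = False
    # Split on \n, \r\n and bare \r so a carriage return cannot hide a line.
    for no, line in enumerate(re.split(r"\r\n|[\r\n]", text), 1):
        if in_copy:
            # COPY data may start with a backslash (\N); "\." ends the block.
            if line == "\\.":
                in_copy = False
            continue
        if COPY_START.match(line):
            in_copy = True
            continue
        m = META.match(line)
        if m and m.group(1) not in EXPECTED:
            findings.append((no, line))
    return findings


# Constructed sample dump, not output from a real server.
SAMPLE = "\n".join([
    r"\restrict CONSTRUCTEDTOKEN",
    r"\connect appdb",
    "CREATE TABLE public.t (a text, b text);",
    r"\echo constructed-unexpected-line",
    "COPY public.t (a, b) FROM stdin;",
    r"\N" + "\tvalue",
    r"\.",
    r"\unrestrict CONSTRUCTEDTOKEN",
])

if __name__ == "__main__":
    for no, line in scan_dump(SAMPLE):
        print(f"line {no}: unexpected meta-command: {line}")
```

A reported line means the dump should be reviewed by hand before it is passed to psql. The check is line-based, so a backslash line inside a multi-line string literal is reported as well.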
Modularity name: "postgresql"
Stream name: "16"
Update packages.
N/A
SRPMS
- pgaudit-16.0-1.module+el8+1898+86416578.src.rpm
Size: 52.51 kB
- pg_repack-1.5.1-1.module+el8+1898+86416578.src.rpm
Size: 104.88 kB
- postgres-decoderbufs-2.4.0-1.Final.module+el8+1898+86416578.src.rpm
Size: 21.11 kB
- postgresql-16.10-1.module+el8+1898+86416578.src.rpm
Size: 45.94 MB
Asianux Server 8 for x86_64
- pgaudit-16.0-1.module+el8+1898+86416578.x86_64.rpm
Size: 27.44 kB
- pgaudit-debugsource-16.0-1.module+el8+1898+86416578.x86_64.rpm
Size: 23.57 kB
- pg_repack-1.5.1-1.module+el8+1898+86416578.x86_64.rpm
Size: 95.37 kB
- pg_repack-debugsource-1.5.1-1.module+el8+1898+86416578.x86_64.rpm
Size: 50.82 kB
- postgres-decoderbufs-2.4.0-1.Final.module+el8+1898+86416578.x86_64.rpm
Size: 22.12 kB
- postgres-decoderbufs-debugsource-2.4.0-1.Final.module+el8+1898+86416578.x86_64.rpm
Size: 16.73 kB
- postgresql-16.10-1.module+el8+1898+86416578.x86_64.rpm
Size: 1.95 MB
- postgresql-contrib-16.10-1.module+el8+1898+86416578.x86_64.rpm
Size: 0.98 MB
- postgresql-debugsource-16.10-1.module+el8+1898+86416578.x86_64.rpm
Size: 19.89 MB
- postgresql-docs-16.10-1.module+el8+1898+86416578.x86_64.rpm
Size: 2.51 MB
- postgresql-plperl-16.10-1.module+el8+1898+86416578.x86_64.rpm
Size: 75.14 kB
- postgresql-plpython3-16.10-1.module+el8+1898+86416578.x86_64.rpm
Size: 93.76 kB
- postgresql-pltcl-16.10-1.module+el8+1898+86416578.x86_64.rpm
Size: 46.41 kB
- postgresql-private-devel-16.10-1.module+el8+1898+86416578.x86_64.rpm
Size: 63.37 kB
- postgresql-private-libs-16.10-1.module+el8+1898+86416578.x86_64.rpm
Size: 135.27 kB
- postgresql-server-16.10-1.module+el8+1898+86416578.x86_64.rpm
Size: 6.89 MB
- postgresql-server-devel-16.10-1.module+el8+1898+86416578.x86_64.rpm
Size: 1.40 MB
- postgresql-static-16.10-1.module+el8+1898+86416578.x86_64.rpm
Size: 156.16 kB
- postgresql-test-16.10-1.module+el8+1898+86416578.x86_64.rpm
Size: 2.24 MB
- postgresql-test-rpm-macros-16.10-1.module+el8+1898+86416578.noarch.rpm
Size: 10.03 kB
- postgresql-upgrade-16.10-1.module+el8+1898+86416578.x86_64.rpm
Size: 4.90 MB
- postgresql-upgrade-devel-16.10-1.module+el8+1898+86416578.x86_64.rpm
Size: 1.33 MB