Ubuntu alert USN-7132-1 (postgresql-12, postgresql-14, postgresql-16)
| From: | Marc Deslauriers <marc.deslauriers@canonical.com> | |
| To: | "ubuntu-security-announce@lists.ubuntu.com" <ubuntu-security-announce@lists.ubuntu.com> | |
| Subject: | [USN-7132-1] PostgreSQL vulnerabilities | |
| Date: | Mon, 02 Dec 2024 09:39:07 -0500 | |
| Message-ID: | <639ba5c3-3b64-4676-a323-9c4856e89945@canonical.com> |
========================================================================== Ubuntu Security Notice USN-7132-1 December 02, 2024 postgresql-12, postgresql-14, postgresql-16 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in PostgreSQL. Software Description: - postgresql-16: Object-relational SQL database - postgresql-14: Object-relational SQL database - postgresql-12: Object-relational SQL database Details: It was discovered that PostgreSQL incorrectly tracked tables with row security. A remote attacker could possibly use this issue to perform forbidden reads and modifications. (CVE-2024-10976) Jacob Champion discovered that PostgreSQL clients used untrusted server error messages. An attacker that is able to intercept network communications could possibly use this issue to inject error messages that could be interpreted as valid query results. (CVE-2024-10977) Tom Lane discovered that PostgreSQL incorrectly handled certain privilege assignments. A remote attacker could possibly use this issue to view or change different rows from those intended. (CVE-2024-10978) Coby Abrams discovered that PostgreSQL incorrectly handled environment variables. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2024-10979) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.10 postgresql-16 16.6-0ubuntu0.24.10.1 postgresql-client-16 16.6-0ubuntu0.24.10.1 Ubuntu 24.04 LTS postgresql-16 16.6-0ubuntu0.24.04.1 postgresql-client-16 16.6-0ubuntu0.24.04.1 Ubuntu 22.04 LTS postgresql-14 14.15-0ubuntu0.22.04.1 postgresql-client-14 14.15-0ubuntu0.22.04.1 Ubuntu 20.04 LTS postgresql-12 12.22-0ubuntu0.20.04.1 postgresql-client-12 12.22-0ubuntu0.20.04.1 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart PostgreSQL to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7132-1 CVE-2024-10976, CVE-2024-10977, CVE-2024-10978, CVE-2024-10979 Package Information: https://launchpad.net/ubuntu/+source/postgresql-16/16.6-0... https://launchpad.net/ubuntu/+source/postgresql-16/16.6-0... https://launchpad.net/ubuntu/+source/postgresql-14/14.15-... https://launchpad.net/ubuntu/+source/postgresql-12/12.22-...
Attachment: OpenPGP_signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAmdNxosACgkQZWnYVadE vpMuLQ//SLwPd4mBA3pflL/hTx0qwTurzVHa0Z5q1gKqLM1CS2K9EVV+EEDPjRV0 Sx/fegntW80z78jSPztFVXtRURUv3BM71tcXmkpSlEDUolIXN7EjvvQsb2W+XFng a4uNbTlp3k83PC3Yt8T+v+iX+yTBIFVeBhiKu6ZaIJq6QoXOaXD3tCVjCMjuJSN/ l6i98WUNyk8b2SwDmJ5dSWVDtIIGfVXqUB8q4u42ctMffovtGDDQj/nnQxx3Jh9S ycazeuj5yCyNeVzacRS1+7aWHlW/CZDVOFr72E8TDFbF2T761jn6peeXLlM+KIKv qzYoVOOoj6QyX2vunX8HeyTZdvB7427M6oCxv2voLJJ30rOa61h4Hv751BJU/nMV AC4tEbETFXFYRFqh0RF7lnGX719IllA3swyehoPwdTJ+1sTTijnUPAXXwEuvdmui FuEo+cPcNmvdQCSP8Sf9Sa4SWSYfZcPgbHODZ5EMO5R7ceO3x6MpPm6Ee7a0I67q F5vpg1vRKfIHRjKl/0//NsJRchduqvhog9KHYaqH5xr5nFLa9/VtrmjCDfzLSgj3 1UZ1h6IVxzalE1mZHzF4CfrV8d5R3XSqXM6ux798lOUOSj75cZms5tAafUMRO8ly RFxRGRr4OvktJWbCKhF7vP7YNV+hpEAsal8csFcrPbfi6cCvWd0= =TkR2 -----END PGP SIGNATURE-----
Attachment: None (type=text/plain)