|
|
Subscribe / Log in / New account

Mageia alert MGASA-2020-0095 (postgresql)



From:
              Mageia Updates <buildsystem-daemon@mageia.org> 


To:
              updates-announce@ml.mageia.org 


Subject:
              [updates-announce] MGASA-2020-0095: Updated postgresql packages fix security vulnerability 


Date:
              Sat, 22 Feb 2020 00:07:10 +0100


Message-ID:
              <20200221230710.28EEB9F641@duvel.mageia.org>


MGASA-2020-0095 - Updated postgresql packages fix security vulnerability

Publication date: 21 Feb 2020
URL: https://advisories.mageia.org/MGASA-2020-0095.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-1720

Description:
Updated postgresql9.6 and postgresql11 packages fix security vulnerability:

The ALTER ... DEPENDS ON EXTENSION sub-commands do not perform authorization
checks, which can allow an unprivileged user to drop any function, procedure,
materialized view, index, or trigger under certain conditions. This attack is
possible if an administrator has installed an extension and an unprivileged
user can CREATE, or an extension owner either executes DROP EXTENSION
predictably or can be convinced to execute DROP EXTENSION (CVE-2020-1720).

References:
- https://bugs.mageia.org/show_bug.cgi?id=26196
- https://www.postgresql.org/about/news/2011/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1720

SRPMS:
- 7/core/postgresql9.6-9.6.17-1.mga7
- 7/core/postgresql11-11.7-1.mga7
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds