ALT-BU-2025-3981-1
Branch p10 update bulletin.
Package postgresql15 updated to version 15.12-alt0.p10.1 for branch p10 in task 375278.
Closed vulnerabilities
BDU:2025-01601
Уязвимость функций PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() и PQescapeStringConn() библиотеки libpq системы управления базами данных PostgreSQL, позволяющая нарушителю выполнить произвольный код
Modified: 2025-02-21
CVE-2025-1094
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
- http://www.openwall.com/lists/oss-security/2025/02/16/3
- http://www.openwall.com/lists/oss-security/2025/02/20/1
- https://lists.debian.org/debian-lts-announce/2025/02/msg00015.html
- https://lists.debian.org/debian-lts-announce/2025/02/msg00024.html
- https://security.netapp.com/advisory/ntap-20250221-0010/
- https://www.postgresql.org/support/security/CVE-2025-1094/
Package postgresql17 updated to version 17.4-alt0.p10.1 for branch p10 in task 375278.
Closed vulnerabilities
BDU:2025-01601
Уязвимость функций PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() и PQescapeStringConn() библиотеки libpq системы управления базами данных PostgreSQL, позволяющая нарушителю выполнить произвольный код
Modified: 2025-02-21
CVE-2025-1094
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
- http://www.openwall.com/lists/oss-security/2025/02/16/3
- http://www.openwall.com/lists/oss-security/2025/02/20/1
- https://lists.debian.org/debian-lts-announce/2025/02/msg00015.html
- https://lists.debian.org/debian-lts-announce/2025/02/msg00024.html
- https://security.netapp.com/advisory/ntap-20250221-0010/
- https://www.postgresql.org/support/security/CVE-2025-1094/
Package postgresql14 updated to version 14.17-alt0.p10.1 for branch p10 in task 375278.
Closed vulnerabilities
BDU:2025-01601
Уязвимость функций PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() и PQescapeStringConn() библиотеки libpq системы управления базами данных PostgreSQL, позволяющая нарушителю выполнить произвольный код
Modified: 2025-02-21
CVE-2025-1094
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
- http://www.openwall.com/lists/oss-security/2025/02/16/3
- http://www.openwall.com/lists/oss-security/2025/02/20/1
- https://lists.debian.org/debian-lts-announce/2025/02/msg00015.html
- https://lists.debian.org/debian-lts-announce/2025/02/msg00024.html
- https://security.netapp.com/advisory/ntap-20250221-0010/
- https://www.postgresql.org/support/security/CVE-2025-1094/
Package postgresql13 updated to version 13.20-alt0.p10.1 for branch p10 in task 375278.
Closed vulnerabilities
BDU:2025-01601
Уязвимость функций PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() и PQescapeStringConn() библиотеки libpq системы управления базами данных PostgreSQL, позволяющая нарушителю выполнить произвольный код
Modified: 2025-02-21
CVE-2025-1094
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
- http://www.openwall.com/lists/oss-security/2025/02/16/3
- http://www.openwall.com/lists/oss-security/2025/02/20/1
- https://lists.debian.org/debian-lts-announce/2025/02/msg00015.html
- https://lists.debian.org/debian-lts-announce/2025/02/msg00024.html
- https://security.netapp.com/advisory/ntap-20250221-0010/
- https://www.postgresql.org/support/security/CVE-2025-1094/
Package postgresql15-1C updated to version 15.12-alt0.p10.1 for branch p10 in task 375278.
Closed vulnerabilities
BDU:2025-01601
Уязвимость функций PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() и PQescapeStringConn() библиотеки libpq системы управления базами данных PostgreSQL, позволяющая нарушителю выполнить произвольный код
Modified: 2025-02-21
CVE-2025-1094
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
- http://www.openwall.com/lists/oss-security/2025/02/16/3
- http://www.openwall.com/lists/oss-security/2025/02/20/1
- https://lists.debian.org/debian-lts-announce/2025/02/msg00015.html
- https://lists.debian.org/debian-lts-announce/2025/02/msg00024.html
- https://security.netapp.com/advisory/ntap-20250221-0010/
- https://www.postgresql.org/support/security/CVE-2025-1094/
Package postgresql16 updated to version 16.8-alt0.p10.1 for branch p10 in task 375278.
Closed vulnerabilities
BDU:2025-01601
Уязвимость функций PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() и PQescapeStringConn() библиотеки libpq системы управления базами данных PostgreSQL, позволяющая нарушителю выполнить произвольный код
Modified: 2025-02-21
CVE-2025-1094
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
- http://www.openwall.com/lists/oss-security/2025/02/16/3
- http://www.openwall.com/lists/oss-security/2025/02/20/1
- https://lists.debian.org/debian-lts-announce/2025/02/msg00015.html
- https://lists.debian.org/debian-lts-announce/2025/02/msg00024.html
- https://security.netapp.com/advisory/ntap-20250221-0010/
- https://www.postgresql.org/support/security/CVE-2025-1094/
Closed vulnerabilities
Modified: 2025-02-21
CVE-2025-22866
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.
Modified: 2025-03-18
CVE-2025-22870
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.