ALT-PU-2023-5636-3
Package postgresql14 updated to version 14.9-alt0.p10.1 for branch c10f1 in task 329540.
Closed vulnerabilities
BDU:2023-03024
Уязвимость компонента Schema Handler системы управления базами данных PostgreSQL, позволяющая нарушителю обойти ограничения безопасности
BDU:2023-03247
Уязвимость системы управления базами данных PostgreSQL, связанная с недостатками разграничения доступа, позволяющая нарушителю повысить свои привилегии и выполнить произвольный код
BDU:2023-04767
Уязвимость системы управления базами данных PostgreSQL, связанная с возможностью SQL-инъекций в расширениях, позволяющая нарушителю выполнять произвольный SQL-запрос к базе данных
Modified: 2025-01-06
CVE-2023-2454
schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.
- https://access.redhat.com/security/cve/CVE-2023-2454
- https://access.redhat.com/security/cve/CVE-2023-2454
- https://security.netapp.com/advisory/ntap-20230706-0006/
- https://security.netapp.com/advisory/ntap-20230706-0006/
- https://www.postgresql.org/support/security/CVE-2023-2454/
- https://www.postgresql.org/support/security/CVE-2023-2454/
Modified: 2025-01-06
CVE-2023-2455
Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
- https://access.redhat.com/security/cve/CVE-2023-2455
- https://access.redhat.com/security/cve/CVE-2023-2455
- https://security.netapp.com/advisory/ntap-20230706-0006/
- https://security.netapp.com/advisory/ntap-20230706-0006/
- https://www.postgresql.org/support/security/CVE-2023-2455/
- https://www.postgresql.org/support/security/CVE-2023-2455/
Modified: 2024-11-21
CVE-2023-39417
IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.
- RHSA-2023:7545
- RHSA-2023:7579
- RHSA-2023:7580
- RHSA-2023:7581
- RHSA-2023:7616
- RHSA-2023:7656
- RHSA-2023:7666
- RHSA-2023:7667
- RHSA-2023:7694
- RHSA-2023:7695
- RHSA-2023:7714
- RHSA-2023:7770
- RHSA-2023:7772
- RHSA-2023:7784
- RHSA-2023:7785
- RHSA-2023:7883
- RHSA-2023:7884
- RHSA-2023:7885
- RHSA-2024:0304
- RHSA-2024:0332
- RHSA-2024:0337
- https://access.redhat.com/security/cve/CVE-2023-39417
- RHBZ#2228111
- https://www.postgresql.org/support/security/CVE-2023-39417
- RHSA-2023:7545
- https://lists.debian.org/debian-lts-announce/2023/10/msg00003.html
- https://security.netapp.com/advisory/ntap-20230915-0002/
- https://www.debian.org/security/2023/dsa-5553
- https://www.debian.org/security/2023/dsa-5554
- https://www.postgresql.org/support/security/CVE-2023-39417
- RHBZ#2228111
- https://access.redhat.com/security/cve/CVE-2023-39417
- RHSA-2024:0337
- RHSA-2024:0332
- RHSA-2024:0304
- RHSA-2023:7885
- RHSA-2023:7884
- RHSA-2023:7883
- RHSA-2023:7785
- RHSA-2023:7784
- RHSA-2023:7772
- RHSA-2023:7770
- RHSA-2023:7714
- RHSA-2023:7695
- RHSA-2023:7694
- RHSA-2023:7667
- RHSA-2023:7666
- RHSA-2023:7656
- RHSA-2023:7616
- RHSA-2023:7581
- RHSA-2023:7580
- RHSA-2023:7579