[gentoo-announce] [ GLSA 202012-07 ] PostgreSQL: Multiple vulnerabilities - gentoo-announce

From:	Thomas Deutschmann <whissi@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 202012-07 ] PostgreSQL: Multiple vulnerabilities
Date:	Mon, 07 Dec 2020 00:44:41
Message-Id:	`183527c9-0029-b002-aeb2-5e28c929e5c9@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 202012-07

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: PostgreSQL: Multiple vulnerabilities

9

      Date: December 07, 2020

10

      Bugs: #754363

11

        ID: 202012-07

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been found in PostgreSQL, the worst of

19

which could result in arbitrary code execution.

20

21

Background

22

==========

23

24

PostgreSQL is an open source object-relational database management

25

system.

26

27

Affected packages

28

=================

29

30

     -------------------------------------------------------------------

31

      Package              /     Vulnerable     /            Unaffected

32

     -------------------------------------------------------------------

33

   1  dev-db/postgresql             < 13.1               >= 9.5.24:9.5

34

                                                         >= 9.6.20:9.6

35

                                                           >= 10.15:10

36

                                                           >= 11.10:11

37

                                                            >= 12.5:12

38

                                                            >= 13.1:13

39

40

Description

41

===========

42

43

Multiple vulnerabilities have been discovered in PostgreSQL. Please

44

review the CVE identifiers referenced below for details.

45

46

Impact

47

======

48

49

A remote attacker could possibly obtain sensitive information, alter

50

SQL commands, escape PostgreSQL sandbox or execute arbitrary code with

51

the privileges of the process.

52

53

Workaround

54

==========

55

56

There is no known workaround at this time.

57

58

Resolution

59

==========

60

61

All PostgreSQL 9.5.x users should upgrade to the latest version:

62

63

   # emerge --sync

64

   # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.24:9.5"

65

66

All PostgreSQL 9.6.x users should upgrade to the latest version:

67

68

   # emerge --sync

69

   # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.20:9.6"

70

71

All PostgreSQL 10.x users should upgrade to the latest version:

72

73

   # emerge --sync

74

   # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.15:10"

75

76

All PostgreSQL 11.x users should upgrade to the latest version:

77

78

   # emerge --sync

79

   # emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.10:11"

80

81

All PostgreSQL 12.x users should upgrade to the latest version:

82

83

   # emerge --sync

84

   # emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.5:12"

85

86

All PostgreSQL 13.x users should upgrade to the latest version:

87

88

   # emerge --sync

89

   # emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.1:13"

90

91

References

92

==========

93

94

[ 1 ] CVE-2020-25694

95

       https://nvd.nist.gov/vuln/detail/CVE-2020-25694

96

[ 2 ] CVE-2020-25695

97

       https://nvd.nist.gov/vuln/detail/CVE-2020-25695

98

[ 3 ] CVE-2020-25696

99

       https://nvd.nist.gov/vuln/detail/CVE-2020-25696

100

101

Availability

102

============

103

104

This GLSA and any updates to it are available for viewing at

105

the Gentoo Security Website:

106

107

  https://security.gentoo.org/glsa/202012-07

108

109

Concerns?

110

=========

111

112

Security is a primary focus of Gentoo Linux and ensuring the

113

confidentiality and security of our users' machines is of utmost

114

importance to us. Any security concerns should be addressed to

115

security@g.o or alternatively, you may file a bug at

116

https://bugs.gentoo.org.

117

118

License

119

=======

120

121

Copyright 2020 Gentoo Foundation, Inc; referenced text

122

belongs to its owner(s).

123

124

The contents of this document are licensed under the

125

Creative Commons - Attribution / Share Alike license.

126

127

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 202012-07
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: PostgreSQL: Multiple vulnerabilities
9	Date: December 07, 2020
10	Bugs: #754363
11	ID: 202012-07
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been found in PostgreSQL, the worst of
19	which could result in arbitrary code execution.
20
21	Background
22	==========
23
24	PostgreSQL is an open source object-relational database management
25	system.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 dev-db/postgresql < 13.1 >= 9.5.24:9.5
34	>= 9.6.20:9.6
35	>= 10.15:10
36	>= 11.10:11
37	>= 12.5:12
38	>= 13.1:13
39
40	Description
41	===========
42
43	Multiple vulnerabilities have been discovered in PostgreSQL. Please
44	review the CVE identifiers referenced below for details.
45
46	Impact
47	======
48
49	A remote attacker could possibly obtain sensitive information, alter
50	SQL commands, escape PostgreSQL sandbox or execute arbitrary code with
51	the privileges of the process.
52
53	Workaround
54	==========
55
56	There is no known workaround at this time.
57
58	Resolution
59	==========
60
61	All PostgreSQL 9.5.x users should upgrade to the latest version:
62
63	# emerge --sync
64	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.24:9.5"
65
66	All PostgreSQL 9.6.x users should upgrade to the latest version:
67
68	# emerge --sync
69	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.20:9.6"
70
71	All PostgreSQL 10.x users should upgrade to the latest version:
72
73	# emerge --sync
74	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.15:10"
75
76	All PostgreSQL 11.x users should upgrade to the latest version:
77
78	# emerge --sync
79	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.10:11"
80
81	All PostgreSQL 12.x users should upgrade to the latest version:
82
83	# emerge --sync
84	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.5:12"
85
86	All PostgreSQL 13.x users should upgrade to the latest version:
87
88	# emerge --sync
89	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.1:13"
90
91	References
92	==========
93
94	[ 1 ] CVE-2020-25694
95	https://nvd.nist.gov/vuln/detail/CVE-2020-25694
96	[ 2 ] CVE-2020-25695
97	https://nvd.nist.gov/vuln/detail/CVE-2020-25695
98	[ 3 ] CVE-2020-25696
99	https://nvd.nist.gov/vuln/detail/CVE-2020-25696
100
101	Availability
102	============
103
104	This GLSA and any updates to it are available for viewing at
105	the Gentoo Security Website:
106
107	https://security.gentoo.org/glsa/202012-07
108
109	Concerns?
110	=========
111
112	Security is a primary focus of Gentoo Linux and ensuring the
113	confidentiality and security of our users' machines is of utmost
114	importance to us. Any security concerns should be addressed to
115	security@g.o or alternatively, you may file a bug at
116	https://bugs.gentoo.org.
117
118	License
119	=======
120
121	Copyright 2020 Gentoo Foundation, Inc; referenced text
122	belongs to its owner(s).
123
124	The contents of this document are licensed under the
125	Creative Commons - Attribution / Share Alike license.
126
127	https://creativecommons.org/licenses/by-sa/2.5