Gentoo Archives: gentoo-announce

From: Sam James <sam@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202211-04 ] PostgreSQL: Multiple Vulnerabilities
Date: Sat, 19 Nov 2022 21:46:43
Message-Id: 7463CB29-0A67-4DEE-9D41-F1F0790ED133@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202211-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: PostgreSQL: Multiple Vulnerabilities
Date: November 19, 2022
Bugs: #793734, #808984, #823125, #865255
ID: 202211-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in PostgreSQL, the worst of
which could result in remote code execution.

Background
==========

PostgreSQL is an open source object-relational database management
system.

Affected packages
=================

-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
dev-db/postgresql       < 10.22               >= 10.22:10
                        < 11.17:11            >= 11.17:11
                        < 12.12:12            >= 12.12:12
                        < 13.8:13             >= 13.8:13
                        < 14.5:14             >= 14.5

Description
===========

Multiple vulnerabilities have been discovered in PostgreSQL. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PostgreSQL 10.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.22:10"

All PostgreSQL 11.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.17:11"

All PostgreSQL 12.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.12:12"

All PostgreSQL 13.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.8:13"

All PostgreSQL 14.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-14.5:14"

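As an added example that is not part of the advisory itself: a POSIX shell check that classifies an installed dev-db/postgresql version against the fixed version for its slot, using the thresholds from the Affected packages table above. The `check_installed` helper and its use of `qlist -Iv` from portage-utils are assumptions about the host; the classification functions run anywhere.

```shell
#!/bin/sh
# Added example, not part of GLSA 202211-04: classify an installed
# dev-db/postgresql version against the fixed version for its slot.

# Fixed version per slot, taken from the advisory's Affected packages table.
glsa_fixed_version() {
    case "$1" in
        10) echo 10.22 ;;
        11) echo 11.17 ;;
        12) echo 12.12 ;;
        13) echo 13.8 ;;
        14) echo 14.5 ;;
        *)  return 1 ;;    # slot not covered by this advisory
    esac
}

# Compare two dotted numeric versions; prints -1, 0 or 1 for "$1" vs "$2".
# Only plain N.N[.N] forms are handled (no _rc or _p suffixes).
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        if [ "$a" = "$ah" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$bh" ]; then b=; else b=${b#*.}; fi
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# glsa_status SLOT VERSION -> vulnerable | unaffected | not-covered
glsa_status() {
    fixed=$(glsa_fixed_version "$1") || { echo not-covered; return; }
    if [ "$(vercmp "$2" "$fixed")" -lt 0 ]; then echo vulnerable; else echo unaffected; fi
}

# On a Gentoo host: report every installed slot (assumes portage-utils'
# qlist is present; the Gentoo revision suffix "-rN" is stripped first).
check_installed() {
    qlist -Iv dev-db/postgresql 2>/dev/null | while read -r atom; do
        v=${atom#dev-db/postgresql-}; v=${v%-r*}
        echo "$atom $(glsa_status "${v%%.*}" "$v")"
    done
}
```

Run `check_installed` on the host to get one line per installed slot, e.g. "dev-db/postgresql-14.4 vulnerable".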
References
==========

[ 1 ] CVE-2021-3677
      https://nvd.nist.gov/vuln/detail/CVE-2021-3677
[ 2 ] CVE-2021-23214
      https://nvd.nist.gov/vuln/detail/CVE-2021-23214
[ 3 ] CVE-2021-23222
      https://nvd.nist.gov/vuln/detail/CVE-2021-23222
[ 4 ] CVE-2021-32027
      https://nvd.nist.gov/vuln/detail/CVE-2021-32027
[ 5 ] CVE-2021-32028
      https://nvd.nist.gov/vuln/detail/CVE-2021-32028
[ 6 ] CVE-2022-1552
      https://nvd.nist.gov/vuln/detail/CVE-2022-1552
[ 7 ] CVE-2022-2625
      https://nvd.nist.gov/vuln/detail/CVE-2022-2625

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202211-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
