[gentoo-announce] [ GLSA 202105-32 ] PostgreSQL: Multiple vulnerabilities - gentoo-announce

From:	Thomas Deutschmann <whissi@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 202105-32 ] PostgreSQL: Multiple vulnerabilities
Date:	Wed, 26 May 2021 10:30:24
Message-Id:	`1c4e5a01-c985-686c-5f69-25b048d4e59f@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 202105-32

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Low

8

     Title: PostgreSQL: Multiple vulnerabilities

9

      Date: May 26, 2021

10

      Bugs: #771942

11

        ID: 202105-32

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been found in PostgreSQL, the worst of

19

which could result in information disclosure.

20

21

Background

22

==========

23

24

PostgreSQL is an open source object-relational database management

25

system.

26

27

Affected packages

28

=================

29

30

     -------------------------------------------------------------------

31

      Package              /     Vulnerable     /            Unaffected

32

     -------------------------------------------------------------------

33

   1  dev-db/postgresql             < 13.2               >= 9.5.25:9.5

34

                                                         >= 9.6.21:9.6

35

                                                           >= 10.16:10

36

                                                           >= 11.11:11

37

                                                            >= 12.6:12

38

                                                            >= 13.2:13

39

40

Description

41

===========

42

43

Multiple vulnerabilities have been discovered in PostgreSQL. Please

44

review the CVE identifiers referenced below for details.

45

46

Impact

47

======

48

49

An authenticated remote attacker, by executing malicious crafted

50

queries, could possibly disclose sensitive information.

51

52

Workaround

53

==========

54

55

There is no known workaround at this time.

56

57

Resolution

58

==========

59

60

All PostgreSQL 9.5.x users should upgrade to the latest version:

61

62

   # emerge --sync

63

   # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.25:9.5"

64

65

All PostgreSQL 9.6.x users should upgrade to the latest version:

66

67

   # emerge --sync

68

   # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.21:9.6"

69

70

All PostgreSQL 10.x users should upgrade to the latest version:

71

72

   # emerge --sync

73

   # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.16:10"

74

75

All PostgreSQL 11.x users should upgrade to the latest version:

76

77

   # emerge --sync

78

   # emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.11:11"

79

80

All PostgreSQL 12.x users should upgrade to the latest version:

81

82

   # emerge --sync

83

   # emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.6:12"

84

85

All PostgreSQL 13.x users should upgrade to the latest version:

86

87

   # emerge --sync

88

   # emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.2:13"

89

90

References

91

==========

92

93

[ 1 ] CVE-2021-20229

94

       https://nvd.nist.gov/vuln/detail/CVE-2021-20229

95

[ 2 ] CVE-2021-3393

96

       https://nvd.nist.gov/vuln/detail/CVE-2021-3393

97

98

Availability

99

============

100

101

This GLSA and any updates to it are available for viewing at

102

the Gentoo Security Website:

103

104

  https://security.gentoo.org/glsa/202105-32

105

106

Concerns?

107

=========

108

109

Security is a primary focus of Gentoo Linux and ensuring the

110

confidentiality and security of our users' machines is of utmost

111

importance to us. Any security concerns should be addressed to

112

security@g.o or alternatively, you may file a bug at

113

https://bugs.gentoo.org.

114

115

License

116

=======

117

118

Copyright 2021 Gentoo Foundation, Inc; referenced text

119

belongs to its owner(s).

120

121

The contents of this document are licensed under the

122

Creative Commons - Attribution / Share Alike license.

123

124

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 202105-32
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Low
8	Title: PostgreSQL: Multiple vulnerabilities
9	Date: May 26, 2021
10	Bugs: #771942
11	ID: 202105-32
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been found in PostgreSQL, the worst of
19	which could result in information disclosure.
20
21	Background
22	==========
23
24	PostgreSQL is an open source object-relational database management
25	system.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 dev-db/postgresql < 13.2 >= 9.5.25:9.5
34	>= 9.6.21:9.6
35	>= 10.16:10
36	>= 11.11:11
37	>= 12.6:12
38	>= 13.2:13
39
40	Description
41	===========
42
43	Multiple vulnerabilities have been discovered in PostgreSQL. Please
44	review the CVE identifiers referenced below for details.
45
46	Impact
47	======
48
49	An authenticated remote attacker, by executing malicious crafted
50	queries, could possibly disclose sensitive information.
51
52	Workaround
53	==========
54
55	There is no known workaround at this time.
56
57	Resolution
58	==========
59
60	All PostgreSQL 9.5.x users should upgrade to the latest version:
61
62	# emerge --sync
63	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.25:9.5"
64
65	All PostgreSQL 9.6.x users should upgrade to the latest version:
66
67	# emerge --sync
68	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.21:9.6"
69
70	All PostgreSQL 10.x users should upgrade to the latest version:
71
72	# emerge --sync
73	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.16:10"
74
75	All PostgreSQL 11.x users should upgrade to the latest version:
76
77	# emerge --sync
78	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.11:11"
79
80	All PostgreSQL 12.x users should upgrade to the latest version:
81
82	# emerge --sync
83	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.6:12"
84
85	All PostgreSQL 13.x users should upgrade to the latest version:
86
87	# emerge --sync
88	# emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.2:13"
89
90	References
91	==========
92
93	[ 1 ] CVE-2021-20229
94	https://nvd.nist.gov/vuln/detail/CVE-2021-20229
95	[ 2 ] CVE-2021-3393
96	https://nvd.nist.gov/vuln/detail/CVE-2021-3393
97
98	Availability
99	============
100
101	This GLSA and any updates to it are available for viewing at
102	the Gentoo Security Website:
103
104	https://security.gentoo.org/glsa/202105-32
105
106	Concerns?
107	=========
108
109	Security is a primary focus of Gentoo Linux and ensuring the
110	confidentiality and security of our users' machines is of utmost
111	importance to us. Any security concerns should be addressed to
112	security@g.o or alternatively, you may file a bug at
113	https://bugs.gentoo.org.
114
115	License
116	=======
117
118	Copyright 2021 Gentoo Foundation, Inc; referenced text
119	belongs to its owner(s).
120
121	The contents of this document are licensed under the
122	Creative Commons - Attribution / Share Alike license.
123
124	https://creativecommons.org/licenses/by-sa/2.5