Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

DSA-5553-1 postgresql-15 -- security update

Related Vulnerabilities: CVE-2023-5868   CVE-2023-5869   CVE-2023-5870   CVE-2023-39417   CVE-2023-39418  

Several vulnerabilities have been discovered in the PostgreSQL database system. CVE-2023-5868 Jingzhou Fu discovered a memory disclosure flaw in aggregate function calls. CVE-2023-5869 Pedro Gallegos reported integer overflow flaws resulting in buffer overflows in the array modification functions. CVE-2023-5870 Hemanth Sandrana and Mahendrakar Srinivasarao reported that the pg_cancel_backend role can signal certain superuser processes, potentially resulting in denial of service. CVE-2023-39417 Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg reported that an extension script using @substitutions@ within quoting may allow to perform an SQL injection for an attacker having database-level CREATE privileges. CVE-2023-39418 Dean Rasheed reported that the MERGE command fails to enforce UPDATE or SELECT row security policies. For the stable distribution (bookworm), these problems have been fixed in version 15.5-0+deb12u1. We recommend that you upgrade your postgresql-15 packages. For the detailed security status of postgresql-15 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/postgresql-15

Source

Debian Security Advisory

DSA-5553-1 postgresql-15 -- security update

Date Reported:
13 Nov 2023
Affected Packages:
postgresql-15
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2023-5868, CVE-2023-5869, CVE-2023-5870, CVE-2023-39417, CVE-2023-39418.
More information:

Several vulnerabilities have been discovered in the PostgreSQL database system.

  • CVE-2023-5868

    Jingzhou Fu discovered a memory disclosure flaw in aggregate function calls.

  • CVE-2023-5869

    Pedro Gallegos reported integer overflow flaws resulting in buffer overflows in the array modification functions.

  • CVE-2023-5870

    Hemanth Sandrana and Mahendrakar Srinivasarao reported that the pg_cancel_backend role can signal certain superuser processes, potentially resulting in denial of service.

  • CVE-2023-39417

    Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg reported that an extension script using @substitutions@ within quoting may allow to perform an SQL injection for an attacker having database-level CREATE privileges.

  • CVE-2023-39418

    Dean Rasheed reported that the MERGE command fails to enforce UPDATE or SELECT row security policies.

For the stable distribution (bookworm), these problems have been fixed in version 15.5-0+deb12u1.

We recommend that you upgrade your postgresql-15 packages.

For the detailed security status of postgresql-15 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/postgresql-15

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started