Several vulnerabilities have been discovered in the PostgreSQL database system.

CVE-2023-5868

    Jingzhou Fu discovered a memory disclosure flaw in aggregate function calls.

CVE-2023-5869

    Pedro Gallegos reported integer overflow flaws resulting in buffer overflows in the array modification functions.

CVE-2023-5870

    Hemanth Sandrana and Mahendrakar Srinivasarao reported that the pg_cancel_backend role can signal certain superuser processes, potentially resulting in denial of service.

CVE-2023-39417

    Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg reported that an extension script using @substitutions@ within quoting may allow an attacker with database-level CREATE privileges to perform SQL injection.

For the oldstable distribution (bullseye), these problems have been fixed in version 13.13-0+deb11u1.

We recommend that you upgrade your postgresql-13 packages.

For the detailed security status of postgresql-13 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/postgresql-13