Ubuntu Security Notice 4472-1 - Noah Misch discovered that PostgreSQL incorrectly handled the search_path setting when used with logical replication. A remote attacker could possibly use this issue to execute arbitrary SQL code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. Andres Freund discovered that PostgreSQL incorrectly handled search path elements in CREATE EXTENSION. A remote attacker could possibly use this issue to execute arbitrary SQL code. Various other issues were also addressed.
==========================================================================
Ubuntu Security Notice USN-4472-1
August 25, 2020
postgresql-10, postgresql-12, postgresql-9.5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in PostgreSQL.
Software Description:
- postgresql-12: Object-relational SQL database
- postgresql-10: Object-relational SQL database
- postgresql-9.5: Object-relational SQL database
Details:
Noah Misch discovered that PostgreSQL incorrectly handled the search_path
setting when used with logical replication. A remote attacker could
possibly use this issue to execute arbitrary SQL code. This issue only
affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-14349)
Andres Freund discovered that PostgreSQL incorrectly handled search path
elements in CREATE EXTENSION. A remote attacker could possibly use this
issue to execute arbitrary SQL code. (CVE-2020-14350)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
postgresql-12 12.4-0ubuntu0.20.04.1
Ubuntu 18.04 LTS:
postgresql-10 10.14-0ubuntu0.18.04.1
Ubuntu 16.04 LTS:
postgresql-9.5 9.5.23-0ubuntu0.16.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
References:
https://usn.ubuntu.com/4472-1
CVE-2020-14349, CVE-2020-14350
Package Information:
https://launchpad.net/ubuntu/+source/postgresql-12/12.4-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/postgresql-10/10.14-0ubuntu0.18.04.1
https://launchpad.net/ubuntu/+source/postgresql-9.5/9.5.23-0ubuntu0.16.04.1