Ubuntu Security Notice 4633-1 - Peter Eisentraut discovered that PostgreSQL incorrectly handled connection security settings. Client applications could possibly be connecting with certain security parameters dropped, contrary to expectations. Etienne Stalmans discovered that PostgreSQL incorrectly handled the security restricted operation sandbox. An authenticated remote attacker could possibly use this issue to execute arbitrary SQL functions as a superuser. Various other issues were also addressed.
fa3e5630ab12c007ca85664a3fc6be995346cae9c9834ee1ed64a7f83b3e4850
==========================================================================
Ubuntu Security Notice USN-4633-1
November 17, 2020
postgresql-10, postgresql-12, postgresql-9.5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in PostgreSQL.
Software Description:
- postgresql-12: Object-relational SQL database
- postgresql-10: Object-relational SQL database
- postgresql-9.5: Object-relational SQL database
Details:
Peter Eisentraut discovered that PostgreSQL incorrectly handled connection
security settings. Client applications could possibly be connecting with
certain security parameters dropped, contrary to expectations.
(CVE-2020-25694)
Etienne Stalmans discovered that PostgreSQL incorrectly handled the
security restricted operation sandbox. An authenticated remote attacker
could possibly use this issue to execute arbitrary SQL functions as a
superuser. (CVE-2020-25695)
Nick Cleaton discovered that PostgreSQL incorrectly handled the \gset
meta-command. A remote attacker with a compromised server could possibly
use this issue to execute arbitrary code. (CVE-2020-25696)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.10:
postgresql-12 12.5-0ubuntu0.20.10.1
Ubuntu 20.04 LTS:
postgresql-12 12.5-0ubuntu0.20.04.1
Ubuntu 18.04 LTS:
postgresql-10 10.15-0ubuntu0.18.04.1
Ubuntu 16.04 LTS:
postgresql-9.5 9.5.24-0ubuntu0.16.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
References:
https://usn.ubuntu.com/4633-1
CVE-2020-25694, CVE-2020-25695, CVE-2020-25696
Package Information:
https://launchpad.net/ubuntu/+source/postgresql-12/12.5-0ubuntu0.20.10.1
https://launchpad.net/ubuntu/+source/postgresql-12/12.5-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/postgresql-10/10.15-0ubuntu0.18.04.1
https://launchpad.net/ubuntu/+source/postgresql-9.5/9.5.24-0ubuntu0.16.04.1