249 lines
12 KiB
JSON
249 lines
12 KiB
JSON
{
|
||
"Definition": [
|
||
{
|
||
"ID": "oval:org.altlinux.errata:def:20235633",
|
||
"Version": "oval:org.altlinux.errata:def:20235633",
|
||
"Class": "patch",
|
||
"Metadata": {
|
||
"Title": "ALT-PU-2023-5633: package `postgresql15` update to version 15.4-alt0.p10.1",
|
||
"AffectedList": [
|
||
{
|
||
"Family": "unix",
|
||
"Platforms": [
|
||
"ALT Linux branch c10f1"
|
||
],
|
||
"Products": [
|
||
"ALT SP Workstation",
|
||
"ALT SP Server"
|
||
]
|
||
}
|
||
],
|
||
"References": [
|
||
{
|
||
"RefID": "ALT-PU-2023-5633",
|
||
"RefURL": "https://errata.altlinux.org/ALT-PU-2023-5633",
|
||
"Source": "ALTPU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2023-03024",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2023-03024",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2023-03247",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2023-03247",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2023-04767",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2023-04767",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2023-04768",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2023-04768",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "CVE-2023-2454",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-2454",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2023-2455",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-2455",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2023-39417",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-39417",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2023-39418",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-39418",
|
||
"Source": "CVE"
|
||
}
|
||
],
|
||
"Description": "This update upgrades postgresql15 to version 15.4-alt0.p10.1. \nSecurity Fix(es):\n\n * BDU:2023-03024: Уязвимость компонента Schema Handler системы управления базами данных PostgreSQL, позволяющая нарушителю обойти ограничения безопасности\n\n * BDU:2023-03247: Уязвимость системы управления базами данных PostgreSQL, связанная с недостатками разграничения доступа, позволяющая нарушителю повысить свои привилегии и выполнить произвольный код\n\n * BDU:2023-04767: Уязвимость системы управления базами данных PostgreSQL, связанная с возможностью SQL-инъекций в расширениях, позволяющая нарушителю выполнять произвольный SQL-запрос к базе данных\n\n * BDU:2023-04768: Уязвимость системы управления базами данных PostgreSQL, связанная с недостатками разграничения доступа, позволяющая нарушителю читать и обновлять защищенные данные\n\n * CVE-2023-2454: schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.\n\n * CVE-2023-2455: Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.\n\n * CVE-2023-39417: IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or \"\"). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.\n\n * CVE-2023-39418: A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.",
|
||
"Advisory": {
|
||
"From": "errata.altlinux.org",
|
||
"Severity": "High",
|
||
"Rights": "Copyright 2024 BaseALT Ltd.",
|
||
"Issued": {
|
||
"Date": "2023-09-20"
|
||
},
|
||
"Updated": {
|
||
"Date": "2023-09-20"
|
||
},
|
||
"BDUs": [
|
||
{
|
||
"ID": "BDU:2023-03024",
|
||
"CVSS": "AV:N/AC:H/Au:S/C:P/I:P/A:N",
|
||
"CVSS3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
|
||
"CWE": "CWE-254",
|
||
"Href": "https://bdu.fstec.ru/vul/2023-03024",
|
||
"Impact": "Low",
|
||
"Public": "20230511"
|
||
},
|
||
{
|
||
"ID": "BDU:2023-03247",
|
||
"CVSS": "AV:N/AC:L/Au:M/C:C/I:C/A:C",
|
||
"CVSS3": "AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-264",
|
||
"Href": "https://bdu.fstec.ru/vul/2023-03247",
|
||
"Impact": "High",
|
||
"Public": "20230511"
|
||
},
|
||
{
|
||
"ID": "BDU:2023-04767",
|
||
"CVSS": "AV:N/AC:H/Au:S/C:C/I:C/A:C",
|
||
"CVSS3": "AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-89",
|
||
"Href": "https://bdu.fstec.ru/vul/2023-04767",
|
||
"Impact": "High",
|
||
"Public": "20230801"
|
||
},
|
||
{
|
||
"ID": "BDU:2023-04768",
|
||
"CVSS": "AV:N/AC:H/Au:S/C:N/I:P/A:N",
|
||
"CVSS3": "AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
|
||
"CWE": "CWE-264",
|
||
"Href": "https://bdu.fstec.ru/vul/2023-04768",
|
||
"Impact": "Low",
|
||
"Public": "20230801"
|
||
}
|
||
],
|
||
"CVEs": [
|
||
{
|
||
"ID": "CVE-2023-2454",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
|
||
"CWE": "NVD-CWE-noinfo",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-2454",
|
||
"Impact": "High",
|
||
"Public": "20230609"
|
||
},
|
||
{
|
||
"ID": "CVE-2023-2455",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
|
||
"CWE": "NVD-CWE-noinfo",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-2455",
|
||
"Impact": "Low",
|
||
"Public": "20230609"
|
||
},
|
||
{
|
||
"ID": "CVE-2023-39417",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-89",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-39417",
|
||
"Impact": "High",
|
||
"Public": "20230811"
|
||
},
|
||
{
|
||
"ID": "CVE-2023-39418",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
|
||
"CWE": "NVD-CWE-noinfo",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-39418",
|
||
"Impact": "Low",
|
||
"Public": "20230811"
|
||
}
|
||
],
|
||
"AffectedCPEs": {
|
||
"CPEs": [
|
||
"cpe:/o:alt:spworkstation:10",
|
||
"cpe:/o:alt:spserver:10"
|
||
]
|
||
}
|
||
}
|
||
},
|
||
"Criteria": {
|
||
"Operator": "AND",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:4001",
|
||
"Comment": "ALT Linux must be installed"
|
||
}
|
||
],
|
||
"Criterias": [
|
||
{
|
||
"Operator": "OR",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633001",
|
||
"Comment": "libecpg6 is earlier than 0:15.4-alt0.p10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633002",
|
||
"Comment": "libecpg6-devel is earlier than 0:15.4-alt0.p10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633003",
|
||
"Comment": "libecpg6-devel-static is earlier than 0:15.4-alt0.p10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633004",
|
||
"Comment": "libpq5 is earlier than 0:15.4-alt0.p10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633005",
|
||
"Comment": "libpq5-devel is earlier than 0:15.4-alt0.p10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633006",
|
||
"Comment": "libpq5-devel-static is earlier than 0:15.4-alt0.p10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633007",
|
||
"Comment": "postgresql-devel is earlier than 0:15.4-alt0.p10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633008",
|
||
"Comment": "postgresql-devel-static is earlier than 0:15.4-alt0.p10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633009",
|
||
"Comment": "postgresql15 is earlier than 0:15.4-alt0.p10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633010",
|
||
"Comment": "postgresql15-contrib is earlier than 0:15.4-alt0.p10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633011",
|
||
"Comment": "postgresql15-docs is earlier than 0:15.4-alt0.p10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633012",
|
||
"Comment": "postgresql15-llvmjit is earlier than 0:15.4-alt0.p10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633013",
|
||
"Comment": "postgresql15-perl is earlier than 0:15.4-alt0.p10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633014",
|
||
"Comment": "postgresql15-python is earlier than 0:15.4-alt0.p10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633015",
|
||
"Comment": "postgresql15-server is earlier than 0:15.4-alt0.p10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633016",
|
||
"Comment": "postgresql15-server-devel is earlier than 0:15.4-alt0.p10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633017",
|
||
"Comment": "postgresql15-tcl is earlier than 0:15.4-alt0.p10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20235633018",
|
||
"Comment": "rpm-macros-postgresql is earlier than 0:15.4-alt0.p10.1"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
} |