Malware Devil

Tuesday, August 18, 2020

ESB-2020.2829 – [Win][UNIX/Linux][Debian] postgresql-9.6: Execute arbitrary code/commands – Existing account

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2829
 postgresql-9.6 security update fixes arbitrary SQL execution as superuser
                              18 August 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           postgresql-9.6
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14350  

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2331

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running postgresql-9.6 check for an updated version of the software 
         for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2331-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
August 17, 2020                               https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : postgresql-9.6
Version        : 9.6.19-0+deb9u1
CVE ID         : CVE-2020-14350

Andres Freund found an issue in the PostgreSQL database system where an
uncontrolled search path during certain `CREATE EXTENSION' statements could
allow a database user to have arbitrary SQL functions executed with the
privileges of the superuser running the statement.

For Debian 9 stretch, this problem has been fixed in version
9.6.19-0+deb9u1.

We recommend that you upgrade your postgresql-9.6 packages.

For the detailed security status of postgresql-9.6 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-9.6

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
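The bulletin's own advice is to check for the fixed version. The following script is an added example and is not part of the AusCERT or Debian advisory; it decides whether an installed postgresql-9.6 already carries the fix named above (package version 9.6.19-0+deb9u1, i.e. upstream release 9.6.19) from either a dpkg-query line or the text of `SELECT version()`. The Debian version ordering is re-implemented from deb-version(7) so the check also runs on hosts without dpkg; the function names and the sample inputs are my own and the sample inputs are constructed, not captured from a real system.

```python
r"""Added example, not part of the AusCERT/Debian advisory: decide whether an
installed postgresql-9.6 already carries the DLA-2331-1 fix.

Two inputs an administrator typically has at hand are checked against the
fixed version the advisory names, 9.6.19-0+deb9u1:
  * one line of `dpkg-query -W -f='${Package}\t${Version}\n' postgresql-9.6`
    from a Debian 9 host, compared with full Debian version semantics;
  * the text of `SELECT version()` from a server on any platform, where only
    the upstream release number (9.6.19) can be compared.
The comparison re-implements the ordering of deb-version(7) so the check runs
on hosts without dpkg.  All sample inputs are constructed, not captured.
"""
import re
from typing import Optional

FIXED_DEBIAN_VERSION = "9.6.19-0+deb9u1"  # fixed package version from DLA-2331-1
FIXED_UPSTREAM = "9.6.19"                 # upstream release that package is built from


def _order(c: str) -> int:
    """Weight of one character inside a non-digit run, as dpkg defines it:
    '~' sorts before everything (even end of string, which counts as 0),
    letters sort before non-letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the dpkg way: alternate non-digit runs
    (lexical, using _order) and digit runs (numeric).  Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: stop at the first digit on both sides.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            bc = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def debian_version_cmp(v1: str, v2: str) -> int:
    """Full Debian version comparison of [epoch:]upstream[-revision] strings."""
    def split(v: str):
        epoch, sep, rest = v.partition(":")
        if not sep:                      # no epoch given: epoch is 0
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:                      # no revision given: equivalent to 0
            upstream, revision = rest, "0"
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def dpkg_line_is_fixed(line: str) -> bool:
    """Parse one dpkg-query line ('<package>\t<version>') and report whether
    the installed postgresql-9.6 is at or past the fixed version."""
    package, version = line.strip().split("\t")
    if package != "postgresql-9.6":
        raise ValueError(f"unexpected package {package!r}")
    return debian_version_cmp(version, FIXED_DEBIAN_VERSION) >= 0


def server_version_is_fixed(version_output: str) -> Optional[bool]:
    """Check the text of `SELECT version()`.  Returns True/False for a 9.6.x
    server and None for any other branch: the advisory only names the 9.6
    fix release, so other major versions are out of scope for this check."""
    m = re.search(r"PostgreSQL (\d+(?:\.\d+)*)", version_output)
    if not m:
        raise ValueError("not a PostgreSQL version() string")
    ver = m.group(1)
    if not ver.startswith("9.6."):
        return None
    return _verrevcmp(ver, FIXED_UPSTREAM) >= 0


if __name__ == "__main__":
    # Constructed sample inputs (not captured from a real host).
    for line in ["postgresql-9.6\t9.6.18-0+deb9u1", "postgresql-9.6\t9.6.19-0+deb9u1"]:
        print(line.replace("\t", " "), "->", "fixed" if dpkg_line_is_fixed(line) else "VULNERABLE")
    for out in ["PostgreSQL 9.6.18 on x86_64-pc-linux-gnu, compiled by gcc",
                "PostgreSQL 9.6.19 on x86_64-pc-linux-gnu, compiled by gcc",
                "PostgreSQL 12.3 on x86_64-pc-linux-gnu, compiled by gcc"]:
        print(out.split(" on ")[0], "->", server_version_is_fixed(out))
```

On a Debian 9 host the first check is the authoritative one, because a backported fix keeps the upstream number while bumping the Debian revision; `SELECT version()` is the fallback for the Windows and other UNIX builds the bulletin's summary also covers, where only the upstream 9.6.19 release number is visible.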

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
