USN-6656-1: PostgreSQL vulnerability
26 February 2024
PostgreSQL could be made to run arbitrary SQL.
Releases
Packages
- postgresql-12 - Object-relational SQL database
- postgresql-14 - Object-relational SQL database
- postgresql-15 - Object-relational SQL database
Details
It was discovered that PostgreSQL incorrectly handled dropping privileges
when handling REFRESH MATERIALIZED VIEW CONCURRENTLY commands. If a user or
automatic system were tricked into running a specially crafted command, a
remote attacker could possibly use this issue to execute arbitrary SQL
functions.
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 23.10
Ubuntu 22.04
Ubuntu 20.04
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
References
Related notices
- USN-6656-2: postgresql-plpython-9.5, postgresql-server-dev-9.5, libecpg-compat3, libpq5, postgresql-client-9.5, postgresql-9.5, postgresql-plperl-9.5, postgresql-doc-9.5, postgresql-plpython3-9.5, libecpg-dev, libpq-dev, libpgtypes3, postgresql-contrib-9.5, libecpg6, postgresql-pltcl-9.5