USN-6538-1: PostgreSQL vulnerabilities
24799
23 July 2024
23 July 2024
CLOSED
MEDIUM
CVE-2023-5869;CVE-2023-5870;CVE-2023-5868
Severity
medium
Vendor
VMware Tanzu
Versions Affected
- Canonical Ubuntu 22.04
Jingzhou Fu discovered that PostgreSQL incorrectly handled certain unknown arguments in aggregate function calls. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2023-5868) Pedro Gallegos discovered that PostgreSQL incorrectly handled modifying certain SQL array values. A remote attacker could use this issue to obtain sensitive information, or possibly execute arbitrary code. (CVE-2023-5869) Hemanth Sandrana and Mahendrakar Srinivasarao discovered that PostgreSQL allowed the pg_signal_backend role to signal certain superuser processes, contrary to expectations. (CVE-2023-5870) Update Instructions: Run `sudo pro fix USN-6538-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: postgresql-server-dev-12 - 12.17-0ubuntu0.20.04.1 libecpg6 - 12.17-0ubuntu0.20.04.1 libpq-dev - 12.17-0ubuntu0.20.04.1 libpgtypes3 - 12.17-0ubuntu0.20.04.1 postgresql-plperl-12 - 12.17-0ubuntu0.20.04.1 postgresql-pltcl-12 - 12.17-0ubuntu0.20.04.1 libecpg-dev - 12.17-0ubuntu0.20.04.1 postgresql-plpython3-12 - 12.17-0ubuntu0.20.04.1 libpq5 - 12.17-0ubuntu0.20.04.1 postgresql-doc-12 - 12.17-0ubuntu0.20.04.1 postgresql-12 - 12.17-0ubuntu0.20.04.1 postgresql-client-12 - 12.17-0ubuntu0.20.04.1 libecpg-compat3 - 12.17-0ubuntu0.20.04.1 No subscription required.
Fixed and/or Unaffected VMware Products and Versions
- Cflinuxfs4
- 1.57.0 or greater
- CF Deployment
- 35.0.0 or greater
- Jammy Stemcells
- 1.327 or greater
- Isolation Segment
- 4.0.14+LTS-T or greater
- 5.0.4 or greater
- 6.0.x unaffected
- VMware Tanzu Application Service for VMs
- 4.0.14+LTS-T or greater
- 5.0.4 or greater
- 6.0.x unaffected
References
https://ubuntu.com/security/notices/USN-6538-1
https://www.cloudfoundry.org/blog/usn-6538-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6538-1
History
2023-12-06: Initial vulnerability report published.