USN-6570-1: PostgreSQL vulnerabilities
24806
07 August 2024
23 July 2024
CLOSED
MEDIUM
CVE-2023-5869;CVE-2023-5870
Severity
medium
Vendor
VMware Tanzu
Versions Affected
- Canonical Ubuntu 16.04
Pedro Gallegos discovered that PostgreSQL incorrectly handled modifying certain SQL array values. A remote attacker could use this issue to obtain sensitive information, or possibly execute arbitrary code. (CVE-2023-5869)

Hemanth Sandrana and Mahendrakar Srinivasarao discovered that PostgreSQL allowed the pg_signal_backend role to signal certain superuser processes, contrary to expectations. (CVE-2023-5870)

Update Instructions:
Run `sudo pro fix USN-6570-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions:
- postgresql-doc-9.5 - 9.5.25-0ubuntu0.16.04.1+esm6
- postgresql-plperl-9.5 - 9.5.25-0ubuntu0.16.04.1+esm6
- postgresql-server-dev-9.5 - 9.5.25-0ubuntu0.16.04.1+esm6
- postgresql-9.5 - 9.5.25-0ubuntu0.16.04.1+esm6
- postgresql-plpython-9.5 - 9.5.25-0ubuntu0.16.04.1+esm6
- libecpg6 - 9.5.25-0ubuntu0.16.04.1+esm6
- postgresql-client-9.5 - 9.5.25-0ubuntu0.16.04.1+esm6
- libpq-dev - 9.5.25-0ubuntu0.16.04.1+esm6
- postgresql-contrib-9.5 - 9.5.25-0ubuntu0.16.04.1+esm6
- libpgtypes3 - 9.5.25-0ubuntu0.16.04.1+esm6
- libecpg-dev - 9.5.25-0ubuntu0.16.04.1+esm6
- postgresql-pltcl-9.5 - 9.5.25-0ubuntu0.16.04.1+esm6
- libpq5 - 9.5.25-0ubuntu0.16.04.1+esm6
- postgresql-plpython3-9.5 - 9.5.25-0ubuntu0.16.04.1+esm6
- libecpg-compat3 - 9.5.25-0ubuntu0.16.04.1+esm6
Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro.
Fixed VMware Products and Versions
- Operations Manager
- 2.10.9 or greater
References
https://ubuntu.com/security/notices/USN-6570-1
https://www.cloudfoundry.org/blog/usn-6570-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6570-1
History
2024-01-09: Initial vulnerability report published.