USN-6656-1: PostgreSQL vulnerability
24841
25 July 2024
25 July 2024
CLOSED
MEDIUM
CVE-2024-0985
Severity
medium
Vendor
VMware Tanzu
Versions Affected
- Canonical Ubuntu 22.04
It was discovered that PostgreSQL incorrectly handled dropping privileges when handling REFRESH MATERIALIZED VIEW CONCURRENTLY commands. If a user or automatic system were tricked into running a specially crafted command, a remote attacker could possibly use this issue to execute arbitrary SQL functions. Update Instructions: Run `sudo pro fix USN-6656-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: postgresql-server-dev-12 - 12.18-0ubuntu0.20.04.1 libecpg6 - 12.18-0ubuntu0.20.04.1 libpq-dev - 12.18-0ubuntu0.20.04.1 libpgtypes3 - 12.18-0ubuntu0.20.04.1 postgresql-plperl-12 - 12.18-0ubuntu0.20.04.1 postgresql-pltcl-12 - 12.18-0ubuntu0.20.04.1 libecpg-dev - 12.18-0ubuntu0.20.04.1 postgresql-plpython3-12 - 12.18-0ubuntu0.20.04.1 libpq5 - 12.18-0ubuntu0.20.04.1 postgresql-doc-12 - 12.18-0ubuntu0.20.04.1 postgresql-12 - 12.18-0ubuntu0.20.04.1 postgresql-client-12 - 12.18-0ubuntu0.20.04.1 libecpg-compat3 - 12.18-0ubuntu0.20.04.1 No subscription required.
Fixed and Unaffected VMware Products and Versions
- Cflinixfs4
- 1.74.0 or greater
- CF Deployment
- 39.1.0 or greater
- Isolation Segment
- 4.0.19+LTS-T or greater
- 5.0.9 or greater
- 6.0.x unaffected
- VMware Tanzu Applications Service for VMs
- 4.0.19+LTS-T or greater
- 5.0.9 or greater
- 6.0.x unaffected
References
https://ubuntu.com/security/notices/USN-6656-1
https://www.cloudfoundry.org/blog/usn-6656-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6656-1
History
2024-02-26: Initial vulnerability report published.