ELSA-2024-8495

Опубликовано: 16 дек. 2024

Источник: oracle-oval

Платформа: Oracle Linux 7

Описание

ELSA-2024-8495: postgresql security update (IMPORTANT)

[9.2.24-9.0.1]

Backport fix for CVE-2023-7348 [Orabug: 37220738]
Adds restriction on non-system views

Обновленные пакеты

Oracle Linux 7

Oracle Linux aarch64

postgresql-static

9.2.24-9.0.1.el7_9

postgresql-upgrade

9.2.24-9.0.1.el7_9

postgresql

9.2.24-9.0.1.el7_9

postgresql-contrib

9.2.24-9.0.1.el7_9

postgresql-devel

9.2.24-9.0.1.el7_9

postgresql-docs

9.2.24-9.0.1.el7_9

postgresql-libs

9.2.24-9.0.1.el7_9

postgresql-plperl

9.2.24-9.0.1.el7_9

postgresql-plpython

9.2.24-9.0.1.el7_9

postgresql-pltcl

9.2.24-9.0.1.el7_9

postgresql-server

9.2.24-9.0.1.el7_9

postgresql-test

9.2.24-9.0.1.el7_9

Oracle Linux x86_64

postgresql-static

9.2.24-9.0.1.el7_9

postgresql-upgrade

9.2.24-9.0.1.el7_9

postgresql

9.2.24-9.0.1.el7_9

postgresql-contrib

9.2.24-9.0.1.el7_9

postgresql-devel

9.2.24-9.0.1.el7_9

postgresql-docs

9.2.24-9.0.1.el7_9

postgresql-libs

9.2.24-9.0.1.el7_9

postgresql-plperl

9.2.24-9.0.1.el7_9

postgresql-plpython

9.2.24-9.0.1.el7_9

postgresql-pltcl

9.2.24-9.0.1.el7_9

postgresql-server

9.2.24-9.0.1.el7_9

postgresql-test

9.2.24-9.0.1.el7_9

Связанные CVE

CVE-2024-7348

Ссылки на источники

Связанные уязвимости

CVE-2024-7348

CVSS3: 8.8

ubuntu

11 месяцев назад

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.