Описание
Security update for postgresql13
This update for postgresql13 fixes the following issues:
Updated to version 13.11:
- CVE-2023-2454: Fixed an issue where a user having permission to create a schema could hijack the privileges of a security definer function or extension script (bsc#1211228).
- CVE-2023-2455: Fixed an issue that could allow a user to see or modify rows that should have been invisible (bsc#1211229).
- Internal fixes (bsc#1210303).
Список пакетов
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server for SAP Applications 12 SP5
SUSE Linux Enterprise Software Development Kit 12 SP5
Ссылки
- Link for SUSE-SU-2023:2201-1
- E-Mail link for SUSE-SU-2023:2201-1
- SUSE Security Ratings
- SUSE Bug 1210303
- SUSE Bug 1211228
- SUSE Bug 1211229
- SUSE CVE CVE-2023-2454 page
- SUSE CVE CVE-2023-2455 page
Описание
schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.
Затронутые продукты
Ссылки
- CVE-2023-2454
- SUSE Bug 1211228
Описание
Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
Затронутые продукты
Ссылки
- CVE-2023-2455
- SUSE Bug 1211229