USN-5440-1: PostgreSQL vulnerability
24 May 2022
PostgreSQL could be made to execute commands as the superuser.
Releases
Packages
- postgresql-10 - Object-relational SQL database
- postgresql-12 - Object-relational SQL database
- postgresql-13 - Object-relational SQL database
- postgresql-14 - Object-relational SQL database
Details
Alexander Lakhin discovered that PostgreSQL incorrectly handled the
security restricted operation sandbox when a privileged user is maintaining
another user's objects. An attacker having permission to create non-temp
objects can use this issue to execute arbitrary commands as the superuser.
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 22.04
Ubuntu 21.10
Ubuntu 20.04
Ubuntu 18.04
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
References
Related notices
- USN-5676-1: postgresql-client-9.5, postgresql-9.5, postgresql-plpython3-9.5, libpq5, libecpg-compat3, postgresql-doc-9.5, postgresql-pltcl-9.5, postgresql-server-dev-9.5, libecpg-dev, postgresql-plpython-9.5, libpgtypes3, postgresql-plperl-9.5, libecpg6, libpq-dev, postgresql-contrib-9.5