USN-6296-1: PostgreSQL vulnerabilities
17 August 2023
Several security issues were fixed in PostgreSQL.
- postgresql-12 - Object-relational SQL database
- postgresql-14 - Object-relational SQL database
- postgresql-15 - Object-relational SQL database
It was discovered that PostgreSQL incorrectly handled certain extension
script substitutions. An attacker having database-level CREATE privileges
can use this issue to execute arbitrary code as the bootstrap superuser.
It was discovered that PostgreSQL incorrectly handled the MERGE command. A
remote attacker could possibly use this issue to bypass certain UPDATE and
SELECT policies. This issue only affected Ubuntu 23.04. (CVE-2023-39418)
The problem can be corrected by updating your system to the following package versions:
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
- USN-6366-1: libecpg-compat3, postgresql-server-dev-9.5, postgresql-pltcl-9.5, libecpg6, postgresql-client-9.5, postgresql-doc-9.5, postgresql-plpython-9.5, postgresql-9.5, libecpg-dev, libpq-dev, postgresql-contrib-9.5, postgresql-plpython3-9.5, postgresql-plperl-9.5, libpgtypes3, libpq5