[SECURITY] [DLA 3764-1] postgresql-11 security update

2024-03-1815:47:29

lists.debian.org

cve-2024-0985

debian security tracker

lts

sql commands

debian 10 buster

postgresql

security update

8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.5%

JSON

Debian LTS Advisory DLA-3764-1 [email protected]
https://www.debian.org/lts/security/ Adrian Bunk
March 18, 2024 https://wiki.debian.org/LTS

Package : postgresql-11
Version : 11.22-0+deb10u2
CVE ID : CVE-2024-0985

In the PostgreSQL database server, a late privilege drop in the
REFRESH MATERIALIZED VIEW CONCURRENTLY command could allow an
attacker to trick a user with higher privileges to run SQL commands.

For Debian 10 buster, this problem has been fixed in version
11.22-0+deb10u2.

We recommend that you upgrade your postgresql-11 packages.

For the detailed security status of postgresql-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-11

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian11mips64ellibecpg-dev-dbgsym< 13.14-0+deb11u1libecpg-dev-dbgsym_13.14-0+deb11u1_mips64el.deb
Debian12ppc64ellibecpg6< 15.6-0+deb12u1libecpg6_15.6-0+deb12u1_ppc64el.deb
Debian12arm64postgresql-pltcl-15-dbgsym< 15.6-0+deb12u1postgresql-pltcl-15-dbgsym_15.6-0+deb12u1_arm64.deb
Debian10armhfpostgresql-plpython3-11< 11.22-0+deb10u2postgresql-plpython3-11_11.22-0+deb10u2_armhf.deb
Debian11amd64libpq5-dbgsym< 13.14-0+deb11u1libpq5-dbgsym_13.14-0+deb11u1_amd64.deb
Debian11arm64libpgtypes3-dbgsym< 13.14-0+deb11u1libpgtypes3-dbgsym_13.14-0+deb11u1_arm64.deb
Debian12arm64libpq5-dbgsym< 15.6-0+deb12u1libpq5-dbgsym_15.6-0+deb12u1_arm64.deb
Debian10arm64postgresql-plpython-11< 11.22-0+deb10u2postgresql-plpython-11_11.22-0+deb10u2_arm64.deb
Debian12arm64libecpg-compat3-dbgsym< 15.6-0+deb12u1libecpg-compat3-dbgsym_15.6-0+deb12u1_arm64.deb
Debian10armhfpostgresql-11< 11.22-0+deb10u2postgresql-11_11.22-0+deb10u2_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	mips64el	libecpg-dev-dbgsym	< 13.14-0+deb11u1	libecpg-dev-dbgsym_13.14-0+deb11u1_mips64el.deb
Debian	12	ppc64el	libecpg6	< 15.6-0+deb12u1	libecpg6_15.6-0+deb12u1_ppc64el.deb
Debian	12	arm64	postgresql-pltcl-15-dbgsym	< 15.6-0+deb12u1	postgresql-pltcl-15-dbgsym_15.6-0+deb12u1_arm64.deb
Debian	10	armhf	postgresql-plpython3-11	< 11.22-0+deb10u2	postgresql-plpython3-11_11.22-0+deb10u2_armhf.deb
Debian	11	amd64	libpq5-dbgsym	< 13.14-0+deb11u1	libpq5-dbgsym_13.14-0+deb11u1_amd64.deb
Debian	11	arm64	libpgtypes3-dbgsym	< 13.14-0+deb11u1	libpgtypes3-dbgsym_13.14-0+deb11u1_arm64.deb
Debian	12	arm64	libpq5-dbgsym	< 15.6-0+deb12u1	libpq5-dbgsym_15.6-0+deb12u1_arm64.deb
Debian	10	arm64	postgresql-plpython-11	< 11.22-0+deb10u2	postgresql-plpython-11_11.22-0+deb10u2_arm64.deb
Debian	12	arm64	libecpg-compat3-dbgsym	< 15.6-0+deb12u1	libecpg-compat3-dbgsym_15.6-0+deb12u1_arm64.deb
Debian	10	armhf	postgresql-11	< 11.22-0+deb10u2	postgresql-11_11.22-0+deb10u2_armhf.deb