#16538 closed enhancement (fixed)
postgresql-14.3
Reported by: | Bruce Dubbs | Owned by: | Bruce Dubbs |
---|---|---|---|
Priority: | high | Milestone: | 11.2 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New minor version.
Change History (4)
comment:1 by , 3 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 3 years ago
comment:3 by , 3 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at commits
d0ae40e689 Update to postgresql-14.3.
126cd18eb0 Update to NetworkManager-1.38.0.
comment:4 by , 3 years ago
Priority: | normal → high |
---|
Retroactively promote to High due to CVE-2022-1552:
--- Confine additional operations within “security restricted operation” sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW, and pg_amcheck activated the “security restricted operation” protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2022-1552) ---
High rating due to an 8.8 CVSSv3 score per Red Hat at https://access.redhat.com/security/cve/cve-2022-1552
Release notes can be found at https://www.postgresql.org/docs/current/release-14-3.html#id-1.11.6.5.5