Opened 16 months ago
Closed 16 months ago
#18841 closed enhancement (fixed)
postgresql-16.1
| Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | high | Milestone: | 12.1 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
New minor version.
Change History (3)
comment:1 by , 16 months ago
| Owner: | changed from | to |
|---|---|---|
| Status: | new → assigned | |
comment:2 by , 16 months ago
| Priority: | normal → high |
|---|---|
comment:3 by , 16 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at 1eb083a4bacf53b10c164263132463eb4f56051f
SA-12.0-041 issued
Bug Fixes and Improvements
This update fixes over 55 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 16. Some of these issues may also affect other supported versions of PostgreSQL.
Security Fixes
CVE-2023-5868: Memory disclosure in aggregate function calls
CVSS v3 Base Score: 4.3
Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.
Certain aggregate function calls receiving "unknown"-type arguments could disclose bytes of server memory from the end of the "unknown"-type value to the next zero byte. One typically gets an "unknown"-type value via a string literal having no type designation. We have not confirmed or ruled out viability of attacks that arrange for presence of notable, confidential information in disclosed bytes.
CVE-2023-5869: Buffer overrun from integer overflow in array modification
CVSS v3 Base Score: 8.8
Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.
While modifying certain SQL array values, missing overflow checks let authenticated database users write arbitrary bytes to a memory area that facilitates arbitrary code execution. Missing overflow checks also let authenticated database users read a wide area of server memory. The CVE-2021-32027 fix covered some attacks of this description, but it missed others.
CVE-2023-5870: Role pg_cancel_backend can signal certain superuser processes
CVSS v3 Base Score: 2.2
Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.
Documentation says the pg_cancel_backend role cannot signal "a backend owned by a superuser". On the contrary, it can signal background workers, including the logical replication launcher. It can signal autovacuum workers and the autovacuum launcher. Signaling autovacuum workers and those two launchers provides no meaningful exploit, so exploiting this vulnerability requires a non-core extension with a less-resilient background worker. For example, a non-core background worker that does not auto-restart would experience a denial of service with respect to that particular background worker.
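As an added example, not part of the ticket or of the PostgreSQL release notes, the catalog queries below let an administrator check the points the notes raise on a live server: whether the running 16.x server is at least 16.1, which roles hold pg_cancel_backend (the role CVE-2023-5870 concerns), and which non-core background workers are present. The catalog names and functions are standard PostgreSQL; the version threshold and role name come from the text above.

```sql
-- Added audit queries (not from the ticket or the PostgreSQL project).

-- 1. Confirm the running server is at least 16.1. server_version_num encodes
--    16.1 as 160001; the notes list major version 16 as affected before 16.1.
SELECT current_setting('server_version')                     AS version,
       current_setting('server_version_num')::int >= 160001  AS at_least_16_1;

-- 2. CVE-2023-5870: list every non-superuser role that is a member of
--    pg_cancel_backend, directly or through role inheritance. On an unpatched
--    server that membership reaches background workers, not only client backends.
SELECT r.rolname
FROM   pg_roles r
WHERE  pg_has_role(r.oid, 'pg_cancel_backend', 'MEMBER')
AND    r.rolname <> 'pg_cancel_backend'
AND    NOT r.rolsuper          -- superusers are implicitly members of every role
ORDER  BY r.rolname;

-- 3. Enumerate background workers that are not core server processes. The notes
--    say practical impact depends on a non-core worker that does not auto-restart,
--    so anything listed here is worth reviewing against its extension's behaviour.
SELECT pid, backend_type, backend_start
FROM   pg_stat_activity
WHERE  backend_type NOT IN ('client backend', 'standalone backend',
                            'autovacuum launcher', 'autovacuum worker',
                            'logical replication launcher',
                            'logical replication worker', 'parallel worker',
                            'checkpointer', 'background writer', 'walwriter',
                            'walsender', 'walreceiver', 'startup', 'archiver')
ORDER  BY backend_start;
```

Run the three queries as a superuser (or a role with pg_read_all_stats) so that pg_stat_activity shows every process; query 2 is the one to re-run after any GRANT on pg_cancel_backend.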