Several security issues were fixed in PostgreSQL.
Software Description:
- postgresql-12: Object-relational SQL database
- postgresql-10: Object-relational SQL database
- postgresql-9.5: Object-relational SQL database
Details:
Noah Misch discovered that PostgreSQL incorrectly handled the search_path
setting when used with logical replication. A remote attacker could
possibly use this issue to execute arbitrary SQL code. This issue only
affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-14349)
Andres Freund discovered that PostgreSQL incorrectly handled search path
elements in CREATE EXTENSION. A remote attacker could possibly use this
issue to execute arbitrary SQL code. (CVE-2020-14350)
The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: postgresql-12 12.4-0ubuntu0.20.04.1 Ubuntu 18.04 LTS: postgresql-10 10.14-0ubuntu0.18.04.1 Ubuntu 16.04 LTS: postgresql-9.5 9.5.23-0ubuntu0.16.04.1 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart PostgreSQL to make all the necessary changes.
https://ubuntu.com/security/notices/USN-4472-1
CVE-2020-14349, CVE-2020-14350
Get the latest Linux and open source security news straight to your inbox.