
Ubuntu 21.04 USN-4972-1 Moderate: PostgreSQL Memory Exploits

Ubuntu
June 1, 2021
Several vulnerabilities have been addressed in PostgreSQL on Ubuntu systems. Update the affected packages to reduce the risk of compromise.

Summary

Several security issues were fixed in PostgreSQL.

Software Description:

- postgresql-13: Object-relational SQL database

- postgresql-12: Object-relational SQL database

- postgresql-10: Object-relational SQL database

Details:

Tom Lane discovered that PostgreSQL incorrectly handled certain array
subscripting calculations. An authenticated attacker could possibly use
this issue to overwrite server memory and escalate privileges.
(CVE-2021-32027)

Andres Freund discovered that PostgreSQL incorrectly handled certain
INSERT ... ON CONFLICT ... DO UPDATE commands. A remote attacker could
possibly use this issue to read server memory and obtain sensitive
information. (CVE-2021-32028)

Tom Lane discovered that PostgreSQL incorrectly handled certain UPDATE ...
RETURNING commands. A remote attacker could possibly use this issue to read
server memory and obtain sensitive information. This issue only affected
Ubuntu 20.04 LTS, Ubuntu 20.10, and Ubuntu 21.04. (CVE-2021-32029)

...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.04:
  postgresql-13                   13.3-0ubuntu0.21.04.1

Ubuntu 20.10:
  postgresql-12                   12.7-0ubuntu0.20.10.1

Ubuntu 20.04 LTS:
  postgresql-12                   12.7-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:
  postgresql-10                   10.17-0ubuntu0.18.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
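The check an administrator wants before and after applying the update is whether the installed server package is already at or above the version listed above for the host's Ubuntu release. The script below is an added example, not part of USN-4972-1 or of Ubuntu's tooling: the release-to-package table is copied from the advisory, while the host detection (reading /etc/os-release and querying dpkg) and the function names are assumptions about a standard Ubuntu install. Version comparison uses dpkg's own ordering when dpkg is present and falls back to GNU sort -V otherwise.

```shell
#!/bin/sh
# Added example (not from the advisory): is the installed PostgreSQL server
# package on this Ubuntu host older than the USN-4972-1 fixed version?

# Package name for a given Ubuntu release, as listed in the advisory.
fixed_package_for() {
    case "$1" in
        21.04) echo postgresql-13 ;;
        20.10|20.04) echo postgresql-12 ;;
        18.04) echo postgresql-10 ;;
        *) return 1 ;;
    esac
}

# Fixed package version for a given Ubuntu release, as listed in the advisory.
fixed_version_for() {
    case "$1" in
        21.04) echo 13.3-0ubuntu0.21.04.1 ;;
        20.10) echo 12.7-0ubuntu0.20.10.1 ;;
        20.04) echo 12.7-0ubuntu0.20.04.1 ;;
        18.04) echo 10.17-0ubuntu0.18.04.1 ;;
        *) return 1 ;;
    esac
}

# version_lt A B: exit 0 when Debian version A sorts before version B.
# Prefers dpkg's comparison; the sort -V fallback agrees with it for the
# plain upstream-revision strings used in this advisory.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
            [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# needs_update INSTALLED RELEASE: exit 0 if INSTALLED is still vulnerable,
# 1 if it already carries the fix, 2 if RELEASE is not covered.
needs_update() {
    fixed=$(fixed_version_for "$2") || return 2
    version_lt "$1" "$fixed"
}

# check_host: inspect the running system and print a verdict. Assumes a
# standard Ubuntu layout (/etc/os-release, dpkg-query); degrades to an
# informational message elsewhere so the file is safe to source anywhere.
check_host() {
    [ -r /etc/os-release ] || { echo "no /etc/os-release; not an Ubuntu host"; return 0; }
    release=$(. /etc/os-release; echo "${VERSION_ID:-}")
    pkg=$(fixed_package_for "$release") || {
        echo "Ubuntu ${release:-unknown} is not covered by USN-4972-1"; return 0; }
    installed=$(dpkg-query -W -f '${Version}' "$pkg" 2>/dev/null) || {
        echo "$pkg is not installed"; return 0; }
    if needs_update "$installed" "$release"; then
        echo "$pkg $installed is vulnerable; fixed in $(fixed_version_for "$release")"
        echo "run: sudo apt update && sudo apt install --only-upgrade $pkg && sudo systemctl restart postgresql"
    else
        echo "$pkg $installed already includes the USN-4972-1 fix"
    fi
}

check_host
```

Because this update is a new upstream release rather than a backported patch, the restart step matters: a running postmaster keeps the old binaries mapped until it is restarted, so the script prints the restart alongside the apt commands rather than treating the package upgrade alone as remediation.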

References

https://ubuntu.com/security/notices/USN-4972-1

CVE-2021-32027, CVE-2021-32028, CVE-2021-32029
