ASA-202106-15 log original external raw

[ASA-202106-15] postgresql: multiple issues
Arch Linux Security Advisory ASA-202106-15 ========================================== Severity: Medium Date : 2021-06-01 CVE-ID : CVE-2021-32027 CVE-2021-32028 CVE-2021-32029 Package : postgresql Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1956 Summary ======= The package postgresql before version 13.3-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure. Resolution ========== Upgrade to 13.3-1. # pacman -Syu "postgresql>=13.3-1" The problems have been fixed upstream in version 13.3. Workaround ========== None. Description =========== - CVE-2021-32027 (arbitrary code execution) A security issue was found in PostgreSQL before version 13.3. While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory. - CVE-2021-32028 (information disclosure) A security issue was found in PostgreSQL before version 13.3. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an attacker can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this attack at will. A user lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas cannot use this attack at will. - CVE-2021-32029 (information disclosure) A security issue was found in PostgreSQL before version 13.3. Using an UPDATE ... RETURNING on a purpose-crafted partitioned table, an attacker can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this attack at will. A user lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas typically cannot use this attack at will. Impact ====== An authenticated remote attacker could read the database server memory or execute arbitrary code on the server. References ========== https://www.postgresql.org/support/security/CVE-2021-32027/ https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=467395bfdf33f1ccf67ca388ffdcc927271544cb https://www.postgresql.org/support/security/CVE-2021-32028/ https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=4a8656a7ee0c155b0249376af58eb3fc3a90415f https://www.postgresql.org/support/security/CVE-2021-32029/ https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=a71cfc56bf6013e3ea1d673acaf73fe7ebbd6bf3 https://security.archlinux.org/CVE-2021-32027 https://security.archlinux.org/CVE-2021-32028 https://security.archlinux.org/CVE-2021-32029

[ASA-202106-15] postgresql: multiple issues

Arch Linux Security Advisory ASA-202106-15 ========================================== Severity: Medium Date : 2021-06-01 CVE-ID : CVE-2021-32027 CVE-2021-32028 CVE-2021-32029 Package : postgresql Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1956 Summary ======= The package postgresql before version 13.3-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure. Resolution ========== Upgrade to 13.3-1. # pacman -Syu "postgresql>=13.3-1" The problems have been fixed upstream in version 13.3. Workaround ========== None. Description =========== - CVE-2021-32027 (arbitrary code execution) A security issue was found in PostgreSQL before version 13.3. While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory. - CVE-2021-32028 (information disclosure) A security issue was found in PostgreSQL before version 13.3. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an attacker can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this attack at will. A user lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas cannot use this attack at will. - CVE-2021-32029 (information disclosure) A security issue was found in PostgreSQL before version 13.3. Using an UPDATE ... RETURNING on a purpose-crafted partitioned table, an attacker can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this attack at will. A user lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas typically cannot use this attack at will. Impact ====== An authenticated remote attacker could read the database server memory or execute arbitrary code on the server. References ========== https://www.postgresql.org/support/security/CVE-2021-32027/ https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=467395bfdf33f1ccf67ca388ffdcc927271544cb https://www.postgresql.org/support/security/CVE-2021-32028/ https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=4a8656a7ee0c155b0249376af58eb3fc3a90415f https://www.postgresql.org/support/security/CVE-2021-32029/ https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=a71cfc56bf6013e3ea1d673acaf73fe7ebbd6bf3 https://security.archlinux.org/CVE-2021-32027 https://security.archlinux.org/CVE-2021-32028 https://security.archlinux.org/CVE-2021-32029