USN-5676-1: PostgreSQL vulnerability
13 October 2022
PostgreSQL could be made to execute commands as the superuser.
Releases
Packages
- postgresql-9.5 - Object-relational SQL database
Details
Alexander Lakhin discovered that PostgreSQL incorrectly handled the
security restricted operation sandbox when a privileged user is maintaining
another user’s objects. An attacker having permission to create non-temp
objects can use this issue to execute arbitrary commands as the superuser.
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.04
-
postgresql-9.5
-
9.5.25-0ubuntu0.16.04.1+esm2
Available with Ubuntu Pro
After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
Related notices
- USN-5440-1: postgresql-10, postgresql-doc-12, postgresql-pltcl-10, postgresql-13, postgresql-doc-13, postgresql-plpython3-10, libecpg-compat3, postgresql-plperl-14, postgresql-plpython3-13, postgresql-doc-10, postgresql-client-13, postgresql-14, postgresql-plperl-13, postgresql-plpython3-12, postgresql-12, postgresql-plpython-10, postgresql-doc-14, libecpg-dev, postgresql-client-10, postgresql-client-12, postgresql-plperl-10, postgresql-plpython3-14, postgresql-pltcl-12, postgresql-plperl-12, postgresql-server-dev-14, postgresql-server-dev-10, postgresql-server-dev-13, postgresql-client-14, libpq5, libpgtypes3, libpq-dev, postgresql-pltcl-13, libecpg6, postgresql-server-dev-12, postgresql-pltcl-14