Date: Sat, 15 May 2021 09:12:52 GMT From: Palle Girgensohn <girgen@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 410606183438 - main - databases/postgresql??-server: multiple security issues Message-ID: <202105150912.14F9Cq1d059026@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by girgen: URL: https://cgit.FreeBSD.org/ports/commit/?id=41060618343864d958bac8d10ff4dd39b398b3a3 commit 41060618343864d958bac8d10ff4dd39b398b3a3 Author: Palle Girgensohn <girgen@FreeBSD.org> AuthorDate: 2021-05-14 16:03:55 +0000 Commit: Palle Girgensohn <girgen@FreeBSD.org> CommitDate: 2021-05-15 09:12:15 +0000 databases/postgresql??-server: multiple security issues --- security/vuxml/vuln.xml | 103 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 103 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 050523d6bd6a..477ceae1e6d2 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -76,6 +76,109 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="62da9702-b4cc-11eb-b9c9-6cc21735f730"> + <topic>PostgreSQL server -- two security issues</topic> + <affects> + <package> + <name>postgresql13-server</name> + <range><lt>13.3</lt></range> + </package> + <package> + <name>postgresql12-server</name> + <range><lt>12.7</lt></range> + </package> + <package> + <name>postgresql11-server</name> + <range><lt>11.12</lt></range> + </package> + <package> + <name>postgresql10-server</name> + <range><lt>10.17</lt></range> + </package> + <package> + <name>postgresql96-server</name> + <range><lt>9.6.22</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The PostgreSQL project reports:</p> + <blockquote cite="https://www.postgresql.org/support/security/CVE-2021-32028/">; + <p>Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE</p> + <p> + Using an INSERT ... ON CONFLICT ... DO UPDATE command on a + purpose-crafted table, an attacker can read arbitrary bytes of + server memory. In the default configuration, any authenticated + database user can create prerequisite objects and complete this + attack at will. A user lacking the CREATE and TEMPORARY privileges + on all databases and the CREATE privilege on all schemas cannot use + this attack at will.. + </p> + </blockquote> + <blockquote cite="https://www.postgresql.org/support/security/CVE-2021-32027/">; + <p> + Buffer overrun from integer overflow in array subscripting + calculations + </p> + <p> + While modifying certain SQL array values, missing bounds checks let + authenticated database users write arbitrary bytes to a wide area of + server memory. + </p> + </blockquote> + </body> + </description> + <references> + <url>https://www.postgresql.org/support/security/CVE-2021-32027/</url>; + <url>https://www.postgresql.org/support/security/CVE-2021-32028/</url>; + </references> + <dates> + <discovery>2021-05-13</discovery> + <entry>2021-05-14</entry> + </dates> + </vuln> + + <vuln vid="76e0bb86-b4cb-11eb-b9c9-6cc21735f730"> + <topic>PostgreSQL -- Memory disclosure in partitioned-table UPDATE ... RETURNING</topic> + <affects> + <package> + <name>postgresql13-server</name> + <range><lt>13.3</lt></range> + </package> + <package> + <name>postgresql12-server</name> + <range><lt>12.7</lt></range> + </package> + <package> + <name>postgresql11-server</name> + <range><lt>11.12</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The PostgreSQL project reports:</p> + <blockquote cite="https://www.postgresql.org/support/security/CVE-2021-32029/">; + <p> + Using an UPDATE ... RETURNING on a purpose-crafted partitioned + table, an attacker can read arbitrary bytes of server memory. In the + default configuration, any authenticated database user can create + prerequisite objects and complete this attack at will. A user + lacking the CREATE and TEMPORARY privileges on all databases and the + CREATE privilege on all schemas typically cannot use this attack at + will. + </p> + </blockquote> + </body> + </description> + <references> + <url>https://www.postgresql.org/support/security/CVE-2021-32029/</url>; + </references> + <dates> + <discovery>2021-05-13</discovery> + <entry>2021-05-14</entry> + </dates> + </vuln> + <vuln vid="fc75570a-b417-11eb-a23d-c7ab331fd711"> <topic>Prosody -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202105150912.14F9Cq1d059026>