USN-6802-1
See a problem?- Source
- https://ubuntu.com/security/notices/USN-6802-1
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6802-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/USN-6802-1
- Related
- Published
- 2024-05-30T11:59:25.825629Z
- Modified
- 2024-05-30T11:59:25.825629Z
- Summary
- postgresql-14, postgresql-15, postgresql-16 vulnerability
- Details
-
Lukas Fittl discovered that PostgreSQL incorrectly performed authorization in the built-in pgstatsext and pgstatsext_exprs views. An unprivileged database user can use this issue to read most common values and other statistics from CREATE STATISTICS commands of other users.
NOTE: This update will only fix fresh PostgreSQL installations. Current PostgreSQL installations will remain vulnerable to this issue until manual steps are performed. Please see the instructions in the changelog located at /usr/share/doc/postgresql-*/changelog.Debian.gz after the updated packages have been installed, or in the PostgreSQL release notes located here:
https://www.postgresql.org/docs/16/release-16-3.html https://www.postgresql.org/docs/15/release-15-7.html https://www.postgresql.org/docs/14/release-14-12.html
- References
Affected packages
Ubuntu:22.04:LTS / postgresql-14
Package
- Name
- postgresql-14
- Purl
- pkg:deb/ubuntu/postgresql-14@14.12-0ubuntu0.22.04.1?arch=src?distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed14.12-0ubuntu0.22.04.1
Affected versions
14.*
14.1-1ubuntu1
14.2-1
14.2-1ubuntu1
14.3-0ubuntu0.22.04.1
14.4-0ubuntu0.22.04.1
14.5-0ubuntu0.22.04.1
14.6-0ubuntu0.22.04.1
14.7-0ubuntu0.22.04.1
14.8-0ubuntu0.22.04.1
14.9-0ubuntu0.22.04.1
14.10-0ubuntu0.22.04.1
14.11-0ubuntu0.22.04.1
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"postgresql-client-14": "14.12-0ubuntu0.22.04.1",
"libecpg-compat3-dbgsym": "14.12-0ubuntu0.22.04.1",
"libecpg6": "14.12-0ubuntu0.22.04.1",
"libecpg-compat3": "14.12-0ubuntu0.22.04.1",
"libecpg6-dbgsym": "14.12-0ubuntu0.22.04.1",
"postgresql-server-dev-14": "14.12-0ubuntu0.22.04.1",
"libecpg-dev": "14.12-0ubuntu0.22.04.1",
"postgresql-14-dbgsym": "14.12-0ubuntu0.22.04.1",
"libpq5": "14.12-0ubuntu0.22.04.1",
"libpq5-dbgsym": "14.12-0ubuntu0.22.04.1",
"postgresql-plperl-14": "14.12-0ubuntu0.22.04.1",
"postgresql-doc-14": "14.12-0ubuntu0.22.04.1",
"libpgtypes3": "14.12-0ubuntu0.22.04.1",
"libpq-dev": "14.12-0ubuntu0.22.04.1",
"libecpg-dev-dbgsym": "14.12-0ubuntu0.22.04.1",
"postgresql-pltcl-14-dbgsym": "14.12-0ubuntu0.22.04.1",
"libpgtypes3-dbgsym": "14.12-0ubuntu0.22.04.1",
"postgresql-client-14-dbgsym": "14.12-0ubuntu0.22.04.1",
"postgresql-plpython3-14-dbgsym": "14.12-0ubuntu0.22.04.1",
"postgresql-pltcl-14": "14.12-0ubuntu0.22.04.1",
"postgresql-14": "14.12-0ubuntu0.22.04.1",
"postgresql-plperl-14-dbgsym": "14.12-0ubuntu0.22.04.1",
"postgresql-plpython3-14": "14.12-0ubuntu0.22.04.1"
}
]
}
Ubuntu:23.10 / postgresql-15
Package
- Name
- postgresql-15
- Purl
- pkg:deb/ubuntu/postgresql-15@15.7-0ubuntu0.23.10.1?arch=src?distro=mantic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed15.7-0ubuntu0.23.10.1
Affected versions
15.*
15.2-1
15.2-2
15.3-1
15.4-1ubuntu1
15.5-0ubuntu0.23.10.1
15.6-0ubuntu0.23.10.1
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"libecpg6-dbgsym": "15.7-0ubuntu0.23.10.1",
"libecpg-compat3-dbgsym": "15.7-0ubuntu0.23.10.1",
"libecpg6": "15.7-0ubuntu0.23.10.1",
"postgresql-plpython3-15-dbgsym": "15.7-0ubuntu0.23.10.1",
"postgresql-client-15-dbgsym": "15.7-0ubuntu0.23.10.1",
"libecpg-dev": "15.7-0ubuntu0.23.10.1",
"postgresql-doc-15": "15.7-0ubuntu0.23.10.1",
"libpq5": "15.7-0ubuntu0.23.10.1",
"postgresql-plperl-15-dbgsym": "15.7-0ubuntu0.23.10.1",
"libpq5-dbgsym": "15.7-0ubuntu0.23.10.1",
"postgresql-plperl-15": "15.7-0ubuntu0.23.10.1",
"libpgtypes3": "15.7-0ubuntu0.23.10.1",
"libpq-dev": "15.7-0ubuntu0.23.10.1",
"libecpg-dev-dbgsym": "15.7-0ubuntu0.23.10.1",
"postgresql-15-dbgsym": "15.7-0ubuntu0.23.10.1",
"postgresql-server-dev-15": "15.7-0ubuntu0.23.10.1",
"postgresql-pltcl-15": "15.7-0ubuntu0.23.10.1",
"postgresql-15": "15.7-0ubuntu0.23.10.1",
"postgresql-pltcl-15-dbgsym": "15.7-0ubuntu0.23.10.1",
"libpgtypes3-dbgsym": "15.7-0ubuntu0.23.10.1",
"libecpg-compat3": "15.7-0ubuntu0.23.10.1",
"postgresql-plpython3-15": "15.7-0ubuntu0.23.10.1",
"postgresql-client-15": "15.7-0ubuntu0.23.10.1"
}
]
}
Ubuntu:24.04:LTS / postgresql-16
Package
- Name
- postgresql-16
- Purl
- pkg:deb/ubuntu/postgresql-16@16.3-0ubuntu0.24.04.1?arch=src?distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed16.3-0ubuntu0.24.04.1
Affected versions
16.*
16.0-2
16.1-1
16.1-1build1
16.1-1build3
16.2-1
16.2-1ubuntu2
16.2-1ubuntu3
16.2-1ubuntu4
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"postgresql-client-16": "16.3-0ubuntu0.24.04.1",
"postgresql-pltcl-16": "16.3-0ubuntu0.24.04.1",
"libecpg6": "16.3-0ubuntu0.24.04.1",
"postgresql-plperl-16": "16.3-0ubuntu0.24.04.1",
"libecpg6-dbgsym": "16.3-0ubuntu0.24.04.1",
"postgresql-doc-16": "16.3-0ubuntu0.24.04.1",
"postgresql-16": "16.3-0ubuntu0.24.04.1",
"libecpg-dev": "16.3-0ubuntu0.24.04.1",
"postgresql-server-dev-16": "16.3-0ubuntu0.24.04.1",
"postgresql-plpython3-16-dbgsym": "16.3-0ubuntu0.24.04.1",
"libpq5": "16.3-0ubuntu0.24.04.1",
"postgresql-client-16-dbgsym": "16.3-0ubuntu0.24.04.1",
"libpq5-dbgsym": "16.3-0ubuntu0.24.04.1",
"libpgtypes3": "16.3-0ubuntu0.24.04.1",
"postgresql-16-dbgsym": "16.3-0ubuntu0.24.04.1",
"libecpg-dev-dbgsym": "16.3-0ubuntu0.24.04.1",
"postgresql-pltcl-16-dbgsym": "16.3-0ubuntu0.24.04.1",
"libpq-dev": "16.3-0ubuntu0.24.04.1",
"libpgtypes3-dbgsym": "16.3-0ubuntu0.24.04.1",
"libecpg-compat3": "16.3-0ubuntu0.24.04.1",
"postgresql-plperl-16-dbgsym": "16.3-0ubuntu0.24.04.1",
"libecpg-compat3-dbgsym": "16.3-0ubuntu0.24.04.1",
"postgresql-plpython3-16": "16.3-0ubuntu0.24.04.1"
}
]
}