git: 4a835475da61 - main - security/vuxml: postgresql??-server vuln CVE-2022-1552
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 12 May 2022 13:42:33 UTC
The branch main has been updated by girgen:
URL: https://cgit.FreeBSD.org/ports/commit/?id=4a835475da61e30632ee58f316429d7352d271a5
commit 4a835475da61e30632ee58f316429d7352d271a5
Author: Palle Girgensohn <girgen@FreeBSD.org>
AuthorDate: 2022-05-11 16:29:46 +0000
Commit: Palle Girgensohn <girgen@FreeBSD.org>
CommitDate: 2022-05-12 13:40:16 +0000
security/vuxml: postgresql??-server vuln CVE-2022-1552
---
security/vuxml/vuln-2022.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index 801f0e373acb..0ac5ff7bcd8b 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,57 @@
+ <vuln vid="157ce083-d145-11ec-ab9b-6cc21735f730">
+ <topic>PostgreSQL Server -- execute arbitrary SQL code as DBA user</topic>
+ <affects>
+ <package>
+ <name>postgresql14-server</name>
+ <range><lt>14.3</lt></range>
+ </package>
+ <package>
+ <name>postgresql13-server</name>
+ <range><lt>13.7</lt></range>
+ </package>
+ <package>
+ <name>postgresql12-server</name>
+ <range><lt>12.11</lt></range>
+ </package>
+ <package>
+ <name>postgresql11-server</name>
+ <range><lt>11.16</lt></range>
+ </package>
+ <package>
+ <name>postgresql10-server</name>
+ <range><lt>10.21</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The PostgreSQL project reports:</p>
+ <blockquote>
+ <p>
+ Confine additional operations within "security restricted
+ operation" sandboxes.
+ </p>
+ <p>
+ Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW,
+ and pg_amcheck activated the "security restricted operation" protection
+ mechanism too late, or even not at all in some code paths.
+ A user having permission to create non-temporary objects within a
+ database could define an object that would execute arbitrary SQL
+ code with superuser permissions the next time that autovacuum
+ processed the object, or that some superuser ran one of the affected
+ commands against it.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2022-1552</cvename>
+ </references>
+ <dates>
+ <discovery>2022-05-11</discovery>
+ <entry>2022-05-11</entry>
+ </dates>
+ </vuln>
+
<vuln vid="ac91cf5e-d098-11ec-bead-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>