git: 410606183438 - main - databases/postgresql??-server: multiple security issues
Palle Girgensohn
girgen at FreeBSD.org
Sat May 15 09:12:52 UTC 2021
The branch main has been updated by girgen:
URL: https://cgit.FreeBSD.org/ports/commit/?id=41060618343864d958bac8d10ff4dd39b398b3a3
commit 41060618343864d958bac8d10ff4dd39b398b3a3
Author: Palle Girgensohn <girgen at FreeBSD.org>
AuthorDate: 2021-05-14 16:03:55 +0000
Commit: Palle Girgensohn <girgen at FreeBSD.org>
CommitDate: 2021-05-15 09:12:15 +0000
databases/postgresql??-server: multiple security issues
---
security/vuxml/vuln.xml | 103 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 103 insertions(+)
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 050523d6bd6a..477ceae1e6d2 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -76,6 +76,109 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="62da9702-b4cc-11eb-b9c9-6cc21735f730">
+ <topic>PostgreSQL server -- two security issues</topic>
+ <affects>
+ <package>
+ <name>postgresql13-server</name>
+ <range><lt>13.3</lt></range>
+ </package>
+ <package>
+ <name>postgresql12-server</name>
+ <range><lt>12.7</lt></range>
+ </package>
+ <package>
+ <name>postgresql11-server</name>
+ <range><lt>11.12</lt></range>
+ </package>
+ <package>
+ <name>postgresql10-server</name>
+ <range><lt>10.17</lt></range>
+ </package>
+ <package>
+ <name>postgresql96-server</name>
+ <range><lt>9.6.22</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The PostgreSQL project reports:</p>
+ <blockquote cite="https://www.postgresql.org/support/security/CVE-2021-32028/">
+ <p>Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE</p>
+ <p>
+ Using an INSERT ... ON CONFLICT ... DO UPDATE command on a
+ purpose-crafted table, an attacker can read arbitrary bytes of
+ server memory. In the default configuration, any authenticated
+ database user can create prerequisite objects and complete this
+ attack at will. A user lacking the CREATE and TEMPORARY privileges
+ on all databases and the CREATE privilege on all schemas cannot use
+ this attack at will..
+ </p>
+ </blockquote>
+ <blockquote cite="https://www.postgresql.org/support/security/CVE-2021-32027/">
+ <p>
+ Buffer overrun from integer overflow in array subscripting
+ calculations
+ </p>
+ <p>
+ While modifying certain SQL array values, missing bounds checks let
+ authenticated database users write arbitrary bytes to a wide area of
+ server memory.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.postgresql.org/support/security/CVE-2021-32027/</url>
+ <url>https://www.postgresql.org/support/security/CVE-2021-32028/</url>
+ </references>
+ <dates>
+ <discovery>2021-05-13</discovery>
+ <entry>2021-05-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="76e0bb86-b4cb-11eb-b9c9-6cc21735f730">
+ <topic>PostgreSQL -- Memory disclosure in partitioned-table UPDATE ... RETURNING</topic>
+ <affects>
+ <package>
+ <name>postgresql13-server</name>
+ <range><lt>13.3</lt></range>
+ </package>
+ <package>
+ <name>postgresql12-server</name>
+ <range><lt>12.7</lt></range>
+ </package>
+ <package>
+ <name>postgresql11-server</name>
+ <range><lt>11.12</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The PostgreSQL project reports:</p>
+ <blockquote cite="https://www.postgresql.org/support/security/CVE-2021-32029/">
+ <p>
+ Using an UPDATE ... RETURNING on a purpose-crafted partitioned
+ table, an attacker can read arbitrary bytes of server memory. In the
+ default configuration, any authenticated database user can create
+ prerequisite objects and complete this attack at will. A user
+ lacking the CREATE and TEMPORARY privileges on all databases and the
+ CREATE privilege on all schemas typically cannot use this attack at
+ will.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.postgresql.org/support/security/CVE-2021-32029/</url>
+ </references>
+ <dates>
+ <discovery>2021-05-13</discovery>
+ <entry>2021-05-14</entry>
+ </dates>
+ </vuln>
+
<vuln vid="fc75570a-b417-11eb-a23d-c7ab331fd711">
<topic>Prosody -- multiple vulnerabilities</topic>
<affects>
More information about the dev-commits-ports-all
mailing list