[SECURITY] [DSA 5622-1] postgresql-13 security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 5622-1] postgresql-13 security update
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Wed, 14 Feb 2024 19:59:04 +0000
Message-id: <Zc0biNpx9c/UjlLG@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5622-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 14, 2024                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-13
CVE ID         : CVE-2024-0985

It was discovered that a late privilege drop in the "REFRESH MATERIALIZED
VIEW CONCURRENTLY" command could allow an attacker to trick a user with
higher privileges to run SQL commands with these permissions.

For the oldstable distribution (bullseye), this problem has been fixed
in version 13.14-0+deb11u1.

We recommend that you upgrade your postgresql-13 packages.

For the detailed security status of postgresql-13 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-13

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXNGV8ACgkQEMKTtsN8
TjYPYBAAlJuqv8akj+o9j/7gYbpr2LNymLYvhDuHDtHjMMSoT5zBYxCMtKtgc84v
aEFLrm+1CAejvV+8kOTN8cbFF2CSacfFKDV2/9JJY/dxKZ50QL92QNPnZ6aq7KeM
/iX8Sqp58dey+/VyNy9S8Mv2fVRN8g7UprR+hBKNyqtMAW7np+C5LUgOLYJc4Iqc
DPHTTAcMKSYn5vCCQrF7QbCKEzT9KDena7xax6HPR+8F5EI0TIBXL97naslyoLKK
oHrZPDl7hDUxw+IBYfpcMHZWQCSpCP50OUDnZBcPVRCatbki6pDdM6lymXhDWxbh
uRlBAUmuPRozP8qrfh+m2EBb2aRDz2QJlmehrY8J+j0tM0dJi1dX34SSqLd3nFyZ
/24KZoNwkAXbb+OBZD1jsu1IMxWvZm3QhlGRUXnXF7AyJiKQDaOz2b1W9B19Fmm3
z6bQaEbgGf0MTtT/IpEwDMqGrnkl210KA/qVl1gFSbLETGjPh0rLY8ANuKNLGuDs
1yPEULUBm0G7ZO7JgjlfMvZLlbNotz0Jl5jKr0uGdT+q8H8NxDUT7UJlDiUNDXm0
D0LK1vzhr86fGRW9lG8a+OntOpnHPrWbFi5mVTIcuPmd6ekIvOCTeAg6dLliuLcf
fFlWOUD20Xxsz8M0Xkd4NEAod67bk4NWzbHA0XSVa6M0z2u1lok=
=Kp2y
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DSA 5621-1] bind9 security update
Next by Date: [SECURITY] [DSA 5623-1] postgresql-15 security update
Previous by thread: [SECURITY] [DSA 5621-1] bind9 security update
Next by thread: [SECURITY] [DSA 5623-1] postgresql-15 security update
Index(es):
- Date
- Thread