[Debian] High CVE: CVE-2023-5868/CVE-2023-5869/CVE-2023-5870/CVE-2023-39417 postgresql-13 : multiple CVEs

Bug #2043435 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Peng Zhang
Milestone: (none)

Bug Description

CVE-2023-5868: https://nvd.nist.gov/vuln/detail/CVE-2023-5868

None

CVE-2023-5869: https://nvd.nist.gov/vuln/detail/CVE-2023-5869

None

CVE-2023-5870: https://nvd.nist.gov/vuln/detail/CVE-2023-5870

None

CVE-2023-39417: https://nvd.nist.gov/vuln/detail/CVE-2023-39417

In the extension script, a SQL injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.

Base Score: High
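The CVE-2023-39417 description above names a concrete pattern an administrator can audit for before installing a trusted, non-bundled extension: one of the substitution placeholders appearing inside a quoting construct in the extension's SQL script. The checker below is an added example written for this page; it is not code from PostgreSQL, Debian or StarlingX. It implements a simplified SQL lexer (single quotes with doubled-quote escapes, double quotes, dollar quoting, and `--`/`/* */` comments; it does not model `E'...'` backslash escapes) and reports every @extowner@, @extschema@ or @extschema:name@ that sits inside a quoted region. The sample script is constructed for the demonstration and does not come from any real extension.

```python
import re
from typing import List, Optional, Tuple

# Placeholders that PostgreSQL substitutes textually while running an
# extension script (the names come from the CVE description).
PLACEHOLDER_RE = re.compile(r"@(extowner|extschema|extschema:[A-Za-z0-9_]+)@")
# Opening dollar-quote tag: $$ or $tag$
DOLLAR_OPEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)?\$")


def find_quoted_placeholders(script: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, placeholder, quote_kind) for every placeholder
    found inside a quoting construct.  quote_kind is "'", '"' or "dollar".
    Placeholders outside quotes are not reported: that is the safe usage."""
    findings: List[Tuple[int, str, str]] = []
    quote: Optional[str] = None  # None, "'", '"', or the dollar tag (e.g. "$body$")
    i, n = 0, len(script)
    while i < n:
        ch = script[i]
        if quote is None:
            # Outside any quote: skip comments, open quotes, otherwise advance.
            if script.startswith("--", i):
                end = script.find("\n", i)
                i = n if end == -1 else end
                continue
            if script.startswith("/*", i):
                end = script.find("*/", i + 2)
                i = n if end == -1 else end + 2
                continue
            if ch in ("'", '"'):
                quote = ch
                i += 1
                continue
            m = DOLLAR_OPEN_RE.match(script, i)
            if m:
                quote = m.group(0)
                i = m.end()
                continue
            i += 1
        else:
            # Inside a quote: a placeholder here is the pattern the CVE names.
            m = PLACEHOLDER_RE.match(script, i)
            if m:
                line = script.count("\n", 0, i) + 1
                kind = "dollar" if quote.startswith("$") else quote
                findings.append((line, m.group(0), kind))
                i = m.end()
                continue
            if quote in ("'", '"'):
                if ch == quote:
                    if i + 1 < n and script[i + 1] == quote:
                        i += 2  # doubled quote char escapes itself
                        continue
                    quote = None
                i += 1
            elif script.startswith(quote, i):
                i += len(quote)  # closing dollar tag
                quote = None
            else:
                i += 1
    return findings


def script_is_clean(script: str) -> bool:
    """True when no placeholder appears inside a quoting construct."""
    return not find_quoted_placeholders(script)


# Constructed sample (hypothetical extension, not from any real project).
SAMPLE_SCRIPT = """
-- constructed sample extension script
CREATE FUNCTION @extschema@.safe_fn() RETURNS int AS $$ SELECT 1 $$ LANGUAGE sql;

CREATE FUNCTION @extschema@.unsafe_fn() RETURNS text AS $body$
  SELECT '@extschema@';
$body$ LANGUAGE sql;

COMMENT ON FUNCTION @extschema@.safe_fn() IS 'installed by @extowner@';
"""

if __name__ == "__main__":
    for line, placeholder, kind in find_quoted_placeholders(SAMPLE_SCRIPT):
        print(f"line {line}: {placeholder} inside {kind} quoting")
```

Run against the sample, the checker reports the `@extschema@` inside the `$body$` function body on line 6 and the `@extowner@` inside the single-quoted COMMENT string on line 9, while the unquoted `@extschema@.safe_fn()` references are left alone. Pointing it at the `.sql` files of an extension before installation gives a quick signal on whether that extension relied on the pattern the description above calls out.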

Reference:

Package upgrades (before -> after):
libpq5_13.11-0+deb11u1_amd64.deb -> libpq5_13.13-0+deb11u1_amd64.deb
libpq-dev_13.11-0+deb11u1_amd64.deb -> libpq-dev_13.13-0+deb11u1_amd64.deb
postgresql-13_13.11-0+deb11u1_amd64.deb -> postgresql-13_13.13-0+deb11u1_amd64.deb
postgresql-client-13_13.11-0+deb11u1_amd64.deb -> postgresql-client-13_13.13-0+deb11u1_amd64.deb
https://www.debian.org/security/2023/dsa-5554

Peng Zhang (pzhang2)
Changed in starlingx:
assignee: nobody → Peng Zhang (pzhang2)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/901007

OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/901007
Committed: https://opendev.org/starlingx/tools/commit/0b899d4bc497804603077fbe0cec67f27cffbefb
Submitter: "Zuul (22348)"
Branch: master

commit 0b899d4bc497804603077fbe0cec67f27cffbefb
Author: Peng Zhang <email address hidden>
Date: Mon Nov 13 05:23:17 2023 +0000

    Debian: postgresql: fix multiple CVEs

    Upgrade libpq5, libpq-dev, postgresql-13, postgresql-client-13
    package version from 13.11-0+deb11u1 to 13.13-0+deb11u1 to fix
    CVE: CVE-2023-5868/CVE-2023-5869/CVE-2023-5870/CVE-2023-39417.

    Refer to:
    CVE-2023-5868: https://nvd.nist.gov/vuln/detail/CVE-2023-5868
    CVE-2023-5869: https://nvd.nist.gov/vuln/detail/CVE-2023-5869
    CVE-2023-5870: https://nvd.nist.gov/vuln/detail/CVE-2023-5870
    CVE-2023-39417: https://nvd.nist.gov/vuln/detail/CVE-2023-39417

    Test Plan:
    Pass: downloader
    Pass: build-pkgs --clean --all
    Pass: build-image
    Pass: boot

    Closes-bug: #2043435

    Change-Id: I699aebc4ca8144dba67d531a195968460b80a29e
    Signed-off-by: Peng Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released