Debian 10262 Published by

A postgresql-9.4 security update has been released for Debian GNU/Linux 8 Extended LTS to address several vulnerabilities.



ELA-482-1 postgresql-9.4 security update

Package postgresql-9.4
Version 9.4.26-0+deb8u4
Related CVEs CVE-2020-25694 CVE-2020-25695 CVE-2020-25696 CVE-2021-32027

Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions.

CVE-2020-25694

If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist.

CVE-2020-25695

An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser.

CVE-2020-25696

If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql.

CVE-2021-32027

While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory.

For Debian 8 jessie, these problems have been fixed in version 9.4.26-0+deb8u4.

We recommend that you upgrade your postgresql-9.4 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

  ELA-482-1 postgresql-9.4 security update