
Debian GNU/Linux has been updated with security updates, including OpenJPEG2 for Debian 12, as well as PostgreSQL for Debian ELTS:

[DSA 5851-1] openjpeg2 security update
ELA-1304-1 postgresql-9.4 security update
ELA-1303-1 postgresql-9.6 security update
ELA-1302-1 postgresql-11 security update




[SECURITY] [DSA 5851-1] openjpeg2 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5851-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 27, 2025                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openjpeg2
CVE ID : CVE-2024-56826 CVE-2024-56827

Multiple vulnerabilities have been discovered in openjpeg2, the
open-source JPEG 2000 codec, which could result in denial of service or
the execution of arbitrary code if malformed images are opened.

For the stable distribution (bookworm), these problems have been fixed in
version 2.5.0-2+deb12u1.

We recommend that you upgrade your openjpeg2 packages.

For the detailed security status of openjpeg2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjpeg2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1304-1 postgresql-9.4 security update


Package : postgresql-9.4
Version : 9.4.26-0+deb8u11 (jessie)

Related CVEs :
CVE-2023-5870
CVE-2024-10977
CVE-2024-10978
CVE-2024-10979

Multiple security issues were discovered in PostgreSQL, which may result in
the execution of arbitrary code, privilege escalation, log manipulation, or
denial of service.

CVE-2023-5870
A flaw was found in PostgreSQL involving the pg_cancel_backend role that
signals background workers, including the logical replication launcher,
autovacuum workers, and the autovacuum launcher. Successful exploitation
requires a non-core extension with a less-resilient background worker
and would affect that specific background worker only.

CVE-2024-10977
Client use of server error message in PostgreSQL allows a server not
trusted under current SSL or GSS settings to furnish arbitrary non-NUL
bytes to the libpq application. For example, a man-in-the-middle attacker
could send a long error message that a human or screen-scraper user of
psql mistakes for valid query results.

CVE-2024-10978
Incorrect privilege assignment in PostgreSQL allows a less-privileged
application user to view or change different rows from those intended. An
attack requires the application to use SET ROLE, SET SESSION
AUTHORIZATION, or an equivalent feature.

CVE-2024-10979
Incorrect control of environment variables in PostgreSQL PL/Perl allows
an unprivileged database user to change sensitive process environment
variables (e.g. PATH).





ELA-1303-1 postgresql-9.6 security update


Package : postgresql-9.6
Version : 9.6.24-0+deb9u8 (stretch)

Related CVEs :
CVE-2024-10976
CVE-2024-10977
CVE-2024-10978
CVE-2024-10979

Multiple security issues were discovered in PostgreSQL, which may result in
the execution of arbitrary code, privilege escalation, or log manipulation.

CVE-2024-10976
Incomplete tracking in PostgreSQL of tables with row security allows a
reused query to view or change different rows from those intended. It
leads to potentially incorrect policies being applied in cases where
role-specific policies are used and a given query is planned under one
role and then executed under other roles.

CVE-2024-10977
Client use of server error message in PostgreSQL allows a server not
trusted under current SSL or GSS settings to furnish arbitrary non-NUL
bytes to the libpq application. For example, a man-in-the-middle attacker
could send a long error message that a human or screen-scraper user of
psql mistakes for valid query results.

CVE-2024-10978
Incorrect privilege assignment in PostgreSQL allows a less-privileged
application user to view or change different rows from those intended. An
attack requires the application to use SET ROLE, SET SESSION
AUTHORIZATION, or an equivalent feature.

CVE-2024-10979
Incorrect control of environment variables in PostgreSQL PL/Perl allows
an unprivileged database user to change sensitive process environment
variables (e.g. PATH).





ELA-1302-1 postgresql-11 security update


Package : postgresql-11
Version : 11.22-0+deb10u4 (buster)

Related CVEs :
CVE-2024-10976
CVE-2024-10977
CVE-2024-10978
CVE-2024-10979

Multiple security issues were discovered in PostgreSQL, which may result in
the execution of arbitrary code, privilege escalation, or log manipulation.

CVE-2024-10976
Incomplete tracking in PostgreSQL of tables with row security allows a
reused query to view or change different rows from those intended. It
leads to potentially incorrect policies being applied in cases where
role-specific policies are used and a given query is planned under one
role and then executed under other roles.

CVE-2024-10977
Client use of server error message in PostgreSQL allows a server not
trusted under current SSL or GSS settings to furnish arbitrary non-NUL
bytes to the libpq application. For example, a man-in-the-middle attacker
could send a long error message that a human or screen-scraper user of
psql mistakes for valid query results.

CVE-2024-10978
Incorrect privilege assignment in PostgreSQL allows a less-privileged
application user to view or change different rows from those intended. An
attack requires the application to use SET ROLE, SET SESSION
AUTHORIZATION, or an equivalent feature.

CVE-2024-10979
Incorrect control of environment variables in PostgreSQL PL/Perl allows
an unprivileged database user to change sensitive process environment
variables (e.g. PATH).
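
The fixed versions listed in the four advisories above can be checked against a package inventory. This is an added example, not part of the advisories or of Debian's tooling: it implements Debian's version ordering in Python so that suffixes such as +deb8u9 and +deb8u11 compare numerically. The inventory format (a mapping keyed by source package name), the SAMPLE data and the function names are assumptions made for illustration; on a Debian host, `dpkg --compare-versions` performs the same comparison.

```python
import re

# Fixed versions as stated in the advisories above (source package names).
FIXED = {
    "openjpeg2": "2.5.0-2+deb12u1",        # DSA 5851-1, bookworm
    "postgresql-9.4": "9.4.26-0+deb8u11",  # ELA-1304-1, jessie
    "postgresql-9.6": "9.6.24-0+deb9u8",   # ELA-1303-1, stretch
    "postgresql-11": "11.22-0+deb10u4",    # ELA-1302-1, buster
}

def _order(ch):
    # '~' sorts before everything, even end of string; letters before symbols.
    if ch in ("~", ""):
        return -1 if ch == "~" else 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Alternate non-digit runs (by _order) and digit runs (as integers).
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            x, y = _order(na[i:i + 1]), _order(nb[i:i + 1])
            if x != y:
                return -1 if x < y else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        x, y = int(da or 0), int(db or 0)
        if x != y:
            return -1 if x < y else 1
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def compare(a, b):
    # -1, 0 or 1 as Debian version a is older than, equal to, newer than b.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def needs_upgrade(installed):
    # Packages named in FIXED whose installed version predates the fix.
    return sorted(p for p, v in installed.items() if p in FIXED and compare(v, FIXED[p]) < 0)

# Constructed inventory, not from a real host.
SAMPLE = {"openjpeg2": "2.5.0-2", "postgresql-9.4": "9.4.26-0+deb8u9",
          "postgresql-9.6": "9.6.24-0+deb9u8", "postgresql-11": "11.22-0+deb10u3"}
```

Calling `needs_upgrade(SAMPLE)` lists the packages that still predate the fixed versions; a plain string comparison would wrongly rank deb8u9 above deb8u11.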

