Debian Security Advisory
DSA-5553-1 postgresql-15 -- security update
- Date Reported: 13 Nov 2023
- Affected Packages: postgresql-15
- Security database references: In Mitre's CVE dictionary: CVE-2023-5868, CVE-2023-5869, CVE-2023-5870, CVE-2023-39417, CVE-2023-39418.
- More information:
Several vulnerabilities have been discovered in the PostgreSQL database system.
Jingzhou Fu discovered a memory disclosure flaw in aggregate function calls.
Pedro Gallegos reported integer overflow flaws resulting in buffer overflows in the array modification functions.
Hemanth Sandrana and Mahendrakar Srinivasarao reported that the pg_cancel_backend role can signal certain superuser processes, potentially resulting in denial of service.
Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg reported that an extension script using @substitutions@ inside quoting may allow an attacker with database-level CREATE privileges to perform SQL injection.
Dean Rasheed reported that the MERGE command fails to enforce UPDATE or SELECT row security policies.
For the stable distribution (bookworm), these problems have been fixed in version 15.5-0+deb12u1.
We recommend that you upgrade your postgresql-15 packages.
For the detailed security status of postgresql-15 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/postgresql-15