========================================================================== CVE-2021-3393: Partition constraint violation errors leak values of denied columns ========================================================================== Versions Affected: 11 - 13. A user having an UPDATE privilege on a partitioned table but lacking the SELECT privilege on some column may be able to acquire denied-column values from an error message. This is similar to CVE-2014-8161, but the conditions to exploit are more rare. The PostgreSQL project thanks Heikki Linnakangas for reporting this problem. ========================================================================== CVE-2021-20229: Single-column SELECT privilege enables reading all columns ========================================================================== Versions Affected: 13. A user having a SELECT privilege on an individual column can craft a special query that returns all columns of the table. Additionally, a stored view that uses column-level privileges will have incomplete column-usage bitmaps. In installations that depend on column-level permissions for security, it is recommended to execute CREATE OR REPLACE on all user-defined views to force them to be re-parsed. The PostgreSQL project thanks Sven Klemm for reporting this problem.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5fd6830195d614ec11bbf6465f170d0086ae4ea commit b5fd6830195d614ec11bbf6465f170d0086ae4ea Author: Aaron W. Swenson <titanofold@gentoo.org> AuthorDate: 2021-02-21 14:15:27 +0000 Commit: Aaron W. Swenson <titanofold@gentoo.org> CommitDate: 2021-02-21 14:15:27 +0000 dev-db/postgresql: Security Bump Bump to 13.2, 12.6, 11.11, 10.16, 9.6.21, and 9.5.25. Addresses vulnerabilities: CVE-2021-3393 and CVE-2021-20229. Includes ICU68 fix, and extra workaround patch for 10.16 (thanks Marco Sirabella). Bug: https://bugs.gentoo.org/771942 Bug: https://bugs.gentoo.org/766225 Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org> dev-db/postgresql/Manifest | 6 + .../postgresql/files/postgresql-10.0-icu68-2.patch | 11 + dev-db/postgresql/postgresql-10.16.ebuild | 461 ++++++++++++++++++++ dev-db/postgresql/postgresql-11.11.ebuild | 458 ++++++++++++++++++++ dev-db/postgresql/postgresql-12.6.ebuild | 458 ++++++++++++++++++++ dev-db/postgresql/postgresql-13.2.ebuild | 462 ++++++++++++++++++++ dev-db/postgresql/postgresql-9.5.25.ebuild | 476 ++++++++++++++++++++ dev-db/postgresql/postgresql-9.6.21.ebuild | 481 +++++++++++++++++++++ 8 files changed, 2813 insertions(+)
Please stabilize the following targets: =dev-db/postgresql-10.16 ~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86 =dev-db/postgresql-11.11 ~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86 =dev-db/postgresql-12.6 ~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86 =dev-db/postgresql-13.2 ~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86 =dev-db/postgresql-9.5.25 ~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86 =dev-db/postgresql-9.6.21 ~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86
sparc stable
*** Bug 772320 has been marked as a duplicate of this bug. ***
ppc done
ppc64 done
amd64 done
arm done
x86 done
arm64 done all arches done
Please cleanup, thanks!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0cb57f5044dc87248afd6f5f40794d16bd5c649c commit 0cb57f5044dc87248afd6f5f40794d16bd5c649c Author: Aaron W. Swenson <titanofold@gentoo.org> AuthorDate: 2021-02-25 14:24:59 +0000 Commit: Aaron W. Swenson <titanofold@gentoo.org> CommitDate: 2021-02-25 14:24:59 +0000 dev-db/postgresql: Cleanup Bug: https://bugs.gentoo.org/771942 Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org> dev-db/postgresql/Manifest | 6 - dev-db/postgresql/postgresql-10.15.ebuild | 459 --------------------------- dev-db/postgresql/postgresql-11.10.ebuild | 461 --------------------------- dev-db/postgresql/postgresql-12.5.ebuild | 461 --------------------------- dev-db/postgresql/postgresql-13.1.ebuild | 465 ---------------------------- dev-db/postgresql/postgresql-9.5.24.ebuild | 476 ---------------------------- dev-db/postgresql/postgresql-9.6.20.ebuild | 481 ----------------------------- 7 files changed, 2809 deletions(-)
Thank you!
New GLSA request filed.
This issue was resolved and addressed in GLSA 202105-32 at https://security.gentoo.org/glsa/202105-32 by GLSA coordinator Thomas Deutschmann (whissi).
