Bug 772320

Summary:	<dev-db/postgresql-{9.5.25,9.6.21,10.16,11.11,12.6,13.2}: insufficient access control (CVE-2021-20229)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED DUPLICATE
Severity:	minor	CC:	pgsql-bugs
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B4 [stable?]
Package list:		Runtime testing required:	---

Description John Helmert III archtester

2021-02-24 04:07:47 UTC

CVE-2021-20229:

A flaw was found in PostgreSQL in versions before 13.2, before 12.6, before 11.11, before 10.16, before 9.6.21 and before 9.5.25. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.


The only reference on the CVE is the Redhat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1925296

Please stabilize the fixed versions.

Comment 1 Aaron W. Swenson gentoo-dev

2021-02-24 10:50:38 UTC

This summary is incorrect. Only version starting with 13 before 13.2 are affected. Versions 12.x, 11.x, 10.x, 9.6x, and 9.5.x are unaffected.

This is covered in the official news release by PostgreSQL: https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/

*** This bug has been marked as a duplicate of bug 771942 ***

Comment 2 John Helmert III archtester

2021-02-24 13:17:37 UTC

(In reply to Aaron W. Swenson from comment #1)
> This summary is incorrect. Only version starting with 13 before 13.2 are
> affected. Versions 12.x, 11.x, 10.x, 9.6x, and 9.5.x are unaffected.
> 
> This is covered in the official news release by PostgreSQL:
> https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-
> 9525-released-2165/
> 
> *** This bug has been marked as a duplicate of bug 771942 ***

Thanks. I'll tell MITRE. Sorry for missing the other bug.