Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 772320 - <dev-db/postgresql-{9.5.25,9.6.21,10.16,11.11,12.6,13.2}: insufficient access control (CVE-2021-20229)
Summary: <dev-db/postgresql-{9.5.25,9.6.21,10.16,11.11,12.6,13.2}: insufficient access...
Status: RESOLVED DUPLICATE of bug 771942
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [stable?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-24 04:07 UTC by John Helmert III
Modified: 2021-02-24 13:17 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-02-24 04:07:47 UTC
CVE-2021-20229:

A flaw was found in PostgreSQL in versions before 13.2, before 12.6, before 11.11, before 10.16, before 9.6.21 and before 9.5.25. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.


The only reference on the CVE is the Redhat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1925296

Please stabilize the fixed versions.
Comment 1 Aaron W. Swenson gentoo-dev 2021-02-24 10:50:38 UTC
This summary is incorrect. Only version starting with 13 before 13.2 are affected. Versions 12.x, 11.x, 10.x, 9.6x, and 9.5.x are unaffected.

This is covered in the official news release by PostgreSQL: https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/

*** This bug has been marked as a duplicate of bug 771942 ***
Comment 2 John Helmert III gentoo-dev Security 2021-02-24 13:17:37 UTC
(In reply to Aaron W. Swenson from comment #1)
> This summary is incorrect. Only version starting with 13 before 13.2 are
> affected. Versions 12.x, 11.x, 10.x, 9.6x, and 9.5.x are unaffected.
> 
> This is covered in the official news release by PostgreSQL:
> https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-
> 9525-released-2165/
> 
> *** This bug has been marked as a duplicate of bug 771942 ***

Thanks. I'll tell MITRE. Sorry for missing the other bug.