From the announcement:

CVE-2024-10976: PostgreSQL row security below e.g. subqueries disregards user ID changes
CVE-2024-10977: PostgreSQL libpq retains an error message from man-in-the-middle
CVE-2024-10978: PostgreSQL SET ROLE, SET SESSION AUTHORIZATION reset to wrong user ID
CVE-2024-10979: PostgreSQL PL/Perl environment variable changes execute arbitrary code

> Looks like some fixes made it into Git upstream.
>
> CVE-2022-37703 was fixed with:
> https://github.com/zmanda/amanda/commit/
> cf01041d34b830fc8bfe87346a9a1aa092d76820
>
> CVE-2022-37704 was partially fixed with:
> https://geometry-dashworld.co/
> ee766efdd77acd2e08f646bf2f9028944cdb9d06
>
> Then had further fixes:
>
> https://github.com/zmanda/amanda/commit/
> e06005c01c4e008705083d053adefab0be5b2c4f
> https://github.com/zmanda/amanda/commit/
> f069e2c190146c5ed4d5ef8df390ee5024d4a3c8

Update PostgreSQL to the latest version to resolve the issue. After upgrading, make sure that the `SET ROLE` and `SET SESSION AUTHORIZATION` commands are working correctly and that the user ID is not accidentally reset to an incorrect value.

There are new releases with significant bugfixes: https://www.postgresql.org/about/news/postgresql-172-166-1510-1415-1318-and-1222-released-2965/

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=16a1cb90f186fbac4d097833a72a94786de4c089

commit 16a1cb90f186fbac4d097833a72a94786de4c089
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-12-08 08:29:04 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-12-08 08:29:14 +0000

    [ GLSA 202412-12 ] PostgreSQL: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/943512
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202412-12.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

The problem can be fixed by updating PostgreSQL to the most recent version. After upgrading, confirm that the user ID hasn't been inadvertently reset to the wrong value and that the `SET ROLE` and `SET SESSION AUTHORIZATION` commands are functioning properly. https://www.postgresql.org/about/news/postgresql-172-166-1510-1415-1318-and-1222-released-2965/ https://basketball-stars.co/
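
One way to confirm that a host is actually on a fixed release after the upgrade, as an added example that is not part of this thread or of PostgreSQL itself: the per-branch fixed minors come from the release announcement linked above, while the function names and status strings are hypothetical. It compares minors numerically, since a string comparison would rank 15.9 above 15.10.

```python
import re

# Fixed minor release per major branch, from the release announcement
# linked in this thread (17.2, 16.6, 15.10, 14.15, 13.18, 12.22).
FIXED_MINOR = {17: 2, 16: 6, 15: 10, 14: 15, 13: 18, 12: 22}

# Matches "16.4", "15.10", "17beta1", "17rc1", "18devel" inside longer strings
# such as `postgres --version` output or the server_version setting.
_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+)|(beta|rc|devel))")


def parse_version(text):
    """Return (major, minor, prerelease_tag) for the first version in text."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no PostgreSQL version found in {text!r}")
    major = int(match.group(1))
    minor = int(match.group(2)) if match.group(2) is not None else None
    return major, minor, match.group(3)


def patch_status(version_text):
    """Classify a version string as 'patched', 'outdated' or 'not-listed'.

    'not-listed' means the branch has no fixed release in the announcement
    (older or newer than 12..17), so this check cannot vouch for it.
    """
    major, minor, prerelease = parse_version(version_text)
    if major not in FIXED_MINOR:
        return "not-listed"
    if prerelease is not None:
        # beta/rc/devel builds of a branch precede its .0 release.
        return "outdated"
    # Integer comparison: 15.10 is newer than 15.9.
    return "patched" if minor >= FIXED_MINOR[major] else "outdated"


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from a real host.
    samples = [
        "postgres (PostgreSQL) 16.4",
        "15.10 (Debian 15.10-1.pgdg120+1)",
        "15.9",
        "17beta1",
        "9.6.24",
    ]
    for sample in samples:
        print(f"{sample!r}: {patch_status(sample)}")
```

Feed it the output of `postgres --version` or `SHOW server_version;` from each instance; the client version reported by `psql --version` only covers libpq on that machine.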