[USN-4633-1] PostgreSQL vulnerabilities

Marc Deslauriers marc.deslauriers at canonical.com
Tue Nov 17 14:38:44 UTC 2020

Ubuntu Security Notice USN-4633-1
November 17, 2020

postgresql-10, postgresql-12, postgresql-9.5 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS


Several security issues were fixed in PostgreSQL.

Software Description:
- postgresql-12: Object-relational SQL database
- postgresql-10: Object-relational SQL database
- postgresql-9.5: Object-relational SQL database


Peter Eisentraut discovered that PostgreSQL incorrectly handled connection
security settings. Client applications could possibly be connecting with
certain security parameters dropped, contrary to expectations.

Etienne Stalmans discovered that PostgreSQL incorrectly handled the
security restricted operation sandbox. An authenticated remote attacker
could possibly use this issue to execute arbitrary SQL functions as a
superuser. (CVE-2020-25695)

Nick Cleaton discovered that PostgreSQL incorrectly handled the \gset
meta-command. A remote attacker with a compromised server could possibly
use this issue to execute arbitrary code. (CVE-2020-25696)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.10:
  postgresql-12                   12.5-0ubuntu0.20.10.1

Ubuntu 20.04 LTS:
  postgresql-12                   12.5-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:
  postgresql-10                   10.15-0ubuntu0.18.04.1

Ubuntu 16.04 LTS:
  postgresql-9.5                  9.5.24-0ubuntu0.16.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.

  CVE-2020-25694, CVE-2020-25695, CVE-2020-25696

Package Information:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20201117/d440b452/attachment.sig>

More information about the ubuntu-security-announce mailing list