[USN-7741-1] PostgreSQL vulnerabilities

noreply+usn-bot at canonical.com noreply+usn-bot at canonical.com
Mon Sep 8 15:16:35 UTC 2025 

==========================================================================
Ubuntu Security Notice USN-7741-1
September 08, 2025

postgresql-14, postgresql-16, postgresql-17 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in PostgreSQL.

Software Description:
- postgresql-17: Object-relational SQL database
- postgresql-16: Object-relational SQL database
- postgresql-14: Object-relational SQL database

Details:

Dean Rasheed discovered that PostgreSQL incorrectly handled access control
lists. An attacker could possibly use this issue to obtain sensitive
information. (CVE-2025-8713)

Martin Rakhmanov, Matthieu Denais, and RyotaK discovered that the PostgreSQL
pg_dump utility allowed untrusted data inclusion. A malicious superuser
could use this issue to execute arbitrary code when a dump script is
reloaded. (CVE-2025-8714)

Noah Misch discovered that the PostgreSQL pg_dump utility incorrectly
filtered line breaks in object names. An attacker could create object names
that execute arbitrary SQL commands when a dump script is reloaded.
(CVE-2025-8715)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
  postgresql-17                   17.6-0ubuntu0.25.04.1
  postgresql-client-17            17.6-0ubuntu0.25.04.1

Ubuntu 24.04 LTS
  postgresql-16                   16.10-0ubuntu0.24.04.1
  postgresql-client-16            16.10-0ubuntu0.24.04.1

Ubuntu 22.04 LTS
  postgresql-14                   14.19-0ubuntu0.22.04.1
  postgresql-client-14            14.19-0ubuntu0.22.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7741-1
  CVE-2025-8713, CVE-2025-8714, CVE-2025-8715

Package Information:
  https://launchpad.net/ubuntu/+source/postgresql-17/17.6-0ubuntu0.25.04.1
  https://launchpad.net/ubuntu/+source/postgresql-16/16.10-0ubuntu0.24.04.1
  https://launchpad.net/ubuntu/+source/postgresql-14/14.19-0ubuntu0.22.04.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20250908/a930daf7/attachment.sig>

More information about the ubuntu-security-announce mailing list