Amazon Linux 2 Security Advisory: ALASPOSTGRESQL12-2023-002
Advisory Release Date: 2023-08-07 05:59 Pacific
Advisory Updated Date: 2024-08-28 19:02 Pacific
2024-08-28: CVE-2021-3677 was added to this advisory.
2024-02-29: CVE-2021-23222 was added to this advisory.
A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. (CVE-2021-23222)
A flaw was found in PostgreSQL. A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include max_worker_processes=0, the known versions of this attack are infeasible. However, undiscovered variants of the attack may be independent of that setting. (CVE-2021-3677)
A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity. (CVE-2022-1552)
Affected Packages:
postgresql
Note:
This advisory is applicable to Amazon Linux 2 - Postgresql12 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update postgresql to update your system.
aarch64:
postgresql-12.11-3.amzn2.0.2.aarch64
postgresql-server-12.11-3.amzn2.0.2.aarch64
postgresql-docs-12.11-3.amzn2.0.2.aarch64
postgresql-contrib-12.11-3.amzn2.0.2.aarch64
postgresql-server-devel-12.11-3.amzn2.0.2.aarch64
postgresql-static-12.11-3.amzn2.0.2.aarch64
postgresql-upgrade-12.11-3.amzn2.0.2.aarch64
postgresql-upgrade-devel-12.11-3.amzn2.0.2.aarch64
postgresql-plperl-12.11-3.amzn2.0.2.aarch64
postgresql-plpython2-12.11-3.amzn2.0.2.aarch64
postgresql-plpython3-12.11-3.amzn2.0.2.aarch64
postgresql-pltcl-12.11-3.amzn2.0.2.aarch64
postgresql-test-12.11-3.amzn2.0.2.aarch64
postgresql-llvmjit-12.11-3.amzn2.0.2.aarch64
postgresql-debuginfo-12.11-3.amzn2.0.2.aarch64
i686:
postgresql-12.11-3.amzn2.0.2.i686
postgresql-server-12.11-3.amzn2.0.2.i686
postgresql-docs-12.11-3.amzn2.0.2.i686
postgresql-contrib-12.11-3.amzn2.0.2.i686
postgresql-server-devel-12.11-3.amzn2.0.2.i686
postgresql-static-12.11-3.amzn2.0.2.i686
postgresql-upgrade-12.11-3.amzn2.0.2.i686
postgresql-upgrade-devel-12.11-3.amzn2.0.2.i686
postgresql-plperl-12.11-3.amzn2.0.2.i686
postgresql-plpython2-12.11-3.amzn2.0.2.i686
postgresql-plpython3-12.11-3.amzn2.0.2.i686
postgresql-pltcl-12.11-3.amzn2.0.2.i686
postgresql-test-12.11-3.amzn2.0.2.i686
postgresql-llvmjit-12.11-3.amzn2.0.2.i686
postgresql-debuginfo-12.11-3.amzn2.0.2.i686
noarch:
postgresql-test-rpm-macros-12.11-3.amzn2.0.2.noarch
src:
postgresql-12.11-3.amzn2.0.2.src
x86_64:
postgresql-12.11-3.amzn2.0.2.x86_64
postgresql-server-12.11-3.amzn2.0.2.x86_64
postgresql-docs-12.11-3.amzn2.0.2.x86_64
postgresql-contrib-12.11-3.amzn2.0.2.x86_64
postgresql-server-devel-12.11-3.amzn2.0.2.x86_64
postgresql-static-12.11-3.amzn2.0.2.x86_64
postgresql-upgrade-12.11-3.amzn2.0.2.x86_64
postgresql-upgrade-devel-12.11-3.amzn2.0.2.x86_64
postgresql-plperl-12.11-3.amzn2.0.2.x86_64
postgresql-plpython2-12.11-3.amzn2.0.2.x86_64
postgresql-plpython3-12.11-3.amzn2.0.2.x86_64
postgresql-pltcl-12.11-3.amzn2.0.2.x86_64
postgresql-test-12.11-3.amzn2.0.2.x86_64
postgresql-llvmjit-12.11-3.amzn2.0.2.x86_64
postgresql-debuginfo-12.11-3.amzn2.0.2.x86_64
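Added example, not part of this advisory: a POSIX shell check that reads installed package strings in the shape of `rpm -qa 'postgresql*'` output and flags any postgresql12 package older than the fixed version-release 12.11-3.amzn2.0.2 listed above. The sample package list is constructed, and GNU sort -V is assumed to order these amzn2 release strings the same way rpmvercmp does.

```shell
#!/bin/sh
# Fixed version-release from ALASPOSTGRESQL12-2023-002 (AL2 postgresql12 extra).
FIXED_VR="12.11-3.amzn2.0.2"

# vr_is_fixed VERSION-RELEASE: succeeds when VERSION-RELEASE >= FIXED_VR.
# Assumption: GNU sort -V orders these strings as rpmvercmp would.
vr_is_fixed() {
    highest=$(printf '%s\n%s\n' "$FIXED_VR" "$1" | sort -V | tail -n 1)
    [ "$highest" = "$1" ]
}

# check_installed: reads "name-version-release.arch" lines on stdin (the
# shape of `rpm -qa 'postgresql*'` output), prints "OK" or "VULNERABLE"
# per package, and returns 1 if any package is below the fixed version.
check_installed() {
    status=0
    while IFS= read -r pkg; do
        [ -z "$pkg" ] && continue
        noarch=${pkg%.*}           # strip .x86_64 / .aarch64 / .noarch
        rel=${noarch##*-}          # release, e.g. 3.amzn2.0.2
        nv=${noarch%-*}
        ver=${nv##*-}              # version, e.g. 12.11
        name=${nv%-*}              # name, e.g. postgresql-upgrade-devel
        if vr_is_fixed "$ver-$rel"; then
            echo "OK $name $ver-$rel"
        else
            echo "VULNERABLE $name $ver-$rel"
            status=1
        fi
    done
    return $status
}

# Constructed sample: one patched and one unpatched package on the same host.
SAMPLE="postgresql-12.11-3.amzn2.0.2.x86_64
postgresql-server-12.11-3.amzn2.0.1.x86_64"

printf '%s\n' "$SAMPLE" | check_installed || echo "unpatched packages found; run: yum update postgresql"
```

On a real host replace the constructed sample with `rpm -qa 'postgresql*' | check_installed`.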