ALAS-2021-1519


Amazon Linux 1 Security Advisory: ALAS-2021-1519
Advisory Release Date: 2021-07-08 18:38 Pacific
Advisory Updated Date: 2021-07-12 21:51 Pacific
Severity: Important

Issue Overview:

A flaw was discovered in PostgreSQL where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker with EXECUTE permission on the function can execute arbitrary SQL as the owner of the function. (CVE-2019-10208)

A flaw was found in PostgreSQL. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25694)

A flaw was found in PostgreSQL. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25695)


Affected Packages:

postgresql92


Issue Correction:
Run yum update postgresql92 to update your system.

New Packages:
i686:
    postgresql92-pltcl-9.2.24-3.67.amzn1.i686
    postgresql92-plperl-9.2.24-3.67.amzn1.i686
    postgresql92-devel-9.2.24-3.67.amzn1.i686
    postgresql92-debuginfo-9.2.24-3.67.amzn1.i686
    postgresql92-contrib-9.2.24-3.67.amzn1.i686
    postgresql92-server-compat-9.2.24-3.67.amzn1.i686
    postgresql92-test-9.2.24-3.67.amzn1.i686
    postgresql92-docs-9.2.24-3.67.amzn1.i686
    postgresql92-9.2.24-3.67.amzn1.i686
    postgresql92-libs-9.2.24-3.67.amzn1.i686
    postgresql92-plpython27-9.2.24-3.67.amzn1.i686
    postgresql92-server-9.2.24-3.67.amzn1.i686
    postgresql92-plpython26-9.2.24-3.67.amzn1.i686

src:
    postgresql92-9.2.24-3.67.amzn1.src

x86_64:
    postgresql92-9.2.24-3.67.amzn1.x86_64
    postgresql92-libs-9.2.24-3.67.amzn1.x86_64
    postgresql92-debuginfo-9.2.24-3.67.amzn1.x86_64
    postgresql92-contrib-9.2.24-3.67.amzn1.x86_64
    postgresql92-docs-9.2.24-3.67.amzn1.x86_64
    postgresql92-test-9.2.24-3.67.amzn1.x86_64
    postgresql92-plpython26-9.2.24-3.67.amzn1.x86_64
    postgresql92-pltcl-9.2.24-3.67.amzn1.x86_64
    postgresql92-plperl-9.2.24-3.67.amzn1.x86_64
    postgresql92-server-9.2.24-3.67.amzn1.x86_64
    postgresql92-plpython27-9.2.24-3.67.amzn1.x86_64
    postgresql92-server-compat-9.2.24-3.67.amzn1.x86_64
    postgresql92-devel-9.2.24-3.67.amzn1.x86_64
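
To confirm the update took effect, the following added example (not part of the original advisory) lists any installed postgresql92 package still below the fixed build 9.2.24-3.67.amzn1 shown under New Packages. The function names and the sample inventory are constructed for illustration, and GNU `sort -V` stands in for rpm's own version comparison.

```shell
#!/usr/bin/env bash
# Added example: flag postgresql92 packages older than the build that fixes
# ALAS-2021-1519. Function names here are hypothetical helpers.

FIXED_VR="9.2.24-3.67.amzn1"   # version-release taken from the New Packages list

# is_older A B: succeeds when A sorts strictly before B.
# Assumption: GNU sort -V approximates rpm's comparison for these strings.
is_older() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# outdated_pg92: reads "name version-release" pairs on stdin and prints
# every postgresql92 package that is below FIXED_VR.
outdated_pg92() {
    while read -r name vr; do
        case "$name" in
            postgresql92|postgresql92-*) ;;
            *) continue ;;              # unrelated package, skip
        esac
        if is_older "$vr" "$FIXED_VR"; then
            printf '%s %s\n' "$name" "$vr"
        fi
    done
}

# Constructed sample inventory (the older build numbers are made up).
sample_inventory() {
    cat <<'EOF'
postgresql92 9.2.24-2.66.amzn1
postgresql92-libs 9.2.24-3.67.amzn1
postgresql92-server 9.2.23-1.65.amzn1
openssl 1.0.2k-16.153.amzn1
EOF
}

# On a real host, feed the function from rpm instead of the sample:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'postgresql92*' | outdated_pg92
sample_inventory | outdated_pg92
```

Empty output means every postgresql92 package is at or above the fixed build. The server must also be restarted after the update for the running processes to use the new binaries.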