Advisories » MGASA-2021-0121

Updated postgresql packages fix security vulnerabilities

Publication date: 12 Mar 2021
Modification date: 12 Mar 2021
Type: security
Affected Mageia releases: 7, 8
CVE: CVE-2021-3393, CVE-2021-20229

Description

A user having an UPDATE privilege on a partitioned table but lacking the SELECT
privilege on some column may be able to acquire denied-column values from an
error message (CVE-2021-3393).

A user having a SELECT privilege on an individual column can craft a special
query that returns all columns of the table. Additionally, a stored view that
uses column-level privileges will have incomplete column-usage bitmaps. In
installations that depend on column-level permissions for security, it is
recommended to execute CREATE OR REPLACE on all user-defined views to force
them to be re-parsed (CVE-2021-20229).
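
One way to carry out the CREATE OR REPLACE recommendation above on a server that already runs the updated packages. This is an added example, not part of the Mageia advisory or of PostgreSQL's own tooling. It assumes a psql session connected as a superuser (or as the owner of every view), and it has to be repeated in each database of the cluster.

```sql
-- Added example: regenerate every user-defined view in the current database
-- so that its stored parse tree is rebuilt by the patched server.
-- Assumes psql (\set and \gexec are psql meta-commands, not SQL).
\set ON_ERROR_STOP on

BEGIN;

-- Build one CREATE OR REPLACE VIEW statement per view. Storage options
-- (security_barrier, check_option, ...) are copied from pg_class.reloptions,
-- because CREATE OR REPLACE VIEW resets any option that is not restated.
-- Ownership and granted privileges are kept by CREATE OR REPLACE.
SELECT format(
         'CREATE OR REPLACE VIEW %I.%I%s AS %s',
         n.nspname,
         c.relname,
         CASE
           WHEN c.reloptions IS NULL THEN ''
           ELSE ' WITH (' || array_to_string(c.reloptions, ', ') || ')'
         END,
         pg_get_viewdef(c.oid)        -- current definition, ends with ';'
       )
FROM pg_class AS c
JOIN pg_namespace AS n ON n.oid = c.relnamespace
WHERE c.relkind = 'v'                 -- plain views only
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY n.nspname, c.relname
\gexec

COMMIT;
```

Because the statements run inside one transaction with ON_ERROR_STOP set, a failure on any view leaves all views unchanged and the offending statement is the last one psql printed.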

PostgreSQL 11 was only affected by CVE-2021-3393 and both PostgreSQL 11 and 13
were affected by CVE-2021-20229. PostgreSQL 9.6 was updated to fix bugs.
