PostgreSQL is een open source relational database management system, dat op diverse besturingssystemen kan worden gedraaid. Hierdoor is het breed inzetbaar in verschillende omgevingen. De ontwikkelaars hebben vorige maand een reeks nieuwe versies uitgebracht, met 13.1, 12.5, 11.10, 10.15, 9.6.20 en 9.5.24 als versienummers. Gebruikers van oudere uitgaven wordt aangeraden om te upgraden. De bijbehorende aankondiging van PostgreSQL ziet er als volgt uit: PostgreSQL 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24 Released! The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24. This release closes three security vulnerabilities and fixes over 65 bugs reported over the last three months. Due to the nature of CVE-2020-25695, we advise you to update as soon as possible. Additionally, this is the second-to-last release of PostgreSQL 9.5. If you are running PostgreSQL 9.5 in a production environment, we suggest that you make plans to upgrade. For the full list of changes, please review the release notes. CVE-2020-25695: Multiple features escape “security restricted operation” sandbox Versions Affected: 9.5 – 13. The security team typically does not test unsupported versions, but this problem is quite old. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. While promptly updating PostgreSQL is the best remediation for most users, a user unable to do that can work around the vulnerability by disabling autovacuum and not manually running ANALYZE, CLUSTER, REINDEX, CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, or a restore from output of the pg_dump command. Performance may degrade quickly under this workaround. VACUUM without the FULL option is safe, and all commands are fine when a trusted user owns the target object. The PostgreSQL project thanks Etienne Stalmans for reporting this problem. CVE-2020-25694: Reconnection can downgrade connection security settings Versions Affected: 9.5 – 13. The security team typically does not test unsupported versions, but this problem is quite old. Many PostgreSQL-provided client applications have options that create additional database connections. Some of those applications reuse only the basic connection parameters (e.g. host, user, port), dropping others. If this drops a security-relevant parameter (e.g. channel_binding, sslmode, requirepeer, gssencmode), the attacker has an opportunity to complete a MITM attack or observe cleartext transmission. Affected applications are clusterdb, pg_dump, pg_restore, psql, reindexdb, and vacuumdb. The vulnerability arises only if one invokes an affected client application with a connection string containing a security-relevant parameter. This also fixes how the connect command of psql reuses connection parameters, i.e. all non-overridden parameters from a previous connection string now re-used. The PostgreSQL project thanks Peter Eisentraut for reporting this problem. CVE-2020-25696: psql’s gset allows overwriting specially treated variables Versions Affected: 9.5 – 13. The security team typically does not test unsupported versions, but this problem likely arrived with the feature’s debut in version 9.3. The gset meta-command, which sets psql variables based on query results, does not distinguish variables that control psql behavior. If an interactive psql session uses gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. Using gset with a prefix not found among specially treated variables, e.g. any lowercase string, precludes the attack in an unpatched psql. The PostgreSQL project thanks Nick Cleaton for reporting this problem. Bug Fixes and Improvements This update also fixes over 65 bugs that were reported in the last several months. Some of these issues only affect version 13, but may also apply to other supported versions. Some of these fixes include: