| Package | postgresql-9.4 |
|---|---|
| Version | 9.4.26-0+deb8u8 (jessie) |
| Related CVEs | CVE-2023-5869, CVE-2023-39417 |
Several security vulnerabilities have been found in PostgreSQL, an advanced open source database.
CVE-2023-5869
While modifying certain SQL array values, missing overflow checks let
authenticated database users write arbitrary bytes to a memory area that
facilitates arbitrary code execution. Missing overflow checks also let
authenticated database users read a wide area of server memory. The
CVE-2021-32027 fix covered some attacks of this description, but it missed
others.
CVE-2023-39417
A SQL injection vulnerability was found in PostgreSQL extension scripts that
use @extowner@, @extschema@, or @extschema:...@ inside a quoting construct
(dollar quoting, '', or ""). If an administrator has installed the files of a
vulnerable, trusted, non-bundled extension, an attacker with database-level
CREATE privilege can execute arbitrary code as the bootstrap superuser.
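As an added illustration of the script pattern this CVE describes (example code, not part of this advisory or of PostgreSQL itself): an audit helper that reports every @extowner@, @extschema@ or @extschema:name@ marker sitting inside a quoting construct of an extension script, which is the usage the advisory calls injectable. It assumes that SQL comments need not be tracked, and the sample script it runs on is constructed for the example.

```python
import re

# Markers PostgreSQL substitutes textually into extension scripts (CVE-2023-39417)
MARKER = re.compile(r"@(?:extowner|extschema(?::[A-Za-z_][A-Za-z0-9_]*)?)@")
DOLLAR_TAG = re.compile(r"\$(?:[A-Za-z_][A-Za-z0-9_]*)?\$")

def find_quoted_markers(script):
    """Return (line, marker, quote_kind) for each marker found inside a quoting
    construct: a '' literal, a "" identifier, or a $tag$ ... $tag$ body.
    Top-level uses such as @extschema@.func are the safe form and are skipped.
    Assumption: SQL comments are not tracked (a marker there is not a hazard)."""
    findings, quote, i = [], None, 0
    while i < len(script):
        c = script[i]
        if quote is None:                            # outside any quotes
            if c in ("'", '"'):
                quote = c
            elif c == "$" and (m := DOLLAR_TAG.match(script, i)):
                quote = m.group(0)                   # remember the exact tag
                i += len(quote)
                continue
        else:                                        # inside a quoting construct
            if m := MARKER.match(script, i):
                kind = "dollar" if quote.startswith("$") else quote
                findings.append((script.count("\n", 0, i) + 1, m.group(0), kind))
                i = m.end()
                continue
            if quote in ("'", '"') and c == quote:
                if script.startswith(quote * 2, i):  # doubled quote is an escape
                    i += 2
                    continue
                quote = None
            elif quote.startswith("$") and script.startswith(quote, i):
                i += len(quote)                      # matching closing $tag$
                quote = None
                continue
        i += 1
    return findings

# Constructed sample script (not from any real extension): statement 1 is the
# safe form, statement 2 quotes the marker in a literal, statement 3 in a body.
SAMPLE_SCRIPT = """\
CREATE FUNCTION @extschema@.ping() RETURNS int LANGUAGE sql AS 'SELECT 1';
COMMENT ON FUNCTION @extschema@.ping() IS 'Installed in @extschema@';
CREATE FUNCTION @extschema@.ver() RETURNS text LANGUAGE sql AS $body$
  SELECT 'owner=@extowner@'
$body$;
"""
```

Running `find_quoted_markers` over each `*.sql` file under the server's extension directory (`$(pg_config --sharedir)/extension`) lists the non-bundled extension scripts that deserve a look alongside the package upgrade.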
For Debian 8 jessie, these problems have been fixed in version 9.4.26-0+deb8u8.
We recommend that you upgrade your postgresql-9.4 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.