| Package | postgresql-11 |
|---|---|
| Version | 11.22-0+deb10u4 (buster) |
| Related CVEs | CVE-2024-10976, CVE-2024-10977, CVE-2024-10978, CVE-2024-10979 |
Multiple security issues were discovered in PostgreSQL, which may result in the execution of arbitrary code, privilege escalation, or log manipulation.
CVE-2024-10976

Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. It leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles.

CVE-2024-10977

Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results.

CVE-2024-10978

Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature.

CVE-2024-10979

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH).
For Debian 10 buster, these problems have been fixed in version 11.22-0+deb10u4.
We recommend that you upgrade your postgresql-11 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.