-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2648
                      postgresql-jdbc security update
                               4 August 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           postgresql-jdbc
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
                   Red Hat Enterprise Linux WS/Desktop 6
                   Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
                   Red Hat Enterprise Linux Server 8
                   Red Hat Enterprise Linux WS/Desktop 8
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13692
Reference:         ESB-2020.2576

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:3283
   https://access.redhat.com/errata/RHSA-2020:3284
   https://access.redhat.com/errata/RHSA-2020:3285
   https://access.redhat.com/errata/RHSA-2020:3286

Comment: This bulletin contains four (4) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: postgresql-jdbc security update
Advisory ID:       RHSA-2020:3283-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3283
Issue date:        2020-08-03
CVE Names:         CVE-2020-13692
=====================================================================

1. Summary:

An update for postgresql-jdbc is now available for Red Hat Enterprise Linux
8.0 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.0) - noarch

3. Description:

PostgreSQL is an advanced object-relational database management system. The
postgresql-jdbc package includes the .jar files needed for Java programs to
access a PostgreSQL database.

Security Fix(es):

* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
(CVE-2020-13692)

This update introduces a backwards incompatible change required to resolve
this issue. Refer to the Red Hat Knowledgebase article 5266441 linked to in
the References section for information on how to re-enable the old insecure
behavior.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1852985 - CVE-2020-13692 postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.0):

Source:
postgresql-jdbc-42.2.3-3.el8_0.src.rpm

noarch:
postgresql-jdbc-42.2.3-3.el8_0.noarch.rpm
postgresql-jdbc-javadoc-42.2.3-3.el8_0.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-13692
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/5266441

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXyg2tNzjgjWX9erEAQhSIhAApjHVNIzxMJGENoOUpZROYmAPeOpqxVWO
io3NL8540r5DbCKR0yCBXLS1U95zDoZUEF2I3rVwEwcrfakLGQIbcXcDKiz5I6Hn
WvNMLktgIGnTOTUeLO5a0ysS8NiN+1jy4VOrI+ztBPqU27wcSnWiyIebm6UKvNBi
ILwcm2BBh/ZrW13+Rhx611oeKdH4ZRgpXE310E1kDv9mt3okGrJw5PJHgU/eCush
Z9j6Dl4Dae0GlULtGY7N5I+zxQyh0E/zru8ETbiUyqFkXDSPg4ui2Tw2oM8WQA1+
W5PPpz/3q499rM8hhJROKyxywR9qIbi8gHwzgs5V9sXCZDTuLi1lHvAjo66g3BgL
RVl5SzuGbxbzVAPpmwOgUNK60L/QecBxMSqA++//c9c5It+oef1B+sHNf863hgVN
/ZioD87UFpU1IbXBRWyTYqanoUX4YaeeGoE+HM9ooeDWV9r2yQ3QtKK6gqHc3C9D
PEqtzn7Axor4jGKGqYRaF08x2edTWjSVe5lxioFnjODS360Yg/BWnekqydeCQBIC
PjpZLo8s956I0pGHNI7ilVQjL44qBhF1pwnnBdmevYiC+qe9jEMV24stjOz7Mbxj
m1A+CnpHsL6+UsXClSVSTZQW6UmeuiMjiTUrCiVg8FgcidjxQgwVA+adARc5vl3z
EGAEoZ72OD0=
=llc1
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: postgresql-jdbc security update
Advisory ID:       RHSA-2020:3284-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3284
Issue date:        2020-08-03
CVE Names:         CVE-2020-13692
=====================================================================

1. Summary:

An update for postgresql-jdbc is now available for Red Hat Enterprise Linux
6.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - noarch
Red Hat Enterprise Linux HPC Node (v. 6) - noarch
Red Hat Enterprise Linux Server (v. 6) - noarch
Red Hat Enterprise Linux Workstation (v. 6) - noarch

3. Description:

PostgreSQL is an advanced object-relational database management system. The
postgresql-jdbc package includes the .jar files needed for Java programs to
access a PostgreSQL database.

Security Fix(es):

* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
(CVE-2020-13692)

This update introduces a backwards incompatible change required to resolve
this issue. Refer to the Red Hat Knowledgebase article 5266441 linked to in
the References section for information on how to re-enable the old insecure
behavior.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1852985 - CVE-2020-13692 postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
postgresql-jdbc-8.4.704-4.el6_10.src.rpm

noarch:
postgresql-jdbc-8.4.704-4.el6_10.noarch.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
postgresql-jdbc-8.4.704-4.el6_10.src.rpm

noarch:
postgresql-jdbc-8.4.704-4.el6_10.noarch.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
postgresql-jdbc-8.4.704-4.el6_10.src.rpm

noarch:
postgresql-jdbc-8.4.704-4.el6_10.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
postgresql-jdbc-8.4.704-4.el6_10.src.rpm

noarch:
postgresql-jdbc-8.4.704-4.el6_10.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-13692
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/5266441

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXyhDk9zjgjWX9erEAQhc/g/+IMhZ5ScHetMRZQIokUhKsxHQtxicqU/i
84FYK2tBtSoBSjG4JNo8BFU5dordJZvqZBh76FyYf4i/xaAOuxxsj7Tv6zIJEi/J
1OmUcdA+1ECFdsFB4XwK5gF+onyizoHmw6JhP4i/xBT7pb/k4FYlyjw4sN7YvOT1
ERzys0EV3phQy+1GJoXRgjQBYOjDdLY2Bl/NKEO8HItHvG4yemWd1dtHhgPbtg29
XauSFg3bgivolcXgzrBZIDP+ycSdnI9SSmr0A8wY242fdJUQ3EjUXkJftM7sFoV3
IpOrpN+EbLP1ErEZuwwHs4SsRYPuXlXoypYHT/AR8wWiBAyWNzGac8GZUtUf924V
UJhdrd0Yg+yBdEbW0NTrmELcsOnKZd5UKGp1vK5HW9reftnuwo+Q58ovDWcB22Lp
9Av/XeUQ1997CTw1rJU7ZwhQ/DA6xrUBpXy54WYARtysPd4Tt4ceohzyqwSPejpu
ShbwBTV0OlljL5cwCsDwbspeV+qtvzraFMZ56W760YspDXJEWEppyeywbyb3FsLl
coH+sODky++OT69L71TTjYdzsChuvFDD0jCaMVKSR13MOcB1XucOsgbHu5v/k6Av
NeSkrRLyXBiC4UVgiWOmEwWzxnM8pHeVNL5ahfBAjq6//RSYNjSmgqoxoRruMiw0
Jp4/jPtwmcE=
=eDhR
- -----END PGP SIGNATURE-----

- ----------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: postgresql-jdbc security update
Advisory ID:       RHSA-2020:3285-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3285
Issue date:        2020-08-03
CVE Names:         CVE-2020-13692
=====================================================================

1. Summary:

An update for postgresql-jdbc is now available for Red Hat Enterprise Linux
7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch
Red Hat Enterprise Linux Client Optional (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch
Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Enterprise Linux Server Optional (v. 7) - noarch
Red Hat Enterprise Linux Workstation (v. 7) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

3. Description:

PostgreSQL is an advanced object-relational database management system. The
postgresql-jdbc package includes the .jar files needed for Java programs to
access a PostgreSQL database.

Security Fix(es):

* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
(CVE-2020-13692)

This update introduces a backwards incompatible change required to resolve
this issue. Refer to the Red Hat Knowledgebase article 5266441 linked to in
the References section for information on how to re-enable the old insecure
behavior.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1852985 - CVE-2020-13692 postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
postgresql-jdbc-9.2.1002-8.el7_8.src.rpm

noarch:
postgresql-jdbc-9.2.1002-8.el7_8.noarch.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
postgresql-jdbc-javadoc-9.2.1002-8.el7_8.noarch.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
postgresql-jdbc-9.2.1002-8.el7_8.src.rpm

noarch:
postgresql-jdbc-9.2.1002-8.el7_8.noarch.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
postgresql-jdbc-javadoc-9.2.1002-8.el7_8.noarch.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
postgresql-jdbc-9.2.1002-8.el7_8.src.rpm

noarch:
postgresql-jdbc-9.2.1002-8.el7_8.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
postgresql-jdbc-javadoc-9.2.1002-8.el7_8.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
postgresql-jdbc-9.2.1002-8.el7_8.src.rpm

noarch:
postgresql-jdbc-9.2.1002-8.el7_8.noarch.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
postgresql-jdbc-javadoc-9.2.1002-8.el7_8.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-13692
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/5266441

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXyhF79zjgjWX9erEAQizpQ/8DyPGzVKS7Jqppl2onyejfmSdea44xfwP
AZxG9K9l1n3tzO3K8DiO/bgOck+CTPUWPpdowJdEsLw3FT6Q51Sc2pIcs3xymn/q
9r7k46EV8fSN0Ub48V8s5rsjY6LzXZO8K05vvYtEa6mfA2iMI9Ffu3N2cJYs1Oik
lgPlGmRCqHrVmW5pk2m+6aDJiMliKxOGg4amvjGi8CjZjOHXB0Rf5t6l30reFNAv
fYc/BKXB2IDX8AZZYr5d/QwMbsa7TuWZU0j6lyaLVD4PRecbIM1HcoZdXVuhJ7+m
hhZRr5hz8NFeWXK1OAdpUPfAdS/ZKJahttqqnt0gLUw5m+04DY7ko3RYsfoaskNr
/Qtel5gklf2/Xsguy8N+4i3GSGGg+Vm4hWwtYaZ5vUMzqj6D97T+qGP8+H4Gery3
DzONStDG+XfeaeKOtnHVS3LxL4vYpDsni4vwX1IjxJeCxRxK6duIGNS8bi8m5JKG
qC44s8z3CAHgSukrOnRKEWgJ56d04otgB2G7WZ4VGDMQIsT0Tao3S4vhtKq+3HZ4
rOCsryWE8KXS4Gz/2MyETIsn7aI9ALxb+4uMLZ1GyF/iOCqiqTOJLT0GnbK7TQsv
DLrtYhcSRke8S88t54m2nwW+jkFXWdKjBrg/JvJzJv8/P7OVM8pqZhqbHfT5vMXD
ClAuLK4qExE=
=u73N
- -----END PGP SIGNATURE-----

- ---------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: postgresql-jdbc security update
Advisory ID:       RHSA-2020:3286-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3286
Issue date:        2020-08-03
CVE Names:         CVE-2020-13692
=====================================================================

1. Summary:

An update for postgresql-jdbc is now available for Red Hat Enterprise Linux
8.1 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.1) - noarch

3. Description:

PostgreSQL is an advanced object-relational database management system. The
postgresql-jdbc package includes the .jar files needed for Java programs to
access a PostgreSQL database.

Security Fix(es):

* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
(CVE-2020-13692)

This update introduces a backwards incompatible change required to resolve
this issue. Refer to the Red Hat Knowledgebase article 5266441 linked to in
the References section for information on how to re-enable the old insecure
behavior.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1852985 - CVE-2020-13692 postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.1):

Source:
postgresql-jdbc-42.2.3-3.el8_1.src.rpm

noarch:
postgresql-jdbc-42.2.3-3.el8_1.noarch.rpm
postgresql-jdbc-javadoc-42.2.3-3.el8_1.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-13692
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/5266441

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXyhBQNzjgjWX9erEAQj0BBAAjk2lRPYoKRGvceXncvz5L6/pItjMDhAL
rh7KWpVCx5W4RX+3Yy4pu/0giz8sdEWBH0s2L2affHMD8k/hKUAu/0TdF0SA2EJ6
QT5h+eBnyKtuv2Is0cAVBAbDLRHhNODJ1bUq1EkNZxdGQB6JL2uExpwAYyfYcmNe
FNf3BdUnShaTcKy3XuU6JL3idbCG2R3J5Af8CAaywMXUok2+dYNNKBCjneZHmLsI
gzwc6scZ0FWVRLrzm8Ez483oQ66XmSryrNeZLptg9xdqFoJ9nFO5JugYIl2kUMGG
0ECzSnYGrqPPGDG5oX63dWGZpfr4+RJCM21xPgMvxaLeeBeXfmI0uRtMarBzTHip
5apDrh76+W4W9EA/Iyp71ADUOSnuOW990NF5asxW64mRBdscUtZ9NUXW5F8RU38k
CNhFZRRcZpUIzj4mYkrHApfav7GFHGQbXWsfcbp6KUkYgwjVsDoISSUrqK1wUzBV
GOMIkO3zxhH+DGfzME0aa6JQ5k1eO+UWJ2yaX4GmiCM5E1iPQdkZ72b6a7gRVrtO
Z7M1R6XZuIaJXNTQW3Yfp7gLBjeNoYVazmEcpOMJU3QXzAHZiIa0n0hJOd1YI2U3
PUx0P8WHJRADRg9d4KGQVfcFVcmOhfzIpDgFuwfx94Xxx87Ec+M+kFfJpqS+LyJI
5WMKjkCx6ZM=
=7nPI
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXyiibuNLKJtyKPYoAQgzog/8DbteWKpGtYVnnXCYUodRf8iF1Tl4z1Qg
mMVbaErqKBu3wlnqFgdTZuc1Rh0VLMu3HPVleZNIfsG7iXyW7lDaYS/GsweKF7xB
3fIwU+90yurws0BJxK8fvzw632t1fQ1HpKg7wPhmekrezcRSxWEqGvwwwdPjjuWT
YcKyB4v5N2gysXFOAUUNBGLaSoCC2mcq74Ej0rFUGrtfoBxWYAatUXHJitIBWlWD
fqrTSbln2evBTvxD1p7M8faLGxOLSEN+KOyjIur0YnK4FcKuLq13lCe+N8IwjljI
voPMZZF76fsYe+vvCLa5wueNVY5Nal92+/t4UJBL24PlCg3gPhYq0UELAmBIvEXx
O8gbZhxZ6OchpX5SUxSlVqn90GlJFTqNdnnyiALvbsKV4CG909npUFrepjHsowri
+7/pUgoi/4vlmIGyInmzKGJfh5XZHGORYs6HeQz3yAvVWbNFaNs9IHFtDZgEeJG7
1PxEtYD9VN6yA7CdDqEucUMs2vd1Pw7L6gZJfsZNWWhADkjdRLi/9JOhL79o29U4
4Aoo4m2IIG8af49EIqMBxgb1wIicSoKvFeg4x9gHVDxOwOjarlXAcx0VJFOwyBu5
0PJVWbHerQTuP4jrtRuN52D9bP3E+NlC/SkwT0GGWAifjMzN+hAmm6OcQrepqN4H
3SZ9ecaxwRw=
=YGCp
-----END PGP SIGNATURE-----
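The four advisories above describe the fix only as a backwards incompatible change that turns off the old insecure XML handling in PgSQLXML, and point to Knowledgebase article 5266441 for re-enabling it. The Java program below is an added example written for this bulletin; it is not code from the advisories, from Red Hat or from the pgjdbc project. It shows the defect class in the JDK's standard JAXP DOM parser (a document carrying a DOCTYPE with an external entity is resolved with the default factory settings, so the contents of a local file readable by the process flow into the parsed document) next to the hardened factory configuration a defender should expect from any component that parses XML taken from a database column or a SQLXML parameter, and it verifies that the hardened parser rejects such a document before any entity is resolved. The class and method names are mine, the canary file is constructed in a temporary directory, and only the DOM path is covered; nothing here states which parser features the Red Hat backport actually toggles or how the Knowledgebase article restores the legacy behaviour.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Added example (not pgjdbc code): legacy vs. hardened JAXP DOM parser on an XXE-style document. */
public class XxeHardeningCheck {

    /** JAXP defaults: a DOCTYPE is accepted and external general entities are fetched and expanded. */
    static DocumentBuilder legacyInsecureBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened: no DOCTYPE at all, so no entity (internal or external) can be declared. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Primary control: reject any document that carries a DOCTYPE declaration.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that must accept a DOCTYPE: never resolve external entities or DTDs.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the XML text and returns the text content of its root element. */
    static String rootText(DocumentBuilder b, String xml) throws SAXException, IOException {
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed canary file: stands in for any local file the JDBC client process can read.
        Path canary = Files.createTempFile("xxe-canary", ".txt");
        Files.write(canary, "CANARY-CONTENT".getBytes(StandardCharsets.UTF_8));
        canary.toFile().deleteOnExit();

        // Constructed XML value, shaped like untrusted content arriving in an xml-typed column.
        String untrusted = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"" + canary.toUri() + "\">]>\n"
                + "<d>&ext;</d>";

        // Legacy behaviour: the entity is resolved and the file contents land in the DOM.
        System.out.println("legacy parser   -> " + rootText(legacyInsecureBuilder(), untrusted));

        // Hardened behaviour: the parse fails on the DOCTYPE, before any entity is resolved.
        try {
            rootText(hardenedBuilder(), untrusted);
            System.out.println("hardened parser -> UNEXPECTED: document accepted");
        } catch (SAXException e) {
            System.out.println("hardened parser -> rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac XxeHardeningCheck.java && java XxeHardeningCheck` on any JDK 8 or later; no database is needed. The first line prints the canary file's contents, the second a parse error mentioning the disallowed DOCTYPE. The same feature set applies to `SAXParserFactory`, and a StAX consumer gets the equivalent protection by setting `XMLInputFactory.SUPPORT_DTD` to false; when auditing an application that reads `SQLXML` values, check whichever of these parsers it hands the data to.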