===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0561
                   USN-4735-1: PostgreSQL vulnerability
                             16 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PostgreSQL
Publisher:         Ubuntu
Operating System:  Ubuntu
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3393  

Original Bulletin: 
   https://ubuntu.com/security/notices/USN-4735-1

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Ubuntu. It is recommended that administrators 
         running PostgreSQL check for an updated version of the software for
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

USN-4735-1: PostgreSQL vulnerability
15 February 2021

PostgreSQL could be made to expose sensitive information.

Releases

  o Ubuntu 20.10
  o Ubuntu 20.04 LTS

Packages

  o postgresql-12 - Object-relational SQL database

Details

Heikki Linnakangas discovered that PostgreSQL incorrectly leaked values of
denied columns when handling certain errors. A remote attacker could
possibly use this issue to obtain sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 20.10

  o postgresql-12 - 12.6-0ubuntu0.20.10.1

Ubuntu 20.04

  o postgresql-12 - 12.6-0ubuntu0.20.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
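
An added example, not part of the Ubuntu or AusCERT text: a POSIX shell check that compares an installed postgresql-12 package version with the fixed versions listed above and flags a server still running the old binaries because it has not been restarted. The function names, the `--live` switch and the assumption that `psql` can connect as the invoking user are illustrative.

```shell
#!/bin/sh
# Added example. Fixed versions are copied from the advisory text above.

# Print the fixed postgresql-12 version for an Ubuntu release, or fail.
fixed_version() {
    case "$1" in
        20.10) echo "12.6-0ubuntu0.20.10.1" ;;
        20.04) echo "12.6-0ubuntu0.20.04.1" ;;
        *) return 1 ;;
    esac
}

# version_ge A B: succeed when package version A >= B.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        # Fallback off Debian/Ubuntu: approximate the ordering with sort -V.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# check_package RELEASE INSTALLED: print fixed, vulnerable or unknown-release.
check_package() {
    want=$(fixed_version "$1") || { echo "unknown-release"; return 0; }
    if version_ge "$2" "$want"; then echo "fixed"; else echo "vulnerable"; fi
}

# restart_state INSTALLED RUNNING: RUNNING is the server_version string.
# Compares upstream versions only (text before "-" and before the first space).
restart_state() {
    if [ "${1%%-*}" = "${2%% *}" ]; then
        echo "running-current"
    else
        echo "restart-pending"
    fi
}

# Live check on an Ubuntu host; assumes psql can connect as the current user.
if [ "${1:-}" = "--live" ]; then
    . /etc/os-release
    installed=$(dpkg-query -W -f='${Version}' postgresql-12)
    running=$(psql -Atc 'SHOW server_version')
    echo "package: $(check_package "$VERSION_ID" "$installed")"
    echo "server:  $(restart_state "$installed" "$running")"
fi
```

A `fixed` package together with `restart-pending` means the update is installed but the running server has not yet picked it up.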

References

  o CVE-2021-3393

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================