Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.4275 rh-postgresql12/13-postgresql security update 17 December 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: rh-postgresql13-postgresql rh-postgresql12-postgresql Publisher: Red Hat Operating System: Red Hat Impact/Access: Provide Misleading Information -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Reduced Security -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2021-23222 CVE-2021-23214 CVE-2021-3677 Reference: ESB-2021.4239 ESB-2021.3253 Original Bulletin: https://access.redhat.com/errata/RHSA-2021:5179 https://access.redhat.com/errata/RHSA-2021:5197 Comment: This bulletin contains two (2) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: rh-postgresql13-postgresql security update Advisory ID: RHSA-2021:5179-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2021:5179 Issue date: 2021-12-16 CVE Names: CVE-2021-3677 CVE-2021-23214 CVE-2021-23222 ===================================================================== 1. Summary: An update for rh-postgresql13-postgresql is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: rh-postgresql13-postgresql (13.5). Security Fix(es): * postgresql: memory disclosure in certain queries (CVE-2021-3677) * postgresql: server processes unencrypted bytes from man-in-the-middle (CVE-2021-23214) * postgresql: libpq processes unencrypted bytes from man-in-the-middle (CVE-2021-23222) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 If the postgresql service is running, it will be automatically restarted after installing this update. 5. Bugs fixed (https://bugzilla.redhat.com/): 2001857 - CVE-2021-3677 postgresql: memory disclosure in certain queries 2022666 - CVE-2021-23214 postgresql: server processes unencrypted bytes from man-in-the-middle 2022675 - CVE-2021-23222 postgresql: libpq processes unencrypted bytes from man-in-the-middle 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-postgresql13-postgresql-13.5-1.el7.src.rpm ppc64le: rh-postgresql13-postgresql-13.5-1.el7.ppc64le.rpm rh-postgresql13-postgresql-contrib-13.5-1.el7.ppc64le.rpm rh-postgresql13-postgresql-contrib-syspaths-13.5-1.el7.ppc64le.rpm rh-postgresql13-postgresql-debuginfo-13.5-1.el7.ppc64le.rpm rh-postgresql13-postgresql-devel-13.5-1.el7.ppc64le.rpm rh-postgresql13-postgresql-docs-13.5-1.el7.ppc64le.rpm rh-postgresql13-postgresql-libs-13.5-1.el7.ppc64le.rpm rh-postgresql13-postgresql-plperl-13.5-1.el7.ppc64le.rpm rh-postgresql13-postgresql-plpython-13.5-1.el7.ppc64le.rpm rh-postgresql13-postgresql-plpython3-13.5-1.el7.ppc64le.rpm rh-postgresql13-postgresql-pltcl-13.5-1.el7.ppc64le.rpm rh-postgresql13-postgresql-server-13.5-1.el7.ppc64le.rpm rh-postgresql13-postgresql-server-syspaths-13.5-1.el7.ppc64le.rpm rh-postgresql13-postgresql-static-13.5-1.el7.ppc64le.rpm rh-postgresql13-postgresql-syspaths-13.5-1.el7.ppc64le.rpm rh-postgresql13-postgresql-test-13.5-1.el7.ppc64le.rpm s390x: rh-postgresql13-postgresql-13.5-1.el7.s390x.rpm rh-postgresql13-postgresql-contrib-13.5-1.el7.s390x.rpm rh-postgresql13-postgresql-contrib-syspaths-13.5-1.el7.s390x.rpm rh-postgresql13-postgresql-debuginfo-13.5-1.el7.s390x.rpm rh-postgresql13-postgresql-devel-13.5-1.el7.s390x.rpm rh-postgresql13-postgresql-docs-13.5-1.el7.s390x.rpm rh-postgresql13-postgresql-libs-13.5-1.el7.s390x.rpm rh-postgresql13-postgresql-plperl-13.5-1.el7.s390x.rpm rh-postgresql13-postgresql-plpython-13.5-1.el7.s390x.rpm rh-postgresql13-postgresql-plpython3-13.5-1.el7.s390x.rpm rh-postgresql13-postgresql-pltcl-13.5-1.el7.s390x.rpm rh-postgresql13-postgresql-server-13.5-1.el7.s390x.rpm rh-postgresql13-postgresql-server-syspaths-13.5-1.el7.s390x.rpm rh-postgresql13-postgresql-static-13.5-1.el7.s390x.rpm rh-postgresql13-postgresql-syspaths-13.5-1.el7.s390x.rpm rh-postgresql13-postgresql-test-13.5-1.el7.s390x.rpm x86_64: rh-postgresql13-postgresql-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-contrib-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-contrib-syspaths-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-debuginfo-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-devel-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-docs-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-libs-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-plperl-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-plpython-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-plpython3-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-pltcl-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-server-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-server-syspaths-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-static-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-syspaths-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-test-13.5-1.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-postgresql13-postgresql-13.5-1.el7.src.rpm x86_64: rh-postgresql13-postgresql-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-contrib-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-contrib-syspaths-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-debuginfo-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-devel-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-docs-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-libs-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-plperl-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-plpython-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-plpython3-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-pltcl-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-server-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-server-syspaths-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-static-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-syspaths-13.5-1.el7.x86_64.rpm rh-postgresql13-postgresql-test-13.5-1.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-3677 https://access.redhat.com/security/cve/CVE-2021-23214 https://access.redhat.com/security/cve/CVE-2021-23222 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYbuXmdzjgjWX9erEAQhvZA//dYfaVYzxyxziVcoIppyy2lvWPepUqH3o 9tR7Qak57MRdqlQAZi/P0D8hPXr6pwdsYIy3aFi/Qphubbe/bZuk27ZyGCGPDx4K bxMsxwdk/ErcOVp9lU7m44tRM6Q4uylHqeXBAccoTyoFWOerlCoNrV8Miz8AJiGe mABDJPiwFqJoqADosMK/mpj/pvztUg9+Gt+mWSkVfDETkVaWbESIHX4+rv7/coZS DVttzECI/IuD3T/7NTxMor4cQjrSLY+HNGc5UrvIuWNShg7YRU6MXEd3yM44HAo0 82ZZQaKnZgwW+83I2mHuRdl3AOsM2o2FzbCe4/oR9Z1+rdedcTeGANlf7hIeGOM8 coHF6dxGFMh2bymXxLOzpIA5iTyoK83ulxzsO0qrOLTT5iT9KrSF1J+eovqidVQX 6ndyuA4O5D4a0p61THVvHqJTIWbg+64v4JgXGNIrQDxXIcSYSd4Kp4WlSXy9Ge0p SFFhSxbpuPngakB+R5bZ9jn9pTVs6R5Vd4dDrsUkPbxWD7+Mpb9Atzl3tRI5y2yv CvRfIGxUqOa3XjfI6GYX4CoaK+6YhLnFvzC/qaf6ZkSwa4oZ1kwgx2ShHpxEgxI1 oUPV+/lOIe52sUR9vFSVJeVmlK3Rs5V/85uA7Nupx9NF6JIed4sZ6cG4WPGM6Ceh pOpmMYyNNUI= =0uC2 - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: rh-postgresql12-postgresql security update Advisory ID: RHSA-2021:5197-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2021:5197 Issue date: 2021-12-16 CVE Names: CVE-2021-3677 CVE-2021-23214 CVE-2021-23222 ===================================================================== 1. Summary: An update for rh-postgresql12-postgresql is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: rh-postgresql12-postgresql (12.9). Security Fix(es): * postgresql: memory disclosure in certain queries (CVE-2021-3677) * postgresql: server processes unencrypted bytes from man-in-the-middle (CVE-2021-23214) * postgresql: libpq processes unencrypted bytes from man-in-the-middle (CVE-2021-23222) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 If the postgresql service is running, it will be automatically restarted after installing this update. 5. Bugs fixed (https://bugzilla.redhat.com/): 2001857 - CVE-2021-3677 postgresql: memory disclosure in certain queries 2022666 - CVE-2021-23214 postgresql: server processes unencrypted bytes from man-in-the-middle 2022675 - CVE-2021-23222 postgresql: libpq processes unencrypted bytes from man-in-the-middle 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-postgresql12-postgresql-12.9-1.el7.src.rpm ppc64le: rh-postgresql12-postgresql-12.9-1.el7.ppc64le.rpm rh-postgresql12-postgresql-contrib-12.9-1.el7.ppc64le.rpm rh-postgresql12-postgresql-contrib-syspaths-12.9-1.el7.ppc64le.rpm rh-postgresql12-postgresql-debuginfo-12.9-1.el7.ppc64le.rpm rh-postgresql12-postgresql-devel-12.9-1.el7.ppc64le.rpm rh-postgresql12-postgresql-docs-12.9-1.el7.ppc64le.rpm rh-postgresql12-postgresql-libs-12.9-1.el7.ppc64le.rpm rh-postgresql12-postgresql-plperl-12.9-1.el7.ppc64le.rpm rh-postgresql12-postgresql-plpython-12.9-1.el7.ppc64le.rpm rh-postgresql12-postgresql-pltcl-12.9-1.el7.ppc64le.rpm rh-postgresql12-postgresql-server-12.9-1.el7.ppc64le.rpm rh-postgresql12-postgresql-server-syspaths-12.9-1.el7.ppc64le.rpm rh-postgresql12-postgresql-static-12.9-1.el7.ppc64le.rpm rh-postgresql12-postgresql-syspaths-12.9-1.el7.ppc64le.rpm rh-postgresql12-postgresql-test-12.9-1.el7.ppc64le.rpm s390x: rh-postgresql12-postgresql-12.9-1.el7.s390x.rpm rh-postgresql12-postgresql-contrib-12.9-1.el7.s390x.rpm rh-postgresql12-postgresql-contrib-syspaths-12.9-1.el7.s390x.rpm rh-postgresql12-postgresql-debuginfo-12.9-1.el7.s390x.rpm rh-postgresql12-postgresql-devel-12.9-1.el7.s390x.rpm rh-postgresql12-postgresql-docs-12.9-1.el7.s390x.rpm rh-postgresql12-postgresql-libs-12.9-1.el7.s390x.rpm rh-postgresql12-postgresql-plperl-12.9-1.el7.s390x.rpm rh-postgresql12-postgresql-plpython-12.9-1.el7.s390x.rpm rh-postgresql12-postgresql-pltcl-12.9-1.el7.s390x.rpm rh-postgresql12-postgresql-server-12.9-1.el7.s390x.rpm rh-postgresql12-postgresql-server-syspaths-12.9-1.el7.s390x.rpm rh-postgresql12-postgresql-static-12.9-1.el7.s390x.rpm rh-postgresql12-postgresql-syspaths-12.9-1.el7.s390x.rpm rh-postgresql12-postgresql-test-12.9-1.el7.s390x.rpm x86_64: rh-postgresql12-postgresql-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-contrib-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-contrib-syspaths-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-debuginfo-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-devel-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-docs-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-libs-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-plperl-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-plpython-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-pltcl-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-server-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-server-syspaths-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-static-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-syspaths-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-test-12.9-1.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-postgresql12-postgresql-12.9-1.el7.src.rpm x86_64: rh-postgresql12-postgresql-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-contrib-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-contrib-syspaths-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-debuginfo-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-devel-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-docs-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-libs-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-plperl-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-plpython-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-pltcl-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-server-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-server-syspaths-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-static-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-syspaths-12.9-1.el7.x86_64.rpm rh-postgresql12-postgresql-test-12.9-1.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-3677 https://access.redhat.com/security/cve/CVE-2021-23214 https://access.redhat.com/security/cve/CVE-2021-23222 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYbuXetzjgjWX9erEAQgkvBAAnferJ5j44HK7yiCMceWWYwHOHJgbJiEv V7HhN9m1nIxZnT+z4e6d77xMAKHXcuFx8Nn9DDetBgLeQ+mAYqDk79mXFPXfYxEC rjHoqex2vjXSe1/sYSPaw9DhLXHaQK1mxu80qk/4niLMXRwF3tAI/u6C1QNa7E3r p4d9RUmGQoHQSs4onpmrYYdhAQk/g/riMOpmGm4ZVT5c27L3TJ8cbDzYgxTqzxqn +HaCEPy5aTwK/z5/HouAnQx8cRbj/a4gNXAJIF35ZzNAtDl9hSGiYns5D7BYHnOs QB9j3J7tBAu+U2Zs0Ze8QcY0/XvLsb7sfB09dTsojgC3KRVSvIAxgFIgHEmPrxh1 MZPdjyU+x3WCD7R42HQBeyPxurWhYmvUATKqNdJ3c5aX5RKcyvOSWXvyJYyhS4NA mN1RCh3COE/JiEmALfSXGKtUlOJQlUfAy3EBjra4zXpp1hIQjAfBzCozvbITc0NR X9g7rEU+xUaRJ+nXmLcCe1AdMSaRCmDCK+v/YsdP1A/GuXLt9i0s3vEWyjfVRrIm WUHRJtaKG/FhRgmHInGoFIzgfp0dZQuP4nyKkf0iHXQJ1UtlDKc1uYx9ethM/Xhw vIgWBiouR1angdIgqEvTjt1ORrQMFz7101WoZGTTS8oLHwRoNESKpz6DrekSf5vn AM1bXQVQAso= =sk3x - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYbvIqONLKJtyKPYoAQivPw//fye7tJLBkLYvybE34ZZrz910f+quXT64 ssHu517I0M/mmZ0NWZc7QrJabiKWRee+lS/wfxZA6q4Numn3uGxOPN5yNLnfMFxe 5LRu91H5Cd3nlmy6bdEVmHG3dLeJTu1vvYWJIm4BhnuSq88BQYezWU+mk+vPsE+5 N+38FGSR2Zm80wwdOTywEuNjOjmLqRr/pheElmQq1+Ma5Ub92zhX9jxWZTTXCvrP vI4khLmDdKsYAZ7MiteFGPwsasUawMiKJuGss48FohVM+0uNLNOt7SNid6i8V/xV 97j+agQkpsyS76WB0uwsszSVwmB/Zvr3y/+36V3+YNprAKQZXfyxQQDSo3mOi0ax 2zJm04aH3ndcLl3h1It/UHvyWfzmqP/TBDgW8sCLftTsUnnyA9cUdtRnu7o0+ss7 mc1Tw2iUN07a6mXHEQrsAFDn95gakhQTQxMnRhFwKYwSn5pUGg/oE8iRh4SZPfsu Jn8CRg/mZE1XwKpvQMijUFkVhMbE+onlVWIzVulXqgS8xxupM05HuGSjKiPATtdZ +eIlfzzSZZRhP/oPWS6k68MPpbZA0ZEkeHwr0vnRtdHaysey/aixe2JznkOnXL3I vZhDU2o5sNp1A0uT9fbHINs+fEMSBGTi/Cr5yoR0MF/0402zCfcH/GrzBd3PlYWt G0RTVu6lT+g= =Zpe+ -----END PGP SIGNATURE-----