An update for postgresql is now available for openEuler-22.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-2055 Final 1.0 1.0 2024-08-23 Initial 2024-08-23 2024-08-23 openEuler SA Tool V1.0 2024-08-23 postgresql security update An update for postgresql is now available for openEuler-22.03-LTS-SP4 PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions). The postgresql package includes the client programs and libraries that you'll need to access a PostgreSQL DBMS server. Security Fix(es): Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.(CVE-2024-7348) An update for postgresql is now available for openEuler-22.03-LTS-SP4. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High postgresql https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2055 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-7348 https://nvd.nist.gov/vuln/detail/CVE-2024-7348 openEuler-22.03-LTS-SP4 postgresql-13.16-1.oe2203sp4.aarch64.rpm postgresql-contrib-13.16-1.oe2203sp4.aarch64.rpm postgresql-debuginfo-13.16-1.oe2203sp4.aarch64.rpm postgresql-debugsource-13.16-1.oe2203sp4.aarch64.rpm postgresql-docs-13.16-1.oe2203sp4.aarch64.rpm postgresql-llvmjit-13.16-1.oe2203sp4.aarch64.rpm postgresql-plperl-13.16-1.oe2203sp4.aarch64.rpm postgresql-plpython3-13.16-1.oe2203sp4.aarch64.rpm postgresql-pltcl-13.16-1.oe2203sp4.aarch64.rpm postgresql-private-devel-13.16-1.oe2203sp4.aarch64.rpm postgresql-private-libs-13.16-1.oe2203sp4.aarch64.rpm postgresql-server-13.16-1.oe2203sp4.aarch64.rpm postgresql-server-devel-13.16-1.oe2203sp4.aarch64.rpm postgresql-static-13.16-1.oe2203sp4.aarch64.rpm postgresql-test-13.16-1.oe2203sp4.aarch64.rpm postgresql-13.16-1.oe2203sp4.src.rpm postgresql-13.16-1.oe2203sp4.x86_64.rpm postgresql-contrib-13.16-1.oe2203sp4.x86_64.rpm postgresql-debuginfo-13.16-1.oe2203sp4.x86_64.rpm postgresql-debugsource-13.16-1.oe2203sp4.x86_64.rpm postgresql-docs-13.16-1.oe2203sp4.x86_64.rpm postgresql-llvmjit-13.16-1.oe2203sp4.x86_64.rpm postgresql-plperl-13.16-1.oe2203sp4.x86_64.rpm postgresql-plpython3-13.16-1.oe2203sp4.x86_64.rpm postgresql-pltcl-13.16-1.oe2203sp4.x86_64.rpm postgresql-private-devel-13.16-1.oe2203sp4.x86_64.rpm postgresql-private-libs-13.16-1.oe2203sp4.x86_64.rpm postgresql-server-13.16-1.oe2203sp4.x86_64.rpm postgresql-server-devel-13.16-1.oe2203sp4.x86_64.rpm postgresql-static-13.16-1.oe2203sp4.x86_64.rpm postgresql-test-13.16-1.oe2203sp4.x86_64.rpm postgresql-test-rpm-macros-13.16-1.oe2203sp4.noarch.rpm Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected. 2024-08-23 CVE-2024-7348 openEuler-22.03-LTS-SP4 High 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H postgresql security update 2024-08-23 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2055