git: 22c09215c08f - main - security/vuxml: add issue for PostgreSQL
Date: Thu, 08 Feb 2024 21:29:19 UTC
The branch main has been updated by girgen:

URL: https://cgit.FreeBSD.org/ports/commit/?id=22c09215c08ff9ff04e5d6449bebab7638156aee

commit 22c09215c08ff9ff04e5d6449bebab7638156aee
Author:     Palle Girgensohn <girgen@FreeBSD.org>
AuthorDate: 2024-02-08 17:19:42 +0000
Commit:     Palle Girgensohn <girgen@FreeBSD.org>
CommitDate: 2024-02-08 21:28:35 +0000

    security/vuxml: add issue for PostgreSQL

    https://www.postgresql.org/support/security/CVE-2024-0985/
---
 security/vuxml/vuln/2024.xml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
index 9851cfba660c..0407963b8561 100644
--- a/security/vuxml/vuln/2024.xml
+++ b/security/vuxml/vuln/2024.xml
@@ -1,3 +1,42 @@ + <vuln vid="19e6dd1b-c6a5-11ee-9cd0-6cc21735f730"> + <topic>postgresql-server -- non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL</topic> + <affects> + <package> + <name>postgresql-server</name> + <range><lt>15.6</lt></range> + <range><lt>14.11</lt></range> + <range><lt>13.14</lt></range> + <range><lt>12.18</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>PostgreSQL Project reports:</p> + <blockquote cite="https://www.postgresql.org/support/security/CVE-2024-0985/"> + <p> + One step of a concurrent refresh command was run under + weak security restrictions. If a materialized view's + owner could persuade a superuser or other + high-privileged user to perform a concurrent refresh on + that view, the view's owner could control code executed + with the privileges of the user running REFRESH. The fix + for the vulnerability makes is so that all + user-determined code is run as the view's owner, as + expected. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>2024-0985</cvename> + <url>https://www.postgresql.org/support/security/CVE-2024-0985/</url> + </references> + <dates> + <discovery>2024-02-08</discovery> + <entry>2024-02-08</entry> + </dates> + </vuln> + <vuln vid="6b2cba6a-c6a5-11ee-97d0-001b217b3468"> <topic>Gitlab -- vulnerabilities</topic> <affects>
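Review bot: the version ranges in the new <affects> block have no lower bounds, so they overlap: `<range><lt>15.6</lt></range>` on its own matches every postgresql-server version below 15.6, which includes the patched 14.11, 13.14 and 12.18 that the following three ranges are meant to treat as fixed, so pkg audit will report fully patched 12.x, 13.x and 14.x installations as vulnerable. Bound each range to its major series, for example `<range><ge>15.0</ge><lt>15.6</lt></range>` and `<range><ge>14.0</ge><lt>14.11</lt></range>`, and likewise for 13 and 12. Separately, the quoted advisory text in the description reads "The fix for the vulnerability makes is so that"; since the blockquote cites the upstream advisory, compare it against the source and correct the wording to "makes it so that" unless upstream really carries the typo.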