Bug 1224038 (CVE-2024-4317) - VUL-0: CVE-2024-4317: postgresql14,postgresql15,postgresql16: Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner
Status: IN_PROGRESS
Alias: CVE-2024-4317
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/404774/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-4317:6.2:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-08 08:08 UTC by SMASH SMASH
Modified: 2024-07-02 12:30 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-05-08 08:08:57 UTC
CRD: 2024-05-08

via reinhard / postgresql predisclosure

   • Restrict visibility of pg_stats_ext and pg_stats_ext_exprs
     entries to the table owner (Nathan Bossart)

     These views failed to hide statistics for expressions that
     involve columns the accessing user does not have permission
     to read. View columns such as most_common_vals might expose
     security-relevant data. The potential interactions here are
     not fully clear, so in the interest of erring on the side of
     safety, make rows in these views visible only to the owner
     of the associated table.

     The PostgreSQL Project thanks Lukas Fittl for reporting this
     problem. (CVE-2024-4317)

     By itself, this fix will only fix the behavior in newly
     initdb'd database clusters. If you wish to apply this change
     in an existing cluster, you will need to do the following:

      1. Find the SQL script fix-CVE-2024-4317.sql in the share
         directory of the PostgreSQL installation (typically
         located someplace like /usr/share/postgresql/). Be sure
         to use the script appropriate to your PostgreSQL major
         version. If you do not see this file, either your
         version is not vulnerable (only v14–v16 are affected) or
         your minor version is too old to have the fix.

      2. In each database of the cluster, run the
         fix-CVE-2024-4317.sql script as superuser. In psql this
         would look like

         \i /usr/share/postgresql/fix-CVE-2024-4317.sql

         (adjust the file path as appropriate). Any error
         probably indicates that you've used the wrong script
         version. It will not hurt to run the script more than
         once.

      3. Do not forget to include the template0 and template1
         databases, or the vulnerability will still exist in
         databases you create later. To fix template0, you'll
         need to temporarily make it accept connections. Do that
         with

         ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;

         and then after fixing template0, undo it with

         ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
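
Added example (not part of the bug report or of the PostgreSQL release notes): steps 2 and 3 above as one shell script that walks every database, opens `template0` only for the duration of the fix, and restores its setting even if the fix script fails. The function names, the `--apply` switch and the use of `postgres` as the maintenance database are assumptions of this example; the script path is the one quoted above and must be adjusted.

```shell
#!/bin/sh
# Added example: run fix-CVE-2024-4317.sql in every database of one cluster.
# Assumptions: psql connects as a superuser through the usual PG* settings,
# "postgres" is the maintenance database, names contain no '|' or newline.
FIX_SQL="${FIX_SQL:-/usr/share/postgresql/fix-CVE-2024-4317.sql}"

# Double-quote an identifier for use in SQL.
qid() { printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"; }

# Run one statement in the maintenance database.
admin_sql() { psql -X -q -v ON_ERROR_STOP=1 -d postgres -c "$1"; }

# List "datname|datallowconn" for all databases, templates included.
list_databases() {
  psql -X -At -F '|' -d postgres \
    -c 'SELECT datname, datallowconn FROM pg_database ORDER BY datname'
}

# $1 = database, $2 = datallowconn (t/f). A database that refuses
# connections (template0) is opened, fixed, then closed again.
fix_database() {
  rc=0
  if [ "$2" = f ]; then
    admin_sql "ALTER DATABASE $(qid "$1") WITH ALLOW_CONNECTIONS true;" || return 1
  fi
  psql -X -q -v ON_ERROR_STOP=1 -d "$1" -f "$FIX_SQL" || rc=1
  # Restore the original setting even when the script failed.
  if [ "$2" = f ]; then
    admin_sql "ALTER DATABASE $(qid "$1") WITH ALLOW_CONNECTIONS false;" || rc=1
  fi
  return "$rc"
}

# Fix every database; return non-zero if any of them failed.
fix_cluster() {
  [ -r "$FIX_SQL" ] || { echo "cannot read $FIX_SQL" >&2; return 2; }
  dbs=$(list_databases) || return 2
  failed=0
  while IFS='|' read -r db allow; do
    [ -n "$db" ] || continue
    fix_database "$db" "$allow" </dev/null ||
      { echo "FAILED: $db" >&2; failed=$((failed + 1)); }
  done <<EOF
$dbs
EOF
  [ "$failed" -eq 0 ]
}

# Run only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--apply" ]; then fix_cluster; fi
```

A non-zero exit means at least one database was not fixed; the failing names are printed on stderr.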
Comment 1 Marcus Meissner 2024-05-08 14:58:23 UTC
CRD: 2024-05-09
Comment 3 Carlos López 2024-05-09 16:18:13 UTC
Public:
https://www.postgresql.org/support/security/CVE-2024-4317/
Comment 4 OBSbugzilla Bot 2024-05-09 17:25:02 UTC
This is an autogenerated message for OBS integration:
This bug (1224038) was mentioned in
https://build.opensuse.org/request/show/1172960 Factory / postgresql16
https://build.opensuse.org/request/show/1172961 Factory / postgresql15
https://build.opensuse.org/request/show/1172962 Factory / postgresql14
Comment 5 Maintenance Automation 2024-05-15 08:30:18 UTC
SUSE-SU-2024:1653-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1224038, 1224051
CVE References: CVE-2024-4317
Maintenance Incident: [SUSE:Maintenance:33784](https://smelt.suse.de/incident/33784/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 postgresql15-15.7-3.25.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 postgresql15-15.7-3.25.1
SUSE Linux Enterprise Server 12 SP5 (src):
 postgresql15-15.7-3.25.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 postgresql15-15.7-3.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2024-05-15 08:30:20 UTC
SUSE-SU-2024:1652-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1224038, 1224051
CVE References: CVE-2024-4317
Maintenance Incident: [SUSE:Maintenance:33783](https://smelt.suse.de/incident/33783/)
Sources used:
openSUSE Leap 15.5 (src):
 postgresql16-mini-16.3-150200.5.13.1, postgresql16-16.3-150200.5.13.1
Basesystem Module 15-SP5 (src):
 postgresql16-16.3-150200.5.13.1
SUSE Package Hub 15 15-SP5 (src):
 postgresql16-16.3-150200.5.13.1
Server Applications Module 15-SP5 (src):
 postgresql16-16.3-150200.5.13.1

Comment 7 Maintenance Automation 2024-05-15 08:30:22 UTC
SUSE-SU-2024:1651-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1224038, 1224051
CVE References: CVE-2024-4317
Maintenance Incident: [SUSE:Maintenance:33782](https://smelt.suse.de/incident/33782/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 postgresql16-16.3-3.13.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 postgresql16-16.3-3.13.1
SUSE Linux Enterprise Server 12 SP5 (src):
 postgresql16-16.3-3.13.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 postgresql16-16.3-3.13.1

Comment 9 Maintenance Automation 2024-05-20 20:30:10 UTC
SUSE-SU-2024:1703-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1224038, 1224051
CVE References: CVE-2024-4317
Maintenance Incident: [SUSE:Maintenance:33786](https://smelt.suse.de/incident/33786/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 postgresql14-14.12-3.41.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 postgresql14-14.12-3.41.1
SUSE Linux Enterprise Server 12 SP5 (src):
 postgresql14-14.12-3.41.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 postgresql14-14.12-3.41.1

Comment 10 Maintenance Automation 2024-05-23 12:30:00 UTC
SUSE-SU-2024:1768-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1224038, 1224051
CVE References: CVE-2024-4317
Maintenance Incident: [SUSE:Maintenance:33787](https://smelt.suse.de/incident/33787/)
Sources used:
openSUSE Leap 15.5 (src):
 postgresql14-14.12-150200.5.44.1
Legacy Module 15-SP5 (src):
 postgresql14-14.12-150200.5.44.1
SUSE Package Hub 15 15-SP5 (src):
 postgresql14-14.12-150200.5.44.1

Comment 11 Maintenance Automation 2024-05-24 16:30:03 UTC
SUSE-SU-2024:1777-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1224038, 1224051
CVE References: CVE-2024-4317
Maintenance Incident: [SUSE:Maintenance:33785](https://smelt.suse.de/incident/33785/)
Sources used:
openSUSE Leap 15.5 (src):
 postgresql15-15.7-150200.5.27.1
Basesystem Module 15-SP5 (src):
 postgresql15-15.7-150200.5.27.1
Server Applications Module 15-SP5 (src):
 postgresql15-15.7-150200.5.27.1

Comment 14 Maintenance Automation 2024-07-02 12:30:16 UTC
SUSE-SU-2024:2266-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1224038, 1224051
CVE References: CVE-2024-4317
Maintenance Incident: [SUSE:Maintenance:34478](https://smelt.suse.de/incident/34478/)
Sources used:
openSUSE Leap 15.6 (src):
 postgresql16-16.2-150600.16.2.1, postgresql16-mini-16.2-150600.16.2.1
Basesystem Module 15-SP6 (src):
 postgresql16-16.2-150600.16.2.1
Server Applications Module 15-SP6 (src):
 postgresql16-16.2-150600.16.2.1

Comment 15 Maintenance Automation 2024-07-02 12:30:24 UTC
SUSE-SU-2024:2262-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1224038, 1224051
CVE References: CVE-2024-4317
Maintenance Incident: [SUSE:Maintenance:34500](https://smelt.suse.de/incident/34500/)
Sources used:
openSUSE Leap 15.6 (src):
 postgresql14-14.12-150600.16.3.1
SUSE Package Hub 15 15-SP6 (src):
 postgresql14-14.12-150600.16.3.1

Comment 16 Maintenance Automation 2024-07-02 12:30:26 UTC
SUSE-SU-2024:2261-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1224038, 1224051
CVE References: CVE-2024-4317
Maintenance Incident: [SUSE:Maintenance:34499](https://smelt.suse.de/incident/34499/)
Sources used:
openSUSE Leap 15.6 (src):
 postgresql15-15.7-150600.16.3.1
Legacy Module 15-SP6 (src):
 postgresql15-15.7-150600.16.3.1
