Message-ID: <20241117003736.GA2085@openwall.com>
Date: Sun, 17 Nov 2024 01:37:36 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: PostgreSQL: 4 CVEs fixed in 17.1, 16.5, 15.9, 14.14, 13.17, 12.21

If someone in here contributes to or follows PostgreSQL development or
announcements (which I normally don't), I'd appreciate it if they start
bringing the relevant announcements to here.  Ditto for other projects.

On Sun, Nov 17, 2024 at 12:39:27AM +0100, Solar Designer wrote:
> As announced in:
>
> https://www.postgresql.org/about/news/postgresql-171-165-159-1414-1317-and-1221-released-2955/
> https://www.postgresql.org/message-id/173159332163.1547975.13346191756810493274%40wrigleys.postgresql.org
>
> new PostgreSQL updates to all supported versions fix 4 CVEs and 35
> non-security bugs.
>
> CVE-2024-10976 PostgreSQL row security below e.g. subqueries disregards user ID changes (CVSS 4.2)
> CVE-2024-10977 PostgreSQL libpq retains an error message from man-in-the-middle (CVSS 3.1)
> CVE-2024-10978 PostgreSQL SET ROLE, SET SESSION AUTHORIZATION reset to wrong user ID (CVSS 4.2)
> CVE-2024-10979 PostgreSQL PL/Perl environment variable changes execute arbitrary code (CVSS 8.8)

Turns out these releases caused two regressions and there "is planning
for an out-of-cycle release on November 21, 2024" to address them:

https://www.postgresql.org/message-id/173171334532.1547978.1518068370217143844%40wrigleys.postgresql.org

---
From: PostgreSQL Global Development Group <announce-noreply(at)postgresql(dot)org>
To: PostgreSQL Announce <pgsql-announce(at)lists(dot)postgresql(dot)org>
Subject: Out-of-cycle release scheduled for November 21, 2024
Date: 2024-11-15 23:29:05
Message-ID: 173171334532.1547978.1518068370217143844@...gleys.postgresql.org

The PostgreSQL Global Development Group is planning for an out-of-cycle
release on November 21, 2024 to address two regressions that were
released as part of the
[November 14, 2024 update release](https://www.postgresql.org/about/news/postgresql-171-165-159-1414-1317-and-1221-released-2955/),
which included releases for
[17.1, 16.5, 15.9, 14.14, 13.19, and 12.21](https://www.postgresql.org/about/news/postgresql-171-165-159-1414-1317-and-1221-released-2955/).
As part of this release, we will issue fixes for all supported versions
(17.2, 16.6, 15.10, 14.15, 13.20), and for 12.22, even though
PostgreSQL 12 is now EOL.

While these regressions may not impact all users, the PostgreSQL Global
Development Group determined that it would be better to address these
sooner than the
[next scheduled release on February 13, 2025](https://www.postgresql.org/developer/roadmap/).

A high-level description of the regressions is as follows.

1. The fix for
   [CVE-2024-10978](https://www.postgresql.org/support/security/CVE-2024-10978/)
   [prevented `ALTER USER ... SET ROLE ...` from having any effect](https://www.postgresql.org/message-id/CADOZwSb0UsEr4_UTFXC5k7%3DfyyK8uKXekucd%2B-uuGjJsGBfxgw%40mail.gmail.com).
   This will be fixed in the upcoming release.

2. Certain PostgreSQL extensions took a dependency on an Application
   Build Interface (ABI) that was modified in this release and
   [caused them to break](https://www.postgresql.org/message-id/CABOikdNmVBC1LL6pY26dyxAS2f%2BgLZvTsNt%3D2XbcyG7WxXVBBQ%40mail.gmail.com).
   Currently, this can be mitigated by rebuilding the extensions against
   the updated definition.

If you are impacted by either of these issues, we advise to wait for the
availability of 17.2, 16.6, 15.10, 14.15, 13.20, and 12.22 before
upgrading.
---

https://www.postgresql.org/message-id/CADOZwSb0UsEr4_UTFXC5k7%3DfyyK8uKXekucd%2B-uuGjJsGBfxgw%40mail.gmail.com

---
From: Etienne LAFARGE <etienne(dot)lafarge(at)gmail(dot)com>
To: pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Today's Postgres Releases break login roles
Date: 2024-11-15 14:47:26
Message-ID: CADOZwSb0UsEr4_UTFXC5k7=fyyK8uKXekucd+-uuGjJsGBfxgw@...l.gmail.com

Hello,

Today, when upgrading from Postgres 15.8 to 15.9, we realized that the
login role set for a user (with ALTER USER my_user SET ROLE my_role) was
not automatically set upon login any more.

This is particularly problematic for users of HashiCorp Vault's dynamic
users (like us), who often rely on ALTER ROLE xxx SET ROLE yyy to make
sure that dynamic & short-lived users created by vault create postgres
resources as a long-lived role, and not as themselves.

We suspect this commit
<https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=a5d2e6205>
to be the one that introduced this behavioral change.

I made a little testbench with docker compose so that the problem can be
reproduced easily and quickly (with comprehensive reproduction steps in
the README):
https://github.com/elafarge/pg_role_bug_reproduction_testbench
(feel free to change the

I'm at your disposal if you have any questions.

Kind Regards,

-Etienne
---

---
From: Pavan Deolasee <pavan(dot)deolasee(at)gmail(dot)com>
To: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Cc: Noah Misch <noah(at)leadboat(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Subject: Potential ABI breakage in upcoming minor releases
Date: 2024-11-14 10:48:02
Message-ID: CABOikdNmVBC1LL6pY26dyxAS2f+gLZvTsNt=2XbcyG7WxXVBBQ@...l.gmail.com

Hello,

Commit 51ff46de29f67d73549b2858f57e77ada8513369 (backported all the way
back to v12) added a new member to `ResultRelInfo` struct. This can
potentially cause ABI breakage for the extensions that allocate the
struct and pass it down to the PG code. The previously built extensions
may allocate a shorter struct, while the new PG code would expect a
larger struct, thus overwriting some memory unintentionally.

A better approach may have been what Tom did in
8cd190e13a22dab12e86f7f1b59de6b9b128c784, but I understand it might be
too late to change this since the releases are already tagged.
Nevertheless, I thought of bringing it up if others have different
views.

Thanks,
Pavan
---

Alexander
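
Added example (not part of the thread and not PostgreSQL code): the size
mismatch described in the ABI report above, shown with two hypothetical
stand-in structs. The field names and the abi_size_ok() guard are
assumptions for illustration, not the real ResultRelInfo definition or a
PostgreSQL API.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins: NOT the real ResultRelInfo field list. */
struct rel_info_old {            /* layout the extension was compiled against */
    int   type_tag;
    void *relation;
    int   n_indices;
};

struct rel_info_new {            /* same struct after the minor update */
    int   type_tag;
    void *relation;
    int   n_indices;
    void *added_member;          /* constructed name for the new member */
};

/* Size an extension built against the old header allocates. */
size_t extension_alloc_size(void) { return sizeof(struct rel_info_old); }

/* Bytes the updated server code may touch past a caller's allocation
 * when it accesses added_member. 0 means the access stays in bounds. */
size_t bytes_past_allocation(size_t alloc_size)
{
    size_t end = offsetof(struct rel_info_new, added_member)
               + sizeof(void *);
    return end > alloc_size ? end - alloc_size : 0;
}

/* Hypothetical guard: accept a caller-allocated struct only if the caller
 * was built against a definition at least as large as the current one. */
int abi_size_ok(size_t caller_sizeof)
{
    return caller_sizeof >= sizeof(struct rel_info_new);
}

int main(void)
{
    size_t stale = extension_alloc_size();
    size_t fresh = sizeof(struct rel_info_new);

    printf("old sizeof=%zu new sizeof=%zu\n", stale, fresh);
    printf("stale build: %zu byte(s) out of bounds, guard: %s\n",
           bytes_past_allocation(stale),
           abi_size_ok(stale) ? "ok" : "rebuild required");
    printf("rebuilt:     %zu byte(s) out of bounds, guard: %s\n",
           bytes_past_allocation(fresh),
           abi_size_ok(fresh) ? "ok" : "rebuild required");
    return 0;
}
```

Rebuilding the extension against the updated definition, the mitigation
given in the announcement, is what moves it from the first case to the
second.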