==========================================================================
Ubuntu Security Notice USN-6656-1
February 26, 2024
postgresql-12, postgresql-14, postgresql-15 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
PostgreSQL could be made to run arbitrary SQL.
Software Description:
- postgresql-15: Object-relational SQL database
- postgresql-14: Object-relational SQL database
- postgresql-12: Object-relational SQL database
Details:
It was discovered that PostgreSQL incorrectly handled dropping privileges
when handling REFRESH MATERIALIZED VIEW CONCURRENTLY commands. If a user or
automatic system were tricked into running a specially crafted command, a
remote attacker could possibly use this issue to execute arbitrary SQL
functions.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
   postgresql-15                   15.6-0ubuntu0.23.10.1
   postgresql-client-15            15.6-0ubuntu0.23.10.1
Ubuntu 22.04 LTS:
   postgresql-14                   14.11-0ubuntu0.22.04.1
   postgresql-client-14            14.11-0ubuntu0.22.04.1
Ubuntu 20.04 LTS:
   postgresql-12                   12.18-0ubuntu0.20.04.1
   postgresql-client-12            12.18-0ubuntu0.20.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
References:
   https://ubuntu.com/security/notices/USN-6656-1
   CVE-2024-0985
Package Information:
   https://launchpad.net/ubuntu/+source/postgresql-15/15.6-0ubuntu0.23.10.1
   https://launchpad.net/ubuntu/+source/postgresql-14/14.11-0ubuntu0.22.04.1
   https://launchpad.net/ubuntu/+source/postgresql-12/12.18-0ubuntu0.20.04.1