USN-5038-1: PostgreSQL vulnerabilities

Releases

• Ubuntu 21.04
• Ubuntu 20.04 LTS
• Ubuntu 18.04 ESM

Packages

• postgresql-10 - Object-relational SQL database
• postgresql-12 - Object-relational SQL database
• postgresql-13 - Object-relational SQL database

Details

It was discovered that the PostgresQL planner could create incorrect plans
in certain circumstances. A remote attacker could use this issue to cause
PostgreSQL to crash, resulting in a denial of service, or possibly obtain
sensitive information from memory. This issue only affected Ubuntu 20.04
LTS and Ubuntu 21.04. (CVE-2021-3677)

It was discovered that PostgreSQL incorrectly handled certain SSL
renegotiation ClientHello messages from clients. A remote attacker could
possibly use this issue to cause PostgreSQL to crash, resulting in a denial
of service. (CVE-2021-3449)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 21.04

• postgresql-13 - 13.4-0ubuntu0.21.04.1

Ubuntu 20.04

• postgresql-12 - 12.8-0ubuntu0.20.04.1

Ubuntu 18.04

• postgresql-10 - 10.18-0ubuntu0.18.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.

References

• CVE-2021-3449
• CVE-2021-3677

Related notices

• USN-4891-1: openssl, libssl-doc, libssl1.1-udeb, libssl-dev, libcrypto1.1-udeb, libssl1.1