CVE-2023-39418

NameCVE-2023-39418
DescriptionA vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5553-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
postgresql-11 (PTS)buster11.16-0+deb10u1fixed
buster (security)11.22-0+deb10u1fixed
postgresql-13 (PTS)bullseye13.13-0+deb11u1fixed
bullseye (security)13.14-0+deb11u1fixed
postgresql-15 (PTS)bookworm15.5-0+deb12u1fixed
bookworm (security)15.6-0+deb12u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
postgresql-11source(unstable)(not affected)
postgresql-13source(unstable)(not affected)
postgresql-15sourcebookworm15.5-0+deb12u1DSA-5553-1
postgresql-15source(unstable)15.4-1

Notes

- postgresql-13 <not-affected> (Only affects 15.x)
- postgresql-11 <not-affected> (Only affects 15.x)
https://www.postgresql.org/support/security/CVE-2023-39418/
https://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cb2ae5741f2458a474ed3c31458d242e678ff229 (REL_15_4)

Search for package or bug name: Reporting problems