FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2025-02-02 08:34:31 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
3831292b-a29d-11ef-af48-6cc21735f730	PostgreSQL -- PostgreSQL row security below e.g. subqueries disregards user ID changes PostgreSQL project reports: Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Discovery 2024-11-14 Entry 2024-11-14 postgresql17-server < 17.1 postgresql16-server < 16.5 postgresql15-server < 15.9 postgresql14-server < 14.14 postgresql13-server < 13.17 postgresql12-server < 12.21 CVE-2024-10976 https://www.postgresql.org/support/security/CVE-2024-10976/

VuXML ID

Description

3831292b-a29d-11ef-af48-6cc21735f730

PostgreSQL -- PostgreSQL row security below e.g. subqueries disregards user ID changes

PostgreSQL project reports:

Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies.

Discovery 2024-11-14
Entry 2024-11-14
postgresql17-server

< 17.1

postgresql16-server

< 16.5

postgresql15-server

< 15.9

postgresql14-server

< 14.14

postgresql13-server

< 13.17

postgresql12-server

< 12.21

CVE-2024-10976
https://www.postgresql.org/support/security/CVE-2024-10976/