CVE-2020-1720

NameCVE-2020-1720
DescriptionA flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2105-1, DSA-4622-1, DSA-4623-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
postgresql-11 (PTS)buster, buster (lts)11.22-0+deb10u3fixed
buster (security)11.22-0+deb10u2fixed
postgresql-9.4 (PTS)jessie, jessie (lts)9.4.26-0+deb8u10fixed
postgresql-9.6 (PTS)stretch (security)9.6.24-0+deb9u1fixed
stretch (lts), stretch9.6.24-0+deb9u7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
postgresql-11sourcebuster11.7-0+deb10u1DSA-4623-1
postgresql-11source(unstable)(unfixed)
postgresql-12source(unstable)12.2-1
postgresql-9.4sourcewheezy(unfixed)end-of-life
postgresql-9.4sourcejessie9.4.26-0+deb8u1DLA-2105-1
postgresql-9.4source(unstable)(unfixed)
postgresql-9.6sourcestretch9.6.17-0+deb9u1DSA-4622-1
postgresql-9.6source(unstable)(unfixed)

Notes

https://www.postgresql.org/about/news/2011/
Fixed in 12.2, 11.7, 10.12, 9.6.17, 9.5.21, and 9.4.26
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=b048f558dd7c26a0c630a2cff29d3d8981eaf6b9

Search for package or bug name: Reporting problems