Related CVEs: CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027
Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. Depending on the conditions, an attacker could complete a man-in-the-middle attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when it connects to a rogue server, or corrupt server memory.
CVE-2020-25694: If a client application that creates additional database connections only reuses the basic connection parameters (host, port, user, database) while dropping security-relevant parameters such as sslmode, sslrootcert, requirepeer or channel_binding, the additional connections can be established with weaker protection than the original. This creates an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions.
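The following is an added illustration, not code from PostgreSQL or from the Debian packages: it shows the unsafe "basic parameters only" reconnect pattern next to a hardened variant that carries every libpq security parameter over to the derived connection and refuses to proceed if one would be dropped or altered. The DSN parser handles libpq's keyword=value form only (not the postgresql:// URI form); the sample connection string is constructed for the demonstration, and the function names are my own.

```python
import re
from typing import Dict, List

# libpq parameters that select or enforce transport security and server
# identity. Dropping any of them when a second connection is derived from
# the first is the downgrade described for CVE-2020-25694.
SECURITY_PARAMS = frozenset({
    "sslmode", "sslrootcert", "sslcert", "sslkey", "sslcrl",
    "requirepeer", "channel_binding", "gssencmode", "krbsrvname",
})

# Parameters that only locate the server and user; a reconnect that copies
# just these is the unsafe "basic parameters only" pattern.
BASIC_PARAMS = frozenset({"host", "hostaddr", "port", "dbname", "user"})

# keyword=value pairs; libpq allows whitespace around '=' and single-quoted
# values in which \' and \\ are escapes.
_KV = re.compile(r"(\w+)\s*=\s*('(?:[^'\\]|\\.)*'|[^\s']+)")


def parse_dsn(dsn: str) -> Dict[str, str]:
    """Parse a libpq keyword=value connection string (URI form not handled)."""
    params: Dict[str, str] = {}
    for m in _KV.finditer(dsn):
        key, raw = m.group(1), m.group(2)
        if raw.startswith("'"):  # strip quotes and undo backslash escapes
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        params[key] = raw
    return params


def format_dsn(params: Dict[str, str]) -> str:
    """Serialise back to keyword=value form, quoting where libpq needs it."""
    parts = []
    for key, value in params.items():
        if value == "" or re.search(r"[\s'\\]", value):
            value = "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
        parts.append(f"{key}={value}")
    return " ".join(parts)


def downgrades(primary: Dict[str, str], derived: Dict[str, str]) -> List[str]:
    """Security parameters set on the primary but missing or changed on the derived DSN."""
    return sorted(
        k for k in SECURITY_PARAMS
        if k in primary and derived.get(k) != primary[k]
    )


def naive_reconnect_dsn(primary: Dict[str, str], dbname: str) -> str:
    """The vulnerable pattern: copy only host/port/user and switch database.
    Every TLS, certificate and channel-binding setting is silently lost."""
    basic = {k: v for k, v in primary.items() if k in BASIC_PARAMS}
    basic["dbname"] = dbname
    return format_dsn(basic)


def derive_dsn(primary: Dict[str, str], overrides: Dict[str, str]) -> str:
    """Hardened pattern: start from the full primary parameter set, apply the
    overrides, and refuse if any security parameter ends up dropped or altered."""
    derived = dict(primary)
    derived.update(overrides)
    lost = downgrades(primary, derived)
    if lost:
        raise ValueError(f"refusing to downgrade connection security: {lost}")
    return format_dsn(derived)


if __name__ == "__main__":
    # Constructed sample: a backup job's primary connection with full
    # certificate verification and channel binding.
    primary = parse_dsn(
        "host=db.example.org port=5432 user=backup dbname=app "
        "sslmode=verify-full sslrootcert='/etc/ssl/certs/pg root.crt' "
        "channel_binding=require"
    )
    naive = naive_reconnect_dsn(primary, "other")
    print("naive reconnect:", naive)
    print("security parameters lost:", downgrades(primary, parse_dsn(naive)))
    print("safe reconnect: ", derive_dsn(primary, {"dbname": "other"}))
```

The same check applies to any tool that fans out from one authenticated connection (a dump of every database, a foreign-data wrapper, a connection pool): compare the derived DSN against the original before use, rather than assuming the defaults are safe.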
CVE-2020-25695: An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser, typically when autovacuum or a superuser's maintenance operation later processes those objects.
CVE-2020-25696: If an interactive psql session uses \gset when querying a compromised server, the server can return result columns whose names set psql's specially treated variables, and the attacker can execute arbitrary code as the operating system account running psql.
CVE-2021-32027: While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory.
For Debian 8 jessie, these problems have been fixed in version 9.4.26-0+deb8u4.
We recommend that you upgrade your postgresql-9.4 packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/