
A postgresql-13 security update has been released for Debian GNU/Linux 11 to address several vulnerabilities.

[SECURITY] [DSA 5554-1] postgresql-13 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-5554-1 Salvatore Bonaccorso
November 13, 2023
-------------------------------------------------------------------------

Package : postgresql-13
CVE ID : CVE-2023-5868 CVE-2023-5869 CVE-2023-5870 CVE-2023-39417

Several vulnerabilities have been discovered in the PostgreSQL
database system.

CVE-2023-5868

Jingzhou Fu discovered a memory disclosure flaw in aggregate
function calls.

CVE-2023-5869

Pedro Gallegos reported integer overflow flaws resulting in buffer
overflows in the array modification functions.

CVE-2023-5870

Hemanth Sandrana and Mahendrakar Srinivasarao reported that the
pg_cancel_backend role can signal certain superuser processes,
potentially resulting in denial of service.

CVE-2023-39417

Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg
reported that an extension script using @substitutions@ within
quoting may allow an attacker with database-level CREATE privileges
to perform SQL injection.

For the oldstable distribution (bullseye), these problems have been
fixed in version 13.13-0+deb11u1.

We recommend that you upgrade your postgresql-13 packages.

For the detailed security status of postgresql-13 please refer to its
security tracker page at:

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: