Stay Informed

This week, read about:

Key Security, Maintenance, and Features Releases

Security Updates

PostgreSQL 14.3, 13.7 and 12.11
14.3
Confine additional operations within “security restricted operation” sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW, and pg_amcheck activated the “security restricted operation” protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2022-1552)
Fix default signature length for gist_ltree_ops indexes (Tomas Vondra, Alexander Korotkov)
The default signature length (hash size) for GiST indexes on ltree columns was accidentally changed while upgrading that operator class to support operator class parameters. If any operations had been done on such an index without first upgrading the ltree extension to version 1.2, they were done assuming that the signature length was 28 bytes rather than the intended 8. This means it is very likely that such indexes are now corrupt. For safety we recommend re-indexing all GiST indexes on ltree columns after installing this update. (Note that GiST indexes on ltree[] columns, that is arrays of ltree, are not affected.)
13.7
Confine additional operations within “security restricted operation” sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW, and pg_amcheck activated the “security restricted operation” protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2022-1552)
Fix default signature length for gist_ltree_ops indexes (Tomas Vondra, Alexander Korotkov)
The default signature length (hash size) for GiST indexes on ltree columns was accidentally changed while upgrading that operator class to support operator class parameters. If any operations had been done on such an index without first upgrading the ltree extension to version 1.2, they were done assuming that the signature length was 28 bytes rather than the intended 8. This means it is very likely that such indexes are now corrupt. For safety we recommend re-indexing all GiST indexes on ltree columns after installing this update. (Note that GiST indexes on ltree[] columns, that is arrays of ltree, are not affected.)
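A practical follow-up to the re-indexing advice above, written here as an added example rather than taken from the PostgreSQL release notes: on 13.7 or 14.3, bring the ltree extension to 1.2 and then generate a REINDEX for every GiST index that uses the affected gist_ltree_ops operator class. It assumes the ltree extension is installed in the database you are connected to and that the server already runs the fixed minor release.

```sql
-- Step 1: confirm the extension version and move it to the current
-- release's default (1.2 on 13.x/14.x). ALTER EXTENSION ... UPDATE
-- only emits a NOTICE if it is already current, so it is safe to rerun.
SELECT extname, extversion FROM pg_extension WHERE extname = 'ltree';
ALTER EXTENSION ltree UPDATE;

-- Step 2: emit one REINDEX per affected index. The opclass name is
-- matched exactly, so gist__ltree_ops (the opclass for ltree[] columns,
-- which the notes say is not affected) is deliberately excluded.
SELECT format('REINDEX INDEX CONCURRENTLY %I.%I;', n.nspname, c.relname)
         AS reindex_cmd,
       t.relname AS table_name
FROM   pg_index     i
JOIN   pg_class     c  ON c.oid  = i.indexrelid
JOIN   pg_class     t  ON t.oid  = i.indrelid
JOIN   pg_namespace n  ON n.oid  = c.relnamespace
JOIN   pg_am        am ON am.oid = c.relam
WHERE  am.amname = 'gist'
  AND  EXISTS (
         -- indclass is an oidvector; cast so unnest() accepts it
         SELECT 1
         FROM   unnest(i.indclass::oid[]) AS k(opclass_oid)
         JOIN   pg_opclass oc ON oc.oid = k.opclass_oid
         WHERE  oc.opcname = 'gist_ltree_ops'
       )
ORDER  BY n.nspname, c.relname;

-- Step 3: execute the generated statements. In psql, run the query
-- above followed by \gexec; elsewhere, paste them into a maintenance job.
```

REINDEX CONCURRENTLY avoids taking a write lock on the table while the corrupt index is rebuilt, which matters on a live system.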
12.11
Confine additional operations within “security restricted operation” sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW, and pg_amcheck activated the “security restricted operation” protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2022-1552)
Stop using query-provided column aliases for the columns of whole-row variables that refer to plain tables (Tom Lane)
The column names in tuples produced by a whole-row variable (such as tbl.* in contexts other than the top level of a SELECT list) are now always those of the associated named composite type, if there is one. We'd previously attempted to make them track any column aliases that had been applied to the FROM entry the variable refers to. But that's semantically dubious, because really then the output of the variable is not at all of the composite type it claims to be. Previous attempts to deal with that inconsistency had bad results up to and including storing unreadable data on disk, so just give up on the whole idea.
In cases where it's important to be able to relabel such columns, a workaround is to introduce an extra level of sub-SELECT, so that the whole-row variable is referring to the sub-SELECT's output and not to a plain table. Then the variable is of type record to begin with and there's no issue.
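The aliasing change and the sub-SELECT workaround described above, shown on a constructed table (an added example, not part of the release notes):

```sql
-- Constructed table for the illustration.
CREATE TEMP TABLE t (a int, b int);
INSERT INTO t VALUES (1, 2);

-- A whole-row variable that refers directly to a plain table: after this
-- fix the row's column names are those of t's own composite type (a, b),
-- and the FROM-clause aliases c1, c2 are ignored for the row's columns.
SELECT row_to_json(x) FROM t AS x(c1, c2);

-- The workaround from the notes: an extra level of sub-SELECT makes x a
-- plain record whose column names are the aliases, so row_to_json(x)
-- carries c1 and c2 as intended.
SELECT row_to_json(x) FROM (SELECT a, b FROM t) AS x(c1, c2);
```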

Non-Security Updates

Apache Kafka 3.1.1
[KAFKA-13583] - Fix FetchRequestBetweenDifferentIbpTest flaky tests
[KAFKA-13585] - Fix `kafka.server.ReplicaManagerTest.testReplicaAlterLogDirsWithAndWithoutIds` flaky test
[KAFKA-13637] - Use default.api.timeout.ms config as default timeout for KafkaConsumer.endOffsets
[KAFKA-13673] - disable idempotent producer when acks/retries/max.in.flight config conflicts

Apache Tomcat 9.0.63 and 10.0.21
10.0.21
Fix:  65736: Disable the forceString option for the JNDI BeanFactory and replace it with an automatic search for an alternative setter with the same name that accepts a String. This is a security hardening measure. (markt)
Code:  65853: Refactor the CsrfPreventionFilter to make it easier for sub-classes to modify the nonce generation and storage. Based on suggestions by Marvin Fröhlich. (markt)
Fix:  65991: Avoid NPE with SSLAuthenticator when boundOnInit is used on a connector, during the check for client certificate authentication availability. (remm)
Fix:  66009: Use getSubjectX500Principal().toString() rather than getSubjectX500Principal().getName(...) to retrieve a certificate DN, to match the output of the deprecated getSubjectDN().getName() that was used previously. (remm)
9.0.63
Fix:  65736: Disable the forceString option for the JNDI BeanFactory and replace it with an automatic search for an alternative setter with the same name that accepts a String. This is a security hardening measure. (markt)
Code:  65853: Refactor the CsrfPreventionFilter to make it easier for sub-classes to modify the nonce generation and storage. Based on suggestions by Marvin Fröhlich. (markt)
Fix:  65991: Avoid NPE with SSLAuthenticator when boundOnInit is used on a connector, during the check for client certificate authentication availability. (remm)
Fix:  66009: Use getSubjectX500Principal().toString() rather than getSubjectX500Principal().getName(...) to retrieve a certificate DN, to match the output of the deprecated getSubjectDN().getName() that was used previously. (remm)

Kubernetes 1.24.0
Full changelog for this version can be found here: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1230

Rocky Linux 8.6
New system roles
High availability (HA) cluster system role: This role helps create and manage secure, stable HA clusters. It also enables better control when managing multiple clusters.
Enhanced network system role: This role helps users create secure connections (including over Wi-Fi) along with robust firewall rules.
WebConsole role: This role automates the installation and configuration of the Rocky Linux web console, including installing the web console package, starting and enabling the web console, and configuring its settings.
