oss-sec mailing list archives
Re: CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection
From: James Addison <james () reciperadar com>
Date: Sun, 16 Feb 2025 18:22:30 +0000
On Sun, Feb 16, 2025 at 4:22 PM Solar Designer <solar () openwall com> wrote:
Hi, As announced on February 13 in: https://www.postgresql.org/about/news/postgresql-173-167-1511-1416-and-1319-released-3015/ https://www.postgresql.org/message-id/173945575457.197393.6175786842655230205%40wrigleys.postgresql.orgThe PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 17.3, 16.7, 15.11, 14.16, and 13.19. This release fixes 1 security vulnerability and over 70 bugs reported over the last several months. [ ... snip ... ]
For anyone considering upgrading: please note also that the fix for this vulnerability introduced a regression[1] that should be addressed by subsequent upcoming releases of PostgreSQL on Thursday 2025-02-20 (a few days from now). [1] - https://www.postgresql.org/message-id/272abbd9-d24c-49f1-8b61-83721906aa3b () postgresql org
Current thread:
- CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection Solar Designer (Feb 16)
- Re: CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection James Addison (Feb 16)