ALAS2-2025-2866

Amazon Linux 2 Security Advisory: ALAS2-2025-2866
Advisory Released Date: 2025-05-29
Advisory Updated Date: 2025-05-29
Severity: Important
Issue Overview:

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected. (CVE-2025-1094)


Affected Packages:

postgresql


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update postgresql to update your system.

New Packages:
aarch64:
    postgresql-9.2.24-8.amzn2.0.6.aarch64
    postgresql-libs-9.2.24-8.amzn2.0.6.aarch64
    postgresql-server-9.2.24-8.amzn2.0.6.aarch64
    postgresql-docs-9.2.24-8.amzn2.0.6.aarch64
    postgresql-contrib-9.2.24-8.amzn2.0.6.aarch64
    postgresql-devel-9.2.24-8.amzn2.0.6.aarch64
    postgresql-static-9.2.24-8.amzn2.0.6.aarch64
    postgresql-upgrade-9.2.24-8.amzn2.0.6.aarch64
    postgresql-plperl-9.2.24-8.amzn2.0.6.aarch64
    postgresql-plpython-9.2.24-8.amzn2.0.6.aarch64
    postgresql-pltcl-9.2.24-8.amzn2.0.6.aarch64
    postgresql-test-9.2.24-8.amzn2.0.6.aarch64
    postgresql-debuginfo-9.2.24-8.amzn2.0.6.aarch64

i686:
    postgresql-9.2.24-8.amzn2.0.6.i686
    postgresql-libs-9.2.24-8.amzn2.0.6.i686
    postgresql-server-9.2.24-8.amzn2.0.6.i686
    postgresql-docs-9.2.24-8.amzn2.0.6.i686
    postgresql-contrib-9.2.24-8.amzn2.0.6.i686
    postgresql-devel-9.2.24-8.amzn2.0.6.i686
    postgresql-static-9.2.24-8.amzn2.0.6.i686
    postgresql-upgrade-9.2.24-8.amzn2.0.6.i686
    postgresql-plperl-9.2.24-8.amzn2.0.6.i686
    postgresql-plpython-9.2.24-8.amzn2.0.6.i686
    postgresql-pltcl-9.2.24-8.amzn2.0.6.i686
    postgresql-test-9.2.24-8.amzn2.0.6.i686
    postgresql-debuginfo-9.2.24-8.amzn2.0.6.i686

src:
    postgresql-9.2.24-8.amzn2.0.6.src

x86_64:
    postgresql-9.2.24-8.amzn2.0.6.x86_64
    postgresql-libs-9.2.24-8.amzn2.0.6.x86_64
    postgresql-server-9.2.24-8.amzn2.0.6.x86_64
    postgresql-docs-9.2.24-8.amzn2.0.6.x86_64
    postgresql-contrib-9.2.24-8.amzn2.0.6.x86_64
    postgresql-devel-9.2.24-8.amzn2.0.6.x86_64
    postgresql-static-9.2.24-8.amzn2.0.6.x86_64
    postgresql-upgrade-9.2.24-8.amzn2.0.6.x86_64
    postgresql-plperl-9.2.24-8.amzn2.0.6.x86_64
    postgresql-plpython-9.2.24-8.amzn2.0.6.x86_64
    postgresql-pltcl-9.2.24-8.amzn2.0.6.x86_64
    postgresql-test-9.2.24-8.amzn2.0.6.x86_64
    postgresql-debuginfo-9.2.24-8.amzn2.0.6.x86_64

Additional References

Release Notes:  Amazon Linux 2 Release Notes

Red Hat: CVE-2025-1094

Mitre: CVE-2025-1094