ALAS2POSTGRESQL13-2025-010

Amazon Linux 2 Security Advisory: ALAS2POSTGRESQL13-2025-010
Advisory Released Date: 2025-03-06
Advisory Updated Date: 2025-03-06

Severity: Important

References: CVE-2025-1094
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected. (CVE-2025-1094)

Affected Packages:

libpq

Note:

This advisory is applicable to Amazon Linux 2 - Postgresql13 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update libpq to update your system.

New Packages:

aarch64:
    libpq-13.20-1.amzn2.0.1.aarch64
    libpq-devel-13.20-1.amzn2.0.1.aarch64
    libpq-debuginfo-13.20-1.amzn2.0.1.aarch64

i686:
    libpq-13.20-1.amzn2.0.1.i686
    libpq-devel-13.20-1.amzn2.0.1.i686
    libpq-debuginfo-13.20-1.amzn2.0.1.i686

src:
    libpq-13.20-1.amzn2.0.1.src

x86_64:
    libpq-13.20-1.amzn2.0.1.x86_64
    libpq-devel-13.20-1.amzn2.0.1.x86_64
    libpq-debuginfo-13.20-1.amzn2.0.1.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2025-1094

Mitre: CVE-2025-1094