ALAS2POSTGRESQL13-2025-012

Amazon Linux 2 Security Advisory: ALAS2POSTGRESQL13-2025-012
Advisory Released Date: 2025-09-04
Advisory Updated Date: 2025-09-04

Severity: Important

References: CVE-2025-8713 CVE-2025-8714 CVE-2025-8715
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user could craft a leaky operator that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table inheritance hierarchies. Reachable statistics data notably included histograms and most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. (CVE-2025-8713)

Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. (CVE-2025-8714)

Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it. (CVE-2025-8715)

Affected Packages:

postgresql

Note:

This advisory is applicable to Amazon Linux 2 - Postgresql13 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update postgresql or yum update --advisory ALAS2POSTGRESQL13-2025-012 to update your system.

New Packages:

aarch64:
    postgresql-13.22-1.amzn2.0.1.aarch64
    postgresql-private-libs-13.22-1.amzn2.0.1.aarch64
    postgresql-private-devel-13.22-1.amzn2.0.1.aarch64
    postgresql-server-13.22-1.amzn2.0.1.aarch64
    postgresql-docs-13.22-1.amzn2.0.1.aarch64
    postgresql-contrib-13.22-1.amzn2.0.1.aarch64
    postgresql-server-devel-13.22-1.amzn2.0.1.aarch64
    postgresql-static-13.22-1.amzn2.0.1.aarch64
    postgresql-upgrade-13.22-1.amzn2.0.1.aarch64
    postgresql-upgrade-devel-13.22-1.amzn2.0.1.aarch64
    postgresql-plperl-13.22-1.amzn2.0.1.aarch64
    postgresql-plpython3-13.22-1.amzn2.0.1.aarch64
    postgresql-pltcl-13.22-1.amzn2.0.1.aarch64
    postgresql-test-13.22-1.amzn2.0.1.aarch64
    postgresql-llvmjit-13.22-1.amzn2.0.1.aarch64
    postgresql-debuginfo-13.22-1.amzn2.0.1.aarch64

i686:
    postgresql-13.22-1.amzn2.0.1.i686
    postgresql-private-libs-13.22-1.amzn2.0.1.i686
    postgresql-private-devel-13.22-1.amzn2.0.1.i686
    postgresql-server-13.22-1.amzn2.0.1.i686
    postgresql-docs-13.22-1.amzn2.0.1.i686
    postgresql-contrib-13.22-1.amzn2.0.1.i686
    postgresql-server-devel-13.22-1.amzn2.0.1.i686
    postgresql-static-13.22-1.amzn2.0.1.i686
    postgresql-upgrade-13.22-1.amzn2.0.1.i686
    postgresql-upgrade-devel-13.22-1.amzn2.0.1.i686
    postgresql-plperl-13.22-1.amzn2.0.1.i686
    postgresql-plpython3-13.22-1.amzn2.0.1.i686
    postgresql-pltcl-13.22-1.amzn2.0.1.i686
    postgresql-test-13.22-1.amzn2.0.1.i686
    postgresql-llvmjit-13.22-1.amzn2.0.1.i686
    postgresql-debuginfo-13.22-1.amzn2.0.1.i686

noarch:
    postgresql-test-rpm-macros-13.22-1.amzn2.0.1.noarch

src:
    postgresql-13.22-1.amzn2.0.1.src

x86_64:
    postgresql-13.22-1.amzn2.0.1.x86_64
    postgresql-private-libs-13.22-1.amzn2.0.1.x86_64
    postgresql-private-devel-13.22-1.amzn2.0.1.x86_64
    postgresql-server-13.22-1.amzn2.0.1.x86_64
    postgresql-docs-13.22-1.amzn2.0.1.x86_64
    postgresql-contrib-13.22-1.amzn2.0.1.x86_64
    postgresql-server-devel-13.22-1.amzn2.0.1.x86_64
    postgresql-static-13.22-1.amzn2.0.1.x86_64
    postgresql-upgrade-13.22-1.amzn2.0.1.x86_64
    postgresql-upgrade-devel-13.22-1.amzn2.0.1.x86_64
    postgresql-plperl-13.22-1.amzn2.0.1.x86_64
    postgresql-plpython3-13.22-1.amzn2.0.1.x86_64
    postgresql-pltcl-13.22-1.amzn2.0.1.x86_64
    postgresql-test-13.22-1.amzn2.0.1.x86_64
    postgresql-llvmjit-13.22-1.amzn2.0.1.x86_64
    postgresql-debuginfo-13.22-1.amzn2.0.1.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2025-8713, CVE-2025-8714, CVE-2025-8715

Mitre: CVE-2025-8713, CVE-2025-8714, CVE-2025-8715