This post summarizes a DB minor patch performed to resolve a vulnerability.
The OS is Red Hat 9, and the work was done with dnf (yum).
The vulnerability is CVE-2025-1094: under certain conditions SQL injection can occur, and the fix is to upgrade to the latest release.
https://www.postgresql.org/support/security/CVE-2025-1094/
PostgreSQL: CVE-2025-1094: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation
Fix version (the latest version, released on February 13, 2025)
A minor patch only needs the engine binaries reinstalled, so it is simple.
The patch steps are:
1) Stop the DB
2) Back up the existing engine
3) Update with dnf
4) Start the DB
5) Verify
1) Stop the DB
First confirm that the current version is 16.6.
# su - postgres
Last login: Wed Feb 19 00:40:06 UTC 2025 on pts/0
[postgres@ip-172-31-45-50 ~]$ psql
psql (16.6)
Type "help" for help.
postgres=# select version();
version
----------------------------------------------------------------------------------------------------------
PostgreSQL 16.6 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 11.5.0 20240719 (Red Hat 11.5.0-2), 64-bit
(1 row)
Stop the DB.
[Run as root]
# systemctl stop postgresql-16
# ps -ef |grep postgres
root 6456 4074 0 01:06 pts/0 00:00:00 grep --color=auto postgres
2) Back up the existing engine
The engine lives under /usr, in the directory whose name starts with pgsql-.
# cd /usr
# mv pgsql-16 pgsql-16_250219
# ls
bin games include lib lib64 libexec local pgsql-16_250219 sbin share src tmp
3) Update with dnf
Before upgrading, list the versions available for the currently installed major version.
Confirm that 16.7 appears at the very end.
# dnf list --showduplicates postgresql16-server
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.
Last metadata expiration check: 0:24:51 ago on Wed 19 Feb 2025 12:38:25 AM UTC.
Installed Packages
postgresql16-server.x86_64 16.6-1PGDG.rhel9 @pgdg16
Available Packages
postgresql16-server.x86_64 16.0-1PGDG.rhel9 pgdg16
postgresql16-server.x86_64 16.1-1PGDG.rhel9 pgdg16
postgresql16-server.x86_64 16.1-2PGDG.rhel9 pgdg16
postgresql16-server.x86_64 16.2-1PGDG.rhel9 pgdg16
postgresql16-server.x86_64 16.3-1PGDG.rhel9 pgdg16
postgresql16-server.x86_64 16.4-1PGDG.rhel9 pgdg16
postgresql16-server.x86_64 16.5-1PGDG.rhel9 pgdg16
postgresql16-server.x86_64 16.6-1PGDG.rhel9 pgdg16
postgresql16-server.x86_64 16.7-1PGDG.rhel9
Install the 16.7 engine with the dnf install command.
# dnf install -y postgresql16-server-16.7-1PGDG.rhel9
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.
Last metadata expiration check: 0:30:58 ago on Wed 19 Feb 2025 12:38:25 AM UTC.
Dependencies resolved.
=========================================================================================================================
Package Architecture Version Repository Size
=========================================================================================================================
Upgrading:
postgresql16 x86_64 16.7-1PGDG.rhel9 pgdg16 1.8 M
postgresql16-libs x86_64 16.7-1PGDG.rhel9 pgdg16 334 k
postgresql16-server x86_64 16.7-1PGDG.rhel9 pgdg16 6.8 M
Transaction Summary
=========================================================================================================================
Upgrade 3 Packages
Total download size: 8.9 M
Downloading Packages:
(1/3): postgresql16-libs-16.7-1PGDG.rhel9.x86_64.rpm 172 kB/s | 334 kB 00:01
(2/3): postgresql16-16.7-1PGDG.rhel9.x86_64.rpm 581 kB/s | 1.8 MB 00:03
(3/3): postgresql16-server-16.7-1PGDG.rhel9.x86_64.rpm 1.6 MB/s | 6.8 MB 00:04
-------------------------------------------------------------------------------------------------------------------------
Total 2.1 MB/s | 8.9 MB 00:04
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Upgrading : postgresql16-libs-16.7-1PGDG.rhel9.x86_64 1/6
Running scriptlet: postgresql16-libs-16.7-1PGDG.rhel9.x86_64 1/6
Upgrading : postgresql16-16.7-1PGDG.rhel9.x86_64 2/6
Running scriptlet: postgresql16-16.7-1PGDG.rhel9.x86_64 2/6
Running scriptlet: postgresql16-server-16.7-1PGDG.rhel9.x86_64 3/6
Upgrading : postgresql16-server-16.7-1PGDG.rhel9.x86_64 3/6
Running scriptlet: postgresql16-server-16.7-1PGDG.rhel9.x86_64 3/6
Running scriptlet: postgresql16-server-16.6-1PGDG.rhel9.x86_64 4/6
Cleanup : postgresql16-server-16.6-1PGDG.rhel9.x86_64 4/6
Running scriptlet: postgresql16-server-16.6-1PGDG.rhel9.x86_64 4/6
Cleanup : postgresql16-16.6-1PGDG.rhel9.x86_64 5/6
Running scriptlet: postgresql16-16.6-1PGDG.rhel9.x86_64 5/6
Cleanup : postgresql16-libs-16.6-1PGDG.rhel9.x86_64 6/6
Running scriptlet: postgresql16-libs-16.6-1PGDG.rhel9.x86_64 6/6
Verifying : postgresql16-16.7-1PGDG.rhel9.x86_64 1/6
Verifying : postgresql16-16.6-1PGDG.rhel9.x86_64 2/6
Verifying : postgresql16-libs-16.7-1PGDG.rhel9.x86_64 3/6
Verifying : postgresql16-libs-16.6-1PGDG.rhel9.x86_64 4/6
Verifying : postgresql16-server-16.7-1PGDG.rhel9.x86_64 5/6
Verifying : postgresql16-server-16.6-1PGDG.rhel9.x86_64 6/6
Installed products updated.
Upgraded:
postgresql16-16.7-1PGDG.rhel9.x86_64 postgresql16-libs-16.7-1PGDG.rhel9.x86_64
postgresql16-server-16.7-1PGDG.rhel9.x86_64
Complete!
4) Start the DB
# systemctl start postgresql-16
# ps -ef |grep postgres
postgres 6671 1 0 01:09 ? 00:00:00 /usr/pgsql-16/bin/postgres -D /var/lib/pgsql/16/data/
postgres 6672 6671 0 01:09 ? 00:00:00 postgres: logger
postgres 6673 6671 0 01:09 ? 00:00:00 postgres: checkpointer
postgres 6674 6671 0 01:09 ? 00:00:00 postgres: background writer
postgres 6676 6671 0 01:09 ? 00:00:00 postgres: walwriter
postgres 6677 6671 0 01:09 ? 00:00:00 postgres: autovacuum launcher
postgres 6678 6671 0 01:09 ? 00:00:00 postgres: logical replication launcher
root 6682 4074 0 01:10 pts/0 00:00:00 grep --color=auto postgres
5) Verify
# su - postgres
Last login: Wed Feb 19 01:06:26 UTC 2025 on pts/0
$ psql
psql (16.7)
Type "help" for help.
postgres=# select version();
version
----------------------------------------------------------------------------------------------------------
PostgreSQL 16.7 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 11.5.0 20240719 (Red Hat 11.5.0-2), 64-bit
(1 row)
Confirmed that the version was upgraded to 16.7 without issue.
Since installing the engine for this DB is not complicated, a minor patch can be done quickly.
Thank you.
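As an added example (my own script, not part of the original post), here is a small POSIX shell check that turns the before/after version checks in steps 1 and 5 into a repeatable test: it parses the output of select version(), the psql banner, or psql --version and reports whether the server is still below the fix release. It goes beyond the post in one respect: it carries the fixed minor versions for every supported major line as listed in the advisory linked above (17.3, 16.7, 15.11, 14.16, 13.20), not only the 16.7 the post shows. The function names and the sample version strings are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: classify a PostgreSQL server
# version string against the CVE-2025-1094 fix releases.
# Fixed minor versions taken from the advisory linked above (the post itself
# only shows 16.7): 17.3, 16.7, 15.11, 14.16, 13.20.
# Major lines older than 13 are end-of-life and receive no fix, so they are
# reported as UNKNOWN rather than OK.

# Print the fixed minor version for a major line, or nothing if no fix exists.
fixed_minor_for_major() {
    case "$1" in
        17) echo 3 ;;
        16) echo 7 ;;
        15) echo 11 ;;
        14) echo 16 ;;
        13) echo 20 ;;
        *)  echo "" ;;
    esac
}

# Pull "major.minor" out of the first dotted number in the string. Works on
# `select version()` ("PostgreSQL 16.6 on x86_64-pc-linux-gnu, ..."), on the
# psql banner ("psql (16.6)") and on `psql --version` ("psql (PostgreSQL) 16.6").
pg_version_number() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Echo PATCH when the server is below the fix release for its major line,
# OK when it is at or above it, UNKNOWN when the string cannot be parsed or
# the major line has no fix release.
pg_patch_status() {
    ver=$(pg_version_number "$1")
    if [ -z "$ver" ]; then
        echo UNKNOWN
        return
    fi
    major=${ver%%.*}
    minor=${ver#*.}
    fixed=$(fixed_minor_for_major "$major")
    if [ -z "$fixed" ]; then
        echo UNKNOWN
    elif [ "$minor" -lt "$fixed" ]; then
        echo PATCH
    else
        echo OK
    fi
}

# Stand-alone use: pass the version string as the first argument, e.g.
#   sh pg_cve_2025_1094_check.sh "$(psql -Atc 'select version()')"
# With no argument, run against constructed samples that mirror the post's
# before/after output (16.6 before the patch, 16.7 after).
if [ $# -gt 0 ]; then
    pg_patch_status "$1"
else
    for sample in \
        "PostgreSQL 16.6 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 11.5.0 20240719 (Red Hat 11.5.0-2), 64-bit" \
        "PostgreSQL 16.7 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 11.5.0 20240719 (Red Hat 11.5.0-2), 64-bit"
    do
        printf '%s -> %s\n' "$(pg_version_number "$sample")" "$(pg_patch_status "$sample")"
    done
fi
```

Run it as the postgres user against the live server with the psql -Atc call shown in the comment; a PATCH result before step 3 and an OK result after step 5 confirms the same thing the two select version() outputs above do, and the script can be dropped into a fleet-wide check so no host is missed.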