[CVE] Postgresql

romainr · Nov 6, 2023

Hello

Our security tool report that there is cve on postgresql despite that there is no update available on the proxmox mail gateway :

Code:

proxmox-mailgateway: 8.0.1
pmg-api: 8.0.7
pmg-gui: 4.0.2
pve-kernel-6.2: 8.0.5
proxmox-kernel-helper: 8.0.3
proxmox-kernel-6.2.16-19-pve: 6.2.16-19
proxmox-kernel-6.2: 6.2.16-19
proxmox-kernel-6.2.16-18-pve: 6.2.16-18
proxmox-kernel-6.2.16-12-pve: 6.2.16-12
pve-kernel-6.2.16-3-pve: 6.2.16-3
clamav-daemon: 1.0.3+dfsg-1~deb12u1
ifupdown2: 3.2.0-1+pmx5
libarchive-perl: 3.6.2
libjs-extjs: 7.0.0-4
libjs-framework7: 4.4.7-2
libproxmox-acme-perl: 1.4.6
libproxmox-acme-plugins: 1.4.6
libpve-apiclient-perl: 3.3.0
libpve-common-perl: 8.0.9
libpve-http-server-perl: 5.0.4
libxdgmime-perl: 1.1.0
lvm2: 2.03.16-2
pmg-docs: 8.0.1
pmg-i18n: 3.0.7
pmg-log-tracker: 2.4.1
proxmox-mini-journalreader: 1.4.0
proxmox-offline-mirror-helper: 0.6.2
proxmox-spamassassin: 4.0.0-4
proxmox-widget-toolkit: 4.0.9
pve-firmware: 3.8-3
pve-xtermjs: 4.16.0-3
zfsutils-linux: 2.1.13-pve1

Stoiko Ivanov · Nov 6, 2023

Seems Debian Bookworm has not provided an update for both yet:
https://security-tracker.debian.org/tracker/CVE-2023-39417

However from a quick glance -PMG neither uses the MERGE command (CVE-2023-39418) , nor does it install any extensions - and the only user it creates with CREATE database permissions is root (and if root is compromised ...the whole system is compromised).

So for the time being I think that there is no urgent need for an update on a regular PMG system.

I hope this helps!

Search

Search

[CVE] Postgresql

romainr

Member

Stoiko Ivanov

Proxmox Staff Member