Multiple vulnerabilities found in che-postgres image #19649

Closed
3 tasks
jenia90 opened this issue Apr 22, 2021 · 1 comment
Labels
  • area/che-operator: Issues and PRs related to Eclipse Che Kubernetes Operator
  • kind/bug: Outline of a bug - must adhere to the bug report template.
  • severity/P1: Has a major impact to usage or development of the system.
Milestone

Comments

jenia90 commented Apr 22, 2021

Describe the bug

As described in #19646 and following one of the recent community meetings, there are multiple vulnerabilities found in some of the images. Here's a list of vulnerabilities found in the postgres images:

  • Type: VULNERABILITY
    Name: RHSA-2020:3916
    CVSS Score v3: 9.8
    Severity: critical
    Description: An update for curl is now available for Red Hat Enterprise Linux 7.
    Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
    The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
    Security Fix(es):
      • curl: heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)
    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    Additional Changes:
    For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.
    This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
    curl: heap buffer overflow in function tftp_receive_packet(). Impacted Image File(s):
  • Type: VULNERABILITY
    Name: RHSA-2020:4076
    CVSS Score v3: 9.8
    Severity: critical
    Description: An update for nss, nss-softokn, nss-util, and nspr is now available for Red Hat Enterprise Linux 7.
    Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
    Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.
    Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.
    The following packages have been upgraded to a later upstream version: nss (3.53.1), nss-softokn (3.53.1), nss-util (3.53.1), nspr (4.25.0). (BZ#1804262, BZ#1804264, BZ#1804271, BZ#1804273)
    Security Fix(es):
      • nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)
      • nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)
      • nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)
      • nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)
      • nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function (CVE-2020-12400)
      • nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)
      • nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)
      • nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403)
      • nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)
      • nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)
    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    Bug Fix(es):
      • Memory leak: libcurl leaks 120 bytes on each connection (BZ#1688958)
      • NSS does not set downgrade sentinel in ServerHello.random for TLS 1.0 and TLS 1.1 (BZ#1712924)
      • Make TLS 1.3 work in FIPS mode (BZ#1724251)
      • Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name (BZ#1737910)
      • x25519 allowed in FIPS mode (BZ#1754518)
      • When NSS_SDB_USE_CACHE not set, after curl access https, dentry increase but never released - consider alternative algorithm for benchmarking ACCESS call in sdb_measureAccess (BZ#1779325)
      • Running ipa-backup continuously causes httpd to crash and makes it irrecoverable (BZ#1804015)
      • nss needs to comply to the new SP800-56A rev 3 requirements (BZ#1857308)
      • KDF-self-tests-induced changes for nss in RHEL 7.9 (BZ#1870885)
    This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
    nss: Out-of-bounds read when importing curve25519 private key
    nss: PKCS#1 v1.5 signatures can be used for TLS 1.3
    nss: Use-after-free in sftk_FreeSession due to improper refcounting
    nss: Check length of inputs for cryptographic primitives
    nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state
    nss: Side channel attack on ECDSA signature generation
    nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function
    nss: ECDSA timing attack mitigation bypass
    nss: Side channel vulnerabilities during RSA key generation
    nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read. Impacted Image File(s):
  • Type: VULNERABILITY
    Name: RHSA-2020:3978
    CVSS Score v3: 9.8
    Severity: critical
    Description: An update for glib2 and ibus is now available for Red Hat Enterprise Linux 7.
    Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
    GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures.
    The Intelligent Input Bus (IBus) is an input method framework for multilingual input in Unix-like operating systems.
    Security Fix(es):
      • glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress (CVE-2019-12450)
      • ibus: missing authorization allows local attacker to access the input bus of another user (CVE-2019-14822)
    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    Additional Changes:
    For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.
    This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
    glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress
    ibus: missing authorization allows local attacker to access the input bus of another user.
@jenia90 jenia90 added the kind/bug Outline of a bug - must adhere to the bug report template. label Apr 22, 2021
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Apr 22, 2021
@tolusha tolusha added severity/P1 Has a major impact to usage or development of the system. area/install Issues related to installation, including offline/air gap and initial setup labels Apr 22, 2021
@skabashnyuk skabashnyuk removed the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Apr 27, 2021
@tolusha tolusha added area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator and removed area/install Issues related to installation, including offline/air gap and initial setup labels Sep 21, 2021
@tolusha tolusha added this to the 7.37 milestone Sep 27, 2021
tolusha commented Sep 27, 2021

We moved to a new PostgreSQL 13.3 image
#20246

@tolusha tolusha closed this as completed Sep 27, 2021