=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN752
_____________________________________________________________________

DATE                : 30/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware Tanzu Greenplum,
                     VMware Tanzu for Postgres on Kubernetes,
                     VMware Tanzu for Postgres.

=====================================================================
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36277
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36282
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36283
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36284
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36281
_____________________________________________________________________

Product Release Advisory - VMware Tanzu Greenplum 7.6.0

Product/Component

VMware Tanzu Data Intelligence
VMware Tanzu Data Suite
VMware Tanzu Greenplum 


Notification Id
36277

Last Updated
29 October 2025

Initial Publication Date
29 October 2025

Status
CLOSED

Severity
CRITICAL

CVSS Base Score
9.3

WorkAround

Affected CVE

Security Advisory


Advisory ID:      TNZ-2025-0130

Severity:         Critical 

Issue Date:       2025-10-29

Updated on:       2025-10-29

Synopsis          VMware Tanzu Greenplum 7.6.0 addresses the following
                   security vulnerabilities.

 
Product Version Release Advisory

    VMware Tanzu Greenplum 7.6.0 includes the following component updates:
        VMware Tanzu Greenplum 7.6.0
            https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-greenplum/7/greenplum-database/cve-gpdb.html
        Tanzu Greenplum Disaster Recovery 1.4.0 
            https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-greenplum-disaster-recovery/1-4/gp-disaster-recovery/cve-gpdr.html
        Tanzu Greenplum Platform Extension Framework 7.1.0 
            https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-greenplum-platform-extension-framework/7-1-0/gp-pxf/cve-pxf.html 


Security Fixes

This release has the following security fixes, listed by
component and area.


Component               Vulnerabilities Resolved

vmware-greenplum        GHSA-6v2p-p543-phr9 (high)

Tanzu Greenplum Extensions  GHSA-x4wf-678h-2pmq (critical)

                             GHSA-hrfv-mqp8-q5rw (high)

Tanzu Greenplum Disaster Recovery     CVE-2025-4674 (high)

                                      CVE-2025-22874 (high) 

                                      CVE-2025-47907 (high)

                                      CVE-2025-4673 (medium)

                                      CVE-2025-47906 (medium)

                                      CVE-2025-0913 (medium)

Tanzu Greenplum platform extension framework

                                         CVE-2024-24786 (high)

                                         CVE-2025-4674 (high)
 

History

2025-10-29: Initial vulnerability report published.


Contact

E-mail: tanzu.psirt@broadcom.com

VMware Tanzu Security Advisories
https://tanzu.vmware.com/security

_____________________________________________________________________

Product Release Advisory - VMware Tanzu for Postgres on Kubernetes
4.3.1

Product/Component

VMware Tanzu Data Intelligence
VMware Tanzu Data Services
VMware Tanzu Data Services Pack
VMware Tanzu Data Services Solutions
VMware Tanzu Data Suite
VMware Tanzu for Postgres
VMware Tanzu Platform
VMware Tanzu Platform - SM
VMware Tanzu SQL 

Notification Id
36282

Last Updated
29 October 2025

Initial Publication Date
29 October 2025

Status
CLOSED

Severity
HIGH

CVSS Base Score

WorkAround

Affected CVE

Product Release Advisory


Advisory ID:   TNZ-2025-0132

Severity:      High 

Issue Date:    2025-10-29

Updated on:    2025-10-29

Synopsis       We have bumped Go versions and related dependencies to
                the latest versions, which resulted in 5 CVEs fixed.
 

Product Version Release Advisory

    VMware Tanzu for Postgres on Kubernetes 4.3.1
        https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-for-postgres-on-kubernetes/4-3/tnz-postgres-k8s/index.html 


Security Fixes

This release has the following security fixes, listed by
component and area.


Component                   Vulnerabilities Resolved

tanzu-postgres-kubernetes   
	
                          CVE-2025-8941 (high)
                          CVE-2025-5914 (high)
                          CVE-2025-6020 (high)
                          CVE-2025-8194 (high)
                          CVE-2025-9231 (medium)

 
History

2025-10-29: Initial vulnerability report published.


Contact

E-mail: tanzu.psirt@broadcom.com

VMware Tanzu Security Advisories: https://tanzu.vmware.com/security
_____________________________________________________________________

Product Release Advisory - VMware Tanzu for Postgres on Kubernetes
4.2.4

Product/Component

VMware Tanzu Data Intelligence
VMware Tanzu Data Services
VMware Tanzu Data Services Pack
VMware Tanzu Data Services Solutions
VMware Tanzu Data Suite
VMware Tanzu for Postgres
VMware Tanzu Platform
VMware Tanzu Platform - SM
VMware Tanzu SQL 

Notification Id
36283

Last Updated
29 October 2025

Initial Publication Date
29 October 2025

Status
CLOSED

Severity
HIGH

CVSS Base Score

WorkAround

Affected CVE


Product Release Advisory

Advisory ID:       TNZ-2025-0133

Severity:          High 

Issue Date:        2025-10-29

Updated on:        2025-10-29

Synopsis           Postgres Operator migration from pg_autofailover to
                    Patroni, TDS package support, and performance
                    optimizations, which resulted in 11 CVEs fixed.
 

Product Version Release Advisory

    VMware Tanzu for Postgres on Kubernetes 4.2.4
        https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-for-postgres-on-kubernetes/4-2/tnz-postgres-k8s/index.html 


Security Fixes

This release has the following security fixes, listed by
component and area.


Component                    Vulnerabilities Resolved

tanzu-postgres-kubernetes

                             CVE-2025-8194  (high)

                             CVE-2025-9230  (high)

                             CVE-2025-6020  (high)

                             CVE-2025-8941  (high)

                             CVE-2025-9232  (medium)

                             CVE-2025-32988  (medium)

                             CVE-2025-9231  (medium)

                             CVE-2025-32990  (medium)

                             CVE-2025-32989  (medium)

                             CVE-2025-47910  (medium)

                             CVE-2025-6395  (medium)

 
History

2025-10-29: Initial vulnerability report published.


Contact

E-mail: tanzu.psirt@broadcom.com

VMware Tanzu Security Advisories: https://tanzu.vmware.com/security
_____________________________________________________________________

Product Release Advisory - VMware Tanzu for Postgres 18.0.0, 17.6.0,
16.10.0, 15.14.0, 14.19.0, 13.22.0

Product/Component

VMware Tanzu Data Intelligence
VMware Tanzu Data Services
VMware Tanzu Data Services Pack
VMware Tanzu Data Services Solutions
VMware Tanzu Data Suite
VMware Tanzu for Postgres
VMware Tanzu SQL 

Notification Id
36284

Last Updated
29 October 2025

Initial Publication Date
29 October 2025

Status
CLOSED

Severity
HIGH

CVSS Base Score

WorkAround

Affected CVE


Product Release Advisory

Advisory ID:       TNZ-2025-0134

Severity:          High

Issue Date:        2025-10-29

Updated on:        2025-10-29

Synopsis           Bumped multiple dependencies, which resulted in
                    15 CVEs remediated in this release.
 

Product Version Release Advisory

    VMware Tanzu for Postgres 18.0.0
        https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-for-postgres/18-0/tnz-postgres/release-notes.html
    VMware Tanzu for Postgres 17.6.0
        https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-for-postgres/17-6/tnz-postgres/release-notes.html
    VMware Tanzu for Postgres 16.10.0
        https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-for-postgres/16-10/tnz-postgres/release-notes.html
    VMware Tanzu for Postgres 15.14.0
        https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-for-postgres/15-14/tnz-postgres/release-notes.html
    VMware Tanzu for Postgres 14.19.0
        https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-for-postgres/14-19/tnz-postgres/release-notes.html
    VMware Tanzu for Postgres 13.22.0
        https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-for-postgres/13-22/tnz-postgres/release-notes.html


Security Fixes

This release has the following security fixes, listed by
component and area.


Component                          Vulnerabilities Resolved

VMware Tanzu for Postgres 17.6.0    
                                   CVE-2025-8714 (high)
                                   CVE-2025-8715 (high)
                                   CVE-2025-8713 (low)

VMware Tanzu for Postgres 16.10.0

                                  CVE-2025-8714 (high)
                                  CVE-2025-8715 (high)
                                  CVE-2025-8713 (low)

VMware Tanzu for Postgres 15.14.0

                                  CVE-2025-8714 (high)
                                  CVE-2025-8715 (high)
                                  CVE-2025-8713 (low)

VMware Tanzu for Postgres 14.19.0

                                 CVE-2025-8714 (high)
                                 CVE-2025-8715 (high)
                                 CVE-2025-8713 (low)

VMware Tanzu for Postgres 13.22.0

                                 CVE-2025-8714 (high)
                                 CVE-2025-8715 (high)
                                 CVE-2025-8713 (low)
 

History

2025-10-29: Initial vulnerability report published.


Contact

E-mail: tanzu.psirt@broadcom.com

VMware Tanzu Security Advisories: https://tanzu.vmware.com/security

_____________________________________________________________________

Product Release Advisory - VMware Tanzu Greenplum 6.31.0

Product/Component

VMware Tanzu Data Intelligence
VMware Tanzu Data Suite
VMware Tanzu Greenplum 


Notification Id
36281

Last Updated
29 October 2025

Initial Publication Date
29 October 2025

Status
CLOSED

Severity
CRITICAL

CVSS Base Score
9.8


WorkAround

Affected CVE

Security Advisory


Advisory ID:          TNZ-2025-0131

Severity:             Critical 

Issue Date:           2025-10-29

Updated on:           2025-10-29

Synopsis              VMware Tanzu Greenplum 6.31.0 addresses the following
                       security vulnerabilities.

 
Product Version Release Advisory

    VMware Tanzu Greenplum 6.31.0 includes the following component updates:
        VMware Tanzu Greenplum 6.31.0
            https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-greenplum/6/greenplum-database/cve-gpdb.html 
        Tanzu Greenplum Disaster Recovery 1.4.0 
            https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-greenplum-disaster-recovery/1-4/gp-disaster-recovery/cve-gpdr.html
        Tanzu Greenplum Platform Extension Framework 7.1.0 
            https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-greenplum-platform-extension-framework/7-1-0/gp-pxf/cve-pxf.html 


Security Fixes

This release has the following security fixes, listed by component and
area.


Component                      Vulnerabilities Resolved

vmware-greenplum
	
                    CVE-2025-49796 (critical) 

                    CVE-2025-49794 (critical) 

                    CVE-2025-32911 (critical) 

                    CVE-2025-43272 (medium)

                    CVE-2025-43212 (medium)

                    CVE-2024-44192 (medium)

                    CVE-2025-43368 (medium)

                    CVE-2022-39176 (high)

                    CVE-2025-31278 (high)

                    CVE-2020-26559 (high)

                    CVE-2025-43342 (critical)

                    CVE-2025-9900 (high)

                    CVE-2025-6558 (high)

                    CVE-2025-30427 (medium)

                    CVE-2025-43343 (critical)

                    CVE-2025-43216 (medium)

                    CVE-2025-24216 (medium)

                    CVE-2025-24150 (high) 

                    CVE-2025-31273 (high)

                    CVE-2025-31257 (medium)

                    CVE-2025-24209 (high) 

                    CVE-2025-50059 (high) 

                    CVE-2025-52194 (high) 

                    CVE-2025-50106 (high) 

                    CVE-2025-30749 (high) 

                    CVE-2020-26560 (high) 

                    CVE-2021-31535 (critical)

                    CVE-2025-58060 (high)

                    CVE-2025-6020 (high)

                    CVE-2024-46952 (high)

                    CVE-2022-44840 (high)

                    CVE-2025-8176 (medium) 

                    CVE-2024-46951 (high)

                    CVE-2024-55549 (high)

                    CVE-2025-7425 (high)

                    CVE-2024-46953 (high)

                    CVE-2024-53920 (high)

                    CVE-2024-46956 (high)

                    CVE-2024-4453 (high)

                    CVE-2025-8941 (high)

                    CVE-2019-25059 (high)

                    CVE-2024-46954 (high)

                    CVE-2025-6965 (high)

                    CVE-2025-4948 (high)


GHSA-6v2p-p543-phr9 (high)

                          CVE-2023-24607 (high)

                          CVE-2025-6021 (high)

                          CVE-2025-32906 (high)

                          CVE-2024-0444 (high)

                          CVE-2020-26557 (high)

                          CVE-2023-46751 (high)

                          CVE-2025-32415 (high)

                          CVE-2025-7345 (high)

                          CVE-2025-32913 (high)

                          CVE-2021-3826 (medium) 

                          CVE-2020-26556 (high)

                          CVE-2025-11021 (high)

                          CVE-2023-52355 (high)

                          CVE-2017-17973 (high)

                          CVE-2024-8176 (high)

                          CVE-2023-52356 (high)

                          CVE-2025-22874 (high)

                          CVE-2025-32049 (high)

                          CVE-2021-38593 (high)

                          CVE-2022-4055 (high)

                          CVE-2025-32914 (high)

                          CVE-2025-21587 (high)

                          CVE-2025-5914 (high)

                          CVE-2025-47273 (high)

                          CVE-2023-48161 (high)

                          CVE-2005-2541 (high)

                          CVE-2023-4504 (high)

                          CVE-2025-5222 (high)

                          CVE-2025-4802 (high)

                          CVE-2024-52533 (critical) 

                          CVE-2023-1579 (high)

                          CVE-2025-2784 (high)

                          CVE-2023-2222 (n/a)

                          CVE-2022-30294 (n/a)

                          CVE-2023-2004 (n/a)

                          CVE-2025-2720 (n/a)

                          CVE-2025-2724 (n/a)

                          CVE-2021-32256 (medium) 

                          CVE-2025-2723 (n/a)

PL/Container Python3 Image
	
                           CVE-2025-4517 (critical) 

                           CVE-2024-12718 (medium)

                           CVE-2025-9288 (critical) 

                           CVE-2023-37920 (high) 

                           GHSA-q2x7-8rv6-6q7h (medium) 

                           GHSA-4vmg-rw8f-92f9 (critical) 

                           GHSA-f73w-4m7g-ch9x (critical)

                           CVE-2025-8941 (high) 

                           CVE-2025-6965 (high)

                           CVE-2022-44840 (high)

                           CVE-2021-45078 (high)

                           CVE-2025-6020 (high)

                           CVE-2025-7425 (high)

                           GHSA-hrfv-mqp8-q5rw (medium) 

                           GHSA-x4wf-678h-2pmq (critical) 

PL/Container R Image
	
                           CVE-2022-39176 (high)

                           CVE-2022-39177 (high)

                           CVE-2020-26559 (high)

                           CVE-2025-49796 (critical) 

                           CVE-2025-32911 (critical)

                           CVE-2025-7425 (high)

                           CVE-2025-9288 (critical)

                           CVE-2025-4517 (critical)

                           CVE-2024-12718 (medium) 

                           CVE-2021-3826 (medium) 

                           CVE-2023-24607 (high) 

                           CVE-2021-38593 (high)

                           CVE-2023-52356 (high)

                           CVE-2023-52355 (high)

                           CVE-2023-46751 (high)

                           CVE-2024-0444 (high)

                           CVE-2025-50059 (high)

Tanzu Greenplum Extensions

                           GHSA-x4wf-678h-2pmq (critical)

                           GHSA-hrfv-mqp8-q5rw (high)

Tanzu Greenplum Disaster Recovery

                           CVE-2025-4674 (high)

                           CVE-2025-22874 (high) 

                           CVE-2025-47907 (high)

                           CVE-2025-4673 (medium)

                           CVE-2025-47906 (medium)

                           CVE-2025-0913 (medium)

Tanzu Greenplum Platform Extension Framework

                           CVE-2024-24786 (high)

                           CVE-2025-4674 (high)

 
History

2025-10-29: Initial vulnerability report published.


Contact

E-mail: tanzu.psirt@broadcom.com

VMware Tanzu Security Advisories
https://tanzu.vmware.com/security

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




