Описание
Security update for postgresql96
This update for postgresql96 fixes the following issues:
Security issues fixed:
- CVE-2017-15098: Fix crash due to rowtype mismatch in json{b}_populate_recordset() (bsc#1067844).
- CVE-2017-15099: Ensure that INSERT ... ON CONFLICT DO UPDATE checks table permissions and RLS policies in all cases (bsc#1067841).
Bug fixes:
Список пакетов
SUSE Linux Enterprise Desktop 12 SP2
SUSE Linux Enterprise Desktop 12 SP3
SUSE Linux Enterprise Server 12 SP2
SUSE Linux Enterprise Server 12 SP3
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
SUSE Linux Enterprise Server for SAP Applications 12 SP2
SUSE Linux Enterprise Server for SAP Applications 12 SP3
SUSE Linux Enterprise Software Development Kit 12 SP2
SUSE Linux Enterprise Software Development Kit 12 SP3
Ссылки
- Link for SUSE-SU-2017:3391-1
- E-Mail link for SUSE-SU-2017:3391-1
- SUSE Security Ratings
- SUSE Bug 1067841
- SUSE Bug 1067844
- SUSE CVE CVE-2017-15098 page
- SUSE CVE CVE-2017-15099 page
Описание
Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory.
Затронутые продукты
Ссылки
- CVE-2017-15098
- SUSE Bug 1067844
- SUSE Bug 1185814
Описание
INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.
Затронутые продукты
Ссылки
- CVE-2017-15099
- SUSE Bug 1067841