Описание
Security update for postgresql10
This update for postgresql10 fixes the following issues:
- update to 10.14:
- CVE-2020-14349, bsc#1175193: Set a secure search_path in logical replication walsenders and apply workers
- CVE-2020-14350, bsc#1175194: Make contrib modules' installation scripts more secure.
- https://www.postgresql.org/docs/10/release-10-14.html
Список пакетов
SUSE Linux Enterprise High Performance Computing 15-ESPOS
SUSE Linux Enterprise High Performance Computing 15-LTSS
SUSE Linux Enterprise Server 15-LTSS
SUSE Linux Enterprise Server for SAP Applications 15
Ссылки
- Link for SUSE-SU-2020:2264-1
- E-Mail link for SUSE-SU-2020:2264-1
- SUSE Security Ratings
- SUSE Bug 1175193
- SUSE Bug 1175194
- SUSE CVE CVE-2020-14349 page
- SUSE CVE CVE-2020-14350 page
Описание
It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication.
Затронутые продукты
Ссылки
- CVE-2020-14349
- SUSE Bug 1175193
- SUSE Bug 1176151
- SUSE Bug 1179499
- SUSE Bug 1179870
Описание
It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.
Затронутые продукты
Ссылки
- CVE-2020-14350
- SUSE Bug 1175194
- SUSE Bug 1176151
- SUSE Bug 1179115
- SUSE Bug 1179499
- SUSE Bug 1179870