Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2020:3425-1

Опубликовано: 19 нояб. 2020
Источник: suse-cvrf

Описание

Security update for postgresql12

This update for postgresql12 fixes the following issues:

  • Upgrade to version 12.5:
    • CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers within index expressions and materialized view queries.
    • CVE-2020-25694, bsc#1178667: a) Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb. b) When psql's \connect command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used.
    • CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from modifying specially-treated variables.
    • Fix recently-added timetz test case so it works when the USA is not observing daylight savings time.
    • https://www.postgresql.org/about/news/2111/
    • https://www.postgresql.org/docs/12/release-12-5.html

Список пакетов

Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server
libpq5-12.5-3.15.1
Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Server
libpq5-12.5-3.15.1
Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server
libpq5-12.5-3.15.1
SUSE Linux Enterprise Module for Basesystem 15 SP1
libpq5-12.5-3.15.1
libpq5-32bit-12.5-3.15.1
postgresql12-12.5-3.15.1
SUSE Linux Enterprise Module for Server Applications 15 SP1
libecpg6-12.5-3.15.1
postgresql12-contrib-12.5-3.15.1
postgresql12-devel-12.5-3.15.1
postgresql12-docs-12.5-3.15.1
postgresql12-plperl-12.5-3.15.1
postgresql12-plpython-12.5-3.15.1
postgresql12-pltcl-12.5-3.15.1
postgresql12-server-12.5-3.15.1
postgresql12-server-devel-12.5-3.15.1

Ссылки

Описание

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Затронутые продукты
Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server:libpq5-12.5-3.15.1
Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Server:libpq5-12.5-3.15.1
Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server:libpq5-12.5-3.15.1
SUSE Linux Enterprise Module for Basesystem 15 SP1:libpq5-12.5-3.15.1
Ссылки

Описание

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Затронутые продукты
Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server:libpq5-12.5-3.15.1
Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Server:libpq5-12.5-3.15.1
Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server:libpq5-12.5-3.15.1
SUSE Linux Enterprise Module for Basesystem 15 SP1:libpq5-12.5-3.15.1
Ссылки

Описание

A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Затронутые продукты
Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server:libpq5-12.5-3.15.1
Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Server:libpq5-12.5-3.15.1
Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server:libpq5-12.5-3.15.1
SUSE Linux Enterprise Module for Basesystem 15 SP1:libpq5-12.5-3.15.1
Ссылки
Уязвимость SUSE-SU-2020:3425-1