Описание
Security update for postgresql10
This update for postgresql10 fixes the following issues:
-
Upgrade to 10.22:
-
CVE-2022-2625: Fixed an issue where extension scripts would replace objects not belonging to that extension (bsc#1202368).
-
Upgrade to 10.21:
-
CVE-2022-1552: Confined additional operations within 'security restricted operation' sandboxes (bsc#1199475).
-
Upgrade to 10.20 (bsc#1195680)
-
Add constraints file with 12GB of memory for s390x as a workaround (boo#1190740)
-
Upgrade to version 10.19 (bsc#1192516):
-
CVE-2021-23214: Made the server reject extraneous data after an SSL or GSS encryption handshake
-
CVE-2021-23222: Made libpq reject extraneous data after an SSL or GSS encryption handshake
-
Fix for build with llvm12 on s390x. (bsc#1185952)
-
Re-enable 'icu' for PostgreSQL 10. (bsc#1179945)
-
Add postgresqlXX-server-devel as a dependency for postgresql13-server-devel. (bsc#1187751)
-
Upgrade to version 10.18. (bsc#1190177)
Список пакетов
SUSE Enterprise Storage 6
SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS
SUSE Linux Enterprise High Performance Computing 15-ESPOS
SUSE Linux Enterprise High Performance Computing 15-LTSS
SUSE Linux Enterprise Server 15 SP1-BCL
SUSE Linux Enterprise Server 15 SP1-LTSS
SUSE Linux Enterprise Server 15-LTSS
SUSE Linux Enterprise Server for SAP Applications 15
SUSE Linux Enterprise Server for SAP Applications 15 SP1
Ссылки
- Link for SUSE-SU-2022:2893-1
- E-Mail link for SUSE-SU-2022:2893-1
- SUSE Security Ratings
- SUSE Bug 1179945
- SUSE Bug 1183168
- SUSE Bug 1185952
- SUSE Bug 1187751
- SUSE Bug 1190177
- SUSE Bug 1190740
- SUSE Bug 1192516
- SUSE Bug 1195680
- SUSE Bug 1199475
- SUSE Bug 1202368
- SUSE CVE CVE-2021-23214 page
- SUSE CVE CVE-2021-23222 page
- SUSE CVE CVE-2022-1552 page
- SUSE CVE CVE-2022-2625 page
Описание
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
Затронутые продукты
Ссылки
- CVE-2021-23214
- SUSE Bug 1192516
Описание
A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.
Затронутые продукты
Ссылки
- CVE-2021-23222
- SUSE Bug 1192516
Описание
A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity.
Затронутые продукты
Ссылки
- CVE-2022-1552
- SUSE Bug 1199475
Описание
A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.
Затронутые продукты
Ссылки
- CVE-2022-2625
- SUSE Bug 1202368