Description
Security update for postgresql15
This update for postgresql15 fixes the following issues:
Updated to version 15.3:
- CVE-2023-2454: Fixed an issue where a user having permission to create a schema could hijack the privileges of a security definer function or extension script (bsc#1211228).
- CVE-2023-2455: Fixed an issue that could allow a user to see or modify rows that should have been invisible (bsc#1211229).
- Internal fixes (bsc#1210303).
Package list
SUSE Linux Enterprise Server 12 SP2-BCL
SUSE Linux Enterprise Server 12 SP4-ESPOS
SUSE Linux Enterprise Server 12 SP4-LTSS
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server for SAP Applications 12 SP4
SUSE Linux Enterprise Server for SAP Applications 12 SP5
SUSE Linux Enterprise Software Development Kit 12 SP5
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud Crowbar 9
References
- Link for SUSE-SU-2023:2206-1
- E-Mail link for SUSE-SU-2023:2206-1
- SUSE Security Ratings
- SUSE Bug 1210303
- SUSE Bug 1211228
- SUSE Bug 1211229
- SUSE CVE CVE-2023-2454 page
- SUSE CVE CVE-2023-2455 page
Description
schema_element defeats protective search_path changes. It was found that certain database calls in PostgreSQL could permit an authenticated attacker with elevated database-level privileges to execute arbitrary code.
Affected products
References
- CVE-2023-2454
- SUSE Bug 1211228
Description
Row security policies disregard user ID changes after inlining. PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
Affected products
References
- CVE-2023-2455
- SUSE Bug 1211229