Описание
Security update for postgresql15
This update for postgresql15 fixes the following issues:
- Update to 13.12
- CVE-2023-39417: Fixed potential SQL injection for trusted extensions. (bsc#1214059)
Список пакетов
SUSE Linux Enterprise Server 12 SP5
postgresql13-13.12-3.36.1
postgresql13-contrib-13.12-3.36.1
postgresql13-docs-13.12-3.36.1
postgresql13-plperl-13.12-3.36.1
postgresql13-plpython-13.12-3.36.1
postgresql13-pltcl-13.12-3.36.1
postgresql13-server-13.12-3.36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5
postgresql13-13.12-3.36.1
postgresql13-contrib-13.12-3.36.1
postgresql13-docs-13.12-3.36.1
postgresql13-plperl-13.12-3.36.1
postgresql13-plpython-13.12-3.36.1
postgresql13-pltcl-13.12-3.36.1
postgresql13-server-13.12-3.36.1
SUSE Linux Enterprise Software Development Kit 12 SP5
postgresql13-devel-13.12-3.36.1
postgresql13-server-devel-13.12-3.36.1
Ссылки
- Link for SUSE-SU-2023:3345-1
- E-Mail link for SUSE-SU-2023:3345-1
- SUSE Security Ratings
- SUSE Bug 1214059
- SUSE CVE CVE-2023-39417 page
Описание
IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.
Затронутые продукты
SUSE Linux Enterprise Server 12 SP5:postgresql13-13.12-3.36.1
SUSE Linux Enterprise Server 12 SP5:postgresql13-contrib-13.12-3.36.1
SUSE Linux Enterprise Server 12 SP5:postgresql13-docs-13.12-3.36.1
SUSE Linux Enterprise Server 12 SP5:postgresql13-plperl-13.12-3.36.1
Ссылки
- CVE-2023-39417
- SUSE Bug 1214059