Описание
Security update for postgresql12
This update for postgresql12 fixes the following issues:
This update for postgresql12 fixes the following issues:
- CVE-2023-39417: Fixed potential SQL injection for trusted extensions (bsc#1214059).
Список пакетов
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS
libecpg6-12.16-150100.3.44.1
libpq5-12.16-150100.3.44.1
libpq5-32bit-12.16-150100.3.44.1
postgresql12-12.16-150100.3.44.1
postgresql12-contrib-12.16-150100.3.44.1
postgresql12-devel-12.16-150100.3.44.1
postgresql12-docs-12.16-150100.3.44.1
postgresql12-plperl-12.16-150100.3.44.1
postgresql12-plpython-12.16-150100.3.44.1
postgresql12-pltcl-12.16-150100.3.44.1
postgresql12-server-12.16-150100.3.44.1
postgresql12-server-devel-12.16-150100.3.44.1
SUSE Linux Enterprise Server 15 SP1-LTSS
libecpg6-12.16-150100.3.44.1
libpq5-12.16-150100.3.44.1
libpq5-32bit-12.16-150100.3.44.1
postgresql12-12.16-150100.3.44.1
postgresql12-contrib-12.16-150100.3.44.1
postgresql12-devel-12.16-150100.3.44.1
postgresql12-docs-12.16-150100.3.44.1
postgresql12-plperl-12.16-150100.3.44.1
postgresql12-plpython-12.16-150100.3.44.1
postgresql12-pltcl-12.16-150100.3.44.1
postgresql12-server-12.16-150100.3.44.1
postgresql12-server-devel-12.16-150100.3.44.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1
libecpg6-12.16-150100.3.44.1
libpq5-12.16-150100.3.44.1
libpq5-32bit-12.16-150100.3.44.1
postgresql12-12.16-150100.3.44.1
postgresql12-contrib-12.16-150100.3.44.1
postgresql12-devel-12.16-150100.3.44.1
postgresql12-docs-12.16-150100.3.44.1
postgresql12-plperl-12.16-150100.3.44.1
postgresql12-plpython-12.16-150100.3.44.1
postgresql12-pltcl-12.16-150100.3.44.1
postgresql12-server-12.16-150100.3.44.1
postgresql12-server-devel-12.16-150100.3.44.1
Ссылки
- Link for SUSE-SU-2023:3346-1
- E-Mail link for SUSE-SU-2023:3346-1
- SUSE Security Ratings
- SUSE Bug 1214059
- SUSE CVE CVE-2023-39417 page
Описание
IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.
Затронутые продукты
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libecpg6-12.16-150100.3.44.1
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpq5-12.16-150100.3.44.1
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpq5-32bit-12.16-150100.3.44.1
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:postgresql12-12.16-150100.3.44.1
Ссылки
- CVE-2023-39417
- SUSE Bug 1214059