openSUSE-SU-2017:3425-1

Опубликовано: 22 дек. 2017

Источник: suse-cvrf

Описание

Security update for postgresql96

This update for postgresql96 fixes the following issues:

Security issues fixed:

CVE-2017-15098: Fix crash due to rowtype mismatch in json{b}_populate_recordset() (bsc#1067844).
CVE-2017-15099: Ensure that INSERT ... ON CONFLICT DO UPDATE checks table permissions and RLS policies in all cases (bsc#1067841).

Bug fixes:

Update to version 9.6.6:
- https://www.postgresql.org/docs/9.6/static/release-9-6-6.html
- https://www.postgresql.org/docs/9.6/static/release-9-6-5.html

This update was imported from the SUSE:SLE-12:Update update project.

Список пакетов

openSUSE Leap 42.2

libecpg6-9.6.6-9.1

libecpg6-32bit-9.6.6-9.1

libpq5-9.6.6-9.1

libpq5-32bit-9.6.6-9.1

postgresql96-9.6.6-9.1

postgresql96-contrib-9.6.6-9.1

postgresql96-devel-9.6.6-9.1

postgresql96-docs-9.6.6-9.1

postgresql96-libs-9.6.6-9.1

postgresql96-plperl-9.6.6-9.1

postgresql96-plpython-9.6.6-9.1

postgresql96-pltcl-9.6.6-9.1

postgresql96-server-9.6.6-9.1

postgresql96-test-9.6.6-9.1

openSUSE Leap 42.3

libecpg6-9.6.6-9.1

libecpg6-32bit-9.6.6-9.1

libpq5-9.6.6-9.1

libpq5-32bit-9.6.6-9.1

postgresql96-9.6.6-9.1

postgresql96-contrib-9.6.6-9.1

postgresql96-devel-9.6.6-9.1

postgresql96-docs-9.6.6-9.1

postgresql96-libs-9.6.6-9.1

postgresql96-plperl-9.6.6-9.1

postgresql96-plpython-9.6.6-9.1

postgresql96-pltcl-9.6.6-9.1

postgresql96-server-9.6.6-9.1

postgresql96-test-9.6.6-9.1

Ссылки

https://lists.opensuse.org/opensuse-updates/2017-12/msg00099.html
E-Mail link for openSUSE-SU-2017:3425-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings

Описание

Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory.

Затронутые продукты

openSUSE Leap 42.2:libecpg6-32bit-9.6.6-9.1

openSUSE Leap 42.2:libecpg6-9.6.6-9.1

openSUSE Leap 42.2:libpq5-32bit-9.6.6-9.1

openSUSE Leap 42.2:libpq5-9.6.6-9.1

Ссылки

https://www.suse.com/security/cve/CVE-2017-15098.html
CVE-2017-15098
https://bugzilla.suse.com/1067844
SUSE Bug 1067844

Описание

INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.

Затронутые продукты

openSUSE Leap 42.2:libecpg6-32bit-9.6.6-9.1

openSUSE Leap 42.2:libecpg6-9.6.6-9.1

openSUSE Leap 42.2:libpq5-32bit-9.6.6-9.1

openSUSE Leap 42.2:libpq5-9.6.6-9.1

Ссылки

https://www.suse.com/security/cve/CVE-2017-15099.html
CVE-2017-15099
https://bugzilla.suse.com/1067841
SUSE Bug 1067841

openSUSE-SU-2017:3425-1

Описание

Список пакетов

openSUSE Leap 42.2

openSUSE Leap 42.3

Ссылки

Уязвимость: CVE-2017-15098

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2017-15099

Описание

Затронутые продукты

Ссылки