Описание
Security update for postgresql94
This update for postgresql94 fixes the following issues:
Security issues fixed:
- CVE-2017-15098: Fix crash due to rowtype mismatch in json{b}_populate_recordset() (bsc#1067844).
- CVE-2017-12172: Start scripts permit database administrator to modify root-owned files. This issue did not affect SUSE (bsc#1062538).
Bug fixes:
- Update to version 9.4.15
This update was imported from the SUSE:SLE-12:Update update project.
Список пакетов
openSUSE Leap 42.2
openSUSE Leap 42.3
Ссылки
- E-Mail link for openSUSE-SU-2018:0095-1
- SUSE Security Ratings
Описание
PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. PostgreSQL provides a script for starting the database server during system boot. Packages of PostgreSQL for many operating systems provide their own, packager-authored startup implementations. Several implementations use a log file name that the database superuser can replace with a symbolic link. As root, they open(), chmod() and/or chown() this log file name. This often suffices for the database superuser to escalate to root privileges when root starts the server.
Затронутые продукты
Ссылки
- CVE-2017-12172
- SUSE Bug 1062538
- SUSE Bug 1062722
Описание
Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory.
Затронутые продукты
Ссылки
- CVE-2017-15098
- SUSE Bug 1067844