Description
Security update for postgresql, postgresql96, postgresql10, postgresql12
This update for postgresql, postgresql96, postgresql10, postgresql12 fixes the following issues:
Postgresql12 was updated to 12.3 (bsc#1171924).
- Let postgresqlXX conflict with postgresql-noarch < 12.0.1 to get a clean and complete cutover to the new packaging schema.
Also changed in the postgresql wrapper package:
- Bump version to 12.0.1, so that the binary packages also have a cut-point to conflict with.
- Conflict with versions of the binary packages prior to the May 2020 update, because we changed the package layout at that point and need a clean cutover.
- Bump package version to 12, but leave default at 10 for SLE-15 and SLE-15-SP1.
postgresql11 was updated to 11.9:
- CVE-2020-14349, bsc#1175193: Set a secure search_path in logical replication walsenders and apply workers
- CVE-2020-14350, bsc#1175194: Make contrib modules' installation scripts more secure.
- https://www.postgresql.org/docs/11/release-11-9.html
- Pack the /usr/lib/postgresql symlink only into the main package.
postgresql11 was updated to 11.8 (bsc#1171924).
- Unify the spec file to work across all current PostgreSQL versions to simplify future maintenance.
- Move from the 'libs' build flavour to a 'mini' package that will only be used inside the build service and not get shipped, to avoid confusion with the debuginfo packages (bsc#1148643).
postgresql10 was updated to 10.13 (bsc#1171924).
- Unify the spec file to work across all current PostgreSQL versions to simplify future maintenance.
- Move from the 'libs' build flavour to a 'mini' package that will only be used inside the build service and not get shipped, to avoid confusion with the debuginfo packages (bsc#1148643).
postgresql96 was updated to 9.6.19:
- CVE-2020-14350, boo#1175194: Make contrib modules' installation scripts more secure.
- https://www.postgresql.org/docs/9.6/release-9-6-19.html
- Pack the /usr/lib/postgresql symlink only into the main package.
- Let postgresqlXX conflict with postgresql-noarch < 12.0.1 to get a clean and complete cutover to the new packaging schema.
- Update to 9.6.18 (boo#1171924): https://www.postgresql.org/about/news/2038/ https://www.postgresql.org/docs/9.6/release-9-6-18.html
- Unify the spec file to work across all current PostgreSQL versions to simplify future maintenance.
- Move from the 'libs' build flavour to a 'mini' package that will only be used inside the build service and not get shipped, to avoid confusion with the debuginfo packages (boo#1148643).
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Package list
openSUSE Leap 15.2
References
- E-Mail link for openSUSE-SU-2020:1228-1
- SUSE Security Ratings
- SUSE Bug 1148643
- SUSE Bug 1171924
- SUSE Bug 1175193
- SUSE Bug 1175194
- SUSE CVE CVE-2020-14349 page
- SUSE CVE CVE-2020-14350 page
Description
It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL commands in the context of the user used for replication.
Affected products
References
- CVE-2020-14349
- SUSE Bug 1175193
- SUSE Bug 1176151
- SUSE Bug 1179499
- SUSE Bug 1179870
Description
It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.
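Both CVEs above come down to unqualified object names being resolved through an attacker-influenced search_path, either by the replication role or by the administrator installing an extension. The following audit and hardening statements are an added example for a DBA checking a 9.6 to 12 instance after applying this update; they are not part of the advisory or of the PostgreSQL packages, and the role name replication_user is a constructed placeholder.

```sql
-- Added example, not from the advisory. Run as a superuser in each database.
-- 1. CVE-2018-1058-style exposure: may every login role CREATE objects in the
--    public schema? TRUE means an unprivileged user can plant objects that
--    shadow unqualified names for any session whose search_path includes public.
SELECT has_schema_privilege('public', 'public', 'CREATE') AS public_create_allowed;

-- 2. Roles that can act as a walsender (rolreplication) or that own
--    subscriptions (apply workers), with any role-wide search_path override
--    already in place (setdatabase = 0 means "for all databases").
SELECT r.rolname,
       r.rolreplication,
       r.rolsuper,
       s.setconfig AS role_settings
FROM pg_roles r
LEFT JOIN pg_db_role_setting s
       ON s.setrole = r.oid AND s.setdatabase = 0
WHERE r.rolreplication OR r.rolsuper
ORDER BY r.rolname;

-- PostgreSQL 10 and later only: subscription owners run the apply side.
SELECT subname, pg_get_userbyid(subowner) AS owner_role
FROM pg_subscription;

-- 3. Hardening: stop PUBLIC from creating objects in public, and pin the
--    replication role (placeholder name) to a search_path that cannot be
--    shadowed by user-created objects.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
ALTER ROLE replication_user SET search_path = pg_catalog;

-- 4. CVE-2020-14350 hygiene: extension install/update scripts run with the
--    installing superuser's privileges, so inventory what is installed and
--    run CREATE/ALTER EXTENSION only after the patched packages are in place.
SELECT e.extname,
       e.extversion,
       n.nspname  AS schema_name,
       r.rolname  AS owner_role
FROM pg_extension e
JOIN pg_namespace n ON n.oid = e.extnamespace
JOIN pg_roles     r ON r.oid = e.extowner
ORDER BY e.extname;
```

The REVOKE in step 3 changes behaviour for applications that create tables in public as ordinary users, so check step 1's result and your application roles before applying it in production.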
Affected products
References
- CVE-2020-14350
- SUSE Bug 1175194
- SUSE Bug 1176151
- SUSE Bug 1179115
- SUSE Bug 1179499
- SUSE Bug 1179870