Login
Newsletter
Werbung

Sicherheit: Zwei Probleme in PostgreSQL
Aktuelle Meldungen Distributionen
Name: Zwei Probleme in PostgreSQL
ID: openSUSE-SU-2016:2425-1
Distribution: SUSE
Plattformen: openSUSE 13.2
Datum: Sa, 1. Oktober 2016, 00:25
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5424
Applikationen: PostgreSQL

Originalnachricht

   openSUSE Security Update: Security update for postgresql93
______________________________________________________________________________

Announcement ID: openSUSE-SU-2016:2425-1
Rating: important
References: #993453 #993454
Cross-References: CVE-2016-5423 CVE-2016-5424
Affected Products:
openSUSE 13.2
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:


The postgresql server postgresql93 was updated to 9.3.14 fixes the
following issues:

Update to version 9.3.14:
* Fix possible mis-evaluation of nested CASE-WHEN expressions
(CVE-2016-5423, boo#993454)
* Fix client programs' handling of special characters in database and
role
names (CVE-2016-5424, boo#993453)
* Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied to nested
composite values
* Make the inet and cidr data types properly reject IPv6 addresses with
too many colon-separated fields
* Prevent crash in close_ps() (the point ## lseg operator) for NaN input
coordinates
* Fix several one-byte buffer over-reads in to_number()
* Avoid unsafe intermediate state during expensive paths through
heap_update()
* For the other bug fixes, see the release notes:
https://www.postgresql.org/docs/9.3/static/release-9-3-14.html

Update to version 9.3.13:

This update fixes several problems which caused downtime for users,
including:
- Clearing the OpenSSL error queue before OpenSSL calls, preventing errors
in SSL connections, particularly when using the Python, Ruby or PHP
OpenSSL wrappers
- Fixed the "failed to build N-way joins" planner error
- Fixed incorrect handling of equivalence in multilevel nestloop query
plans, which could emit rows which didn't match the WHERE clause.
- Prevented two memory leaks with using GIN indexes, including a potential
index corruption risk. The release also includes many other bug fixes
for reported issues, many of which affect all supported versions:
- Fix corner-case parser failures occurring when
operator_precedence_warning is turned on
- Prevent possible misbehavior of TH, th, and Y,YYY format codes in
to_timestamp()
- Correct dumping of VIEWs and RULEs which use ANY (array) in a subselect
- Disallow newlines in ALTER SYSTEM parameter values
- Avoid possible misbehavior after failing to remove a tablespace symlink
- Fix crash in logical decoding on alignment-picky platforms
- Avoid repeated requests for feedback from receiver while shutting down
walsender
- Multiple fixes for pg_upgrade
- Support building with Visual Studio 2015
- This update also contains tzdata release 2016d, with updates for Russia,
Venezuela, Kirov, and Tomsk.
http://www.postgresql.org/docs/current/static/release-9-3-13.html

Update to version 9.3.12:

- Fix two bugs in indexed ROW() comparisons
- Avoid data loss due to renaming files
- Prevent an error in rechecking rows in SELECT FOR UPDATE/SHARE
- Fix bugs in multiple json_ and jsonb_ functions
- Log lock waits for INSERT ON CONFLICT correctly
- Ignore recovery_min_apply_delay until reaching a consistent state
- Fix issue with pg_subtrans XID wraparound
- Fix assorted bugs in Logical Decoding
- Fix planner error with nested security barrier views
- Prevent memory leak in GIN indexes
- Fix two issues with ispell dictionaries
- Avoid a crash on old Windows versions
- Skip creating an erroneous delete script in pg_upgrade
- Correctly translate empty arrays into PL/Perl
- Make PL/Python cope with identifier names

For the full release notes, see:
http://www.postgresql.org/docs/9.4/static/release-9-3-12.html


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.2:

zypper in -t patch openSUSE-2016-1140=1

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 13.2 (i586 x86_64):

libecpg6-9.3.14-2.13.1
libecpg6-debuginfo-9.3.14-2.13.1
libpq5-9.3.14-2.13.1
libpq5-debuginfo-9.3.14-2.13.1
postgresql93-9.3.14-2.13.1
postgresql93-contrib-9.3.14-2.13.1
postgresql93-contrib-debuginfo-9.3.14-2.13.1
postgresql93-debuginfo-9.3.14-2.13.1
postgresql93-debugsource-9.3.14-2.13.1
postgresql93-devel-9.3.14-2.13.1
postgresql93-devel-debuginfo-9.3.14-2.13.1
postgresql93-libs-debugsource-9.3.14-2.13.1
postgresql93-plperl-9.3.14-2.13.1
postgresql93-plperl-debuginfo-9.3.14-2.13.1
postgresql93-plpython-9.3.14-2.13.1
postgresql93-plpython-debuginfo-9.3.14-2.13.1
postgresql93-pltcl-9.3.14-2.13.1
postgresql93-pltcl-debuginfo-9.3.14-2.13.1
postgresql93-server-9.3.14-2.13.1
postgresql93-server-debuginfo-9.3.14-2.13.1
postgresql93-test-9.3.14-2.13.1

- openSUSE 13.2 (noarch):

postgresql93-docs-9.3.14-2.13.1

- openSUSE 13.2 (x86_64):

libecpg6-32bit-9.3.14-2.13.1
libecpg6-debuginfo-32bit-9.3.14-2.13.1
libpq5-32bit-9.3.14-2.13.1
libpq5-debuginfo-32bit-9.3.14-2.13.1


References:

https://www.suse.com/security/cve/CVE-2016-5423.html
https://www.suse.com/security/cve/CVE-2016-5424.html
https://bugzilla.suse.com/993453
https://bugzilla.suse.com/993454

--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung