openSUSE Security Update: Security update for postgresql93 ______________________________________________________________________________
Announcement ID: openSUSE-SU-2016:2425-1 Rating: important References: #993453 #993454 Cross-References: CVE-2016-5423 CVE-2016-5424 Affected Products: openSUSE 13.2 ______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
The postgresql server postgresql93 was updated to 9.3.14 fixes the following issues:
Update to version 9.3.14: * Fix possible mis-evaluation of nested CASE-WHEN expressions (CVE-2016-5423, boo#993454) * Fix client programs' handling of special characters in database and role names (CVE-2016-5424, boo#993453) * Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied to nested composite values * Make the inet and cidr data types properly reject IPv6 addresses with too many colon-separated fields * Prevent crash in close_ps() (the point ## lseg operator) for NaN input coordinates * Fix several one-byte buffer over-reads in to_number() * Avoid unsafe intermediate state during expensive paths through heap_update() * For the other bug fixes, see the release notes: https://www.postgresql.org/docs/9.3/static/release-9-3-14.html
Update to version 9.3.13:
This update fixes several problems which caused downtime for users, including: - Clearing the OpenSSL error queue before OpenSSL calls, preventing errors in SSL connections, particularly when using the Python, Ruby or PHP OpenSSL wrappers - Fixed the "failed to build N-way joins" planner error - Fixed incorrect handling of equivalence in multilevel nestloop query plans, which could emit rows which didn't match the WHERE clause. - Prevented two memory leaks with using GIN indexes, including a potential index corruption risk. The release also includes many other bug fixes for reported issues, many of which affect all supported versions: - Fix corner-case parser failures occurring when operator_precedence_warning is turned on - Prevent possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp() - Correct dumping of VIEWs and RULEs which use ANY (array) in a subselect - Disallow newlines in ALTER SYSTEM parameter values - Avoid possible misbehavior after failing to remove a tablespace symlink - Fix crash in logical decoding on alignment-picky platforms - Avoid repeated requests for feedback from receiver while shutting down walsender - Multiple fixes for pg_upgrade - Support building with Visual Studio 2015 - This update also contains tzdata release 2016d, with updates for Russia, Venezuela, Kirov, and Tomsk. http://www.postgresql.org/docs/current/static/release-9-3-13.html
Update to version 9.3.12:
- Fix two bugs in indexed ROW() comparisons - Avoid data loss due to renaming files - Prevent an error in rechecking rows in SELECT FOR UPDATE/SHARE - Fix bugs in multiple json_ and jsonb_ functions - Log lock waits for INSERT ON CONFLICT correctly - Ignore recovery_min_apply_delay until reaching a consistent state - Fix issue with pg_subtrans XID wraparound - Fix assorted bugs in Logical Decoding - Fix planner error with nested security barrier views - Prevent memory leak in GIN indexes - Fix two issues with ispell dictionaries - Avoid a crash on old Windows versions - Skip creating an erroneous delete script in pg_upgrade - Correctly translate empty arrays into PL/Perl - Make PL/Python cope with identifier names
For the full release notes, see: http://www.postgresql.org/docs/9.4/static/release-9-3-12.html
Patch Instructions:
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- openSUSE 13.2:
zypper in -t patch openSUSE-2016-1140=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.2 (i586 x86_64):
libecpg6-9.3.14-2.13.1 libecpg6-debuginfo-9.3.14-2.13.1 libpq5-9.3.14-2.13.1 libpq5-debuginfo-9.3.14-2.13.1 postgresql93-9.3.14-2.13.1 postgresql93-contrib-9.3.14-2.13.1 postgresql93-contrib-debuginfo-9.3.14-2.13.1 postgresql93-debuginfo-9.3.14-2.13.1 postgresql93-debugsource-9.3.14-2.13.1 postgresql93-devel-9.3.14-2.13.1 postgresql93-devel-debuginfo-9.3.14-2.13.1 postgresql93-libs-debugsource-9.3.14-2.13.1 postgresql93-plperl-9.3.14-2.13.1 postgresql93-plperl-debuginfo-9.3.14-2.13.1 postgresql93-plpython-9.3.14-2.13.1 postgresql93-plpython-debuginfo-9.3.14-2.13.1 postgresql93-pltcl-9.3.14-2.13.1 postgresql93-pltcl-debuginfo-9.3.14-2.13.1 postgresql93-server-9.3.14-2.13.1 postgresql93-server-debuginfo-9.3.14-2.13.1 postgresql93-test-9.3.14-2.13.1
- openSUSE 13.2 (noarch):
postgresql93-docs-9.3.14-2.13.1
- openSUSE 13.2 (x86_64):
libecpg6-32bit-9.3.14-2.13.1 libecpg6-debuginfo-32bit-9.3.14-2.13.1 libpq5-32bit-9.3.14-2.13.1 libpq5-debuginfo-32bit-9.3.14-2.13.1
References:
https://www.suse.com/security/cve/CVE-2016-5423.html https://www.suse.com/security/cve/CVE-2016-5424.html https://bugzilla.suse.com/993453 https://bugzilla.suse.com/993454
-- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org
|