Login
Newsletter
Werbung

Sicherheit: Mangelnde Rechteprüfung in postgresql
Aktuelle Meldungen Distributionen
Name: Mangelnde Rechteprüfung in postgresql
ID: SUSE-SU-2020:2149-1
Distribution: SUSE
Plattformen: SUSE Linux Enterprise Module for Server Applications 15-SP1, SUSE Linux Enterprise Module for Basesystem 15-SP1, SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise Server for SAP 15, SUSE Linux Enterprise High Performance Computing 15-LTSS
Datum: Fr, 7. August 2020, 00:34
Referenzen: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1720
Applikationen: PostgreSQL

Originalnachricht


SUSE Security Update: Security update for postgresql10 and postgresql12
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:2149-1
Rating: moderate
References: #1148643 #1163985 #1171924
Cross-References: CVE-2020-1720
Affected Products:
SUSE Linux Enterprise Server for SAP 15
SUSE Linux Enterprise Server 15-LTSS
SUSE Linux Enterprise Module for Server Applications 15-SP1
SUSE Linux Enterprise Module for Packagehub Subpackages
15-SP1
SUSE Linux Enterprise Module for Basesystem 15-SP1
SUSE Linux Enterprise High Performance Computing 15-LTSS
SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for postgresql10 and postgresql12 fixes the following issues:

postgresql10 was updated to 10.13 (bsc#1171924).

https://www.postgresql.org/about/news/2038/
https://www.postgresql.org/docs/10/release-10-13.html

postgresql10 was updated to 10.12 (CVE-2020-1720, bsc#1163985)

- https://www.postgresql.org/about/news/2011/
- https://www.postgresql.org/docs/10/release-10-12.html

postgresql10 was updated to 10.11:

- https://www.postgresql.org/about/news/1994/
- https://www.postgresql.org/docs/10/release-10-11.html


postgresql12 was updated to 12.3 (bsc#1171924).

Bug Fixes and Improvements:

- Several fixes for GENERATED columns, including an issue where it was
possible to crash or corrupt data in a table when the output of the
generated column was the exact copy of a physical column on the table,
e.g. if the expression called a function which could return its own
input.
- Several fixes for ALTER TABLE, including ensuring the SET STORAGE
directive is propagated to a table's indexes.
- Fix a potential race condition when using DROP OWNED BY while another
session is deleting the same objects.
- Allow for a partition to be detached when it has inherited ROW triggers.
- Several fixes for REINDEX CONCURRENTLY, particularly with issues when a
REINDEX CONCURRENTLY operation fails.
- Fix crash when COLLATE is applied to an uncollatable type in a partition
bound expression.
- Fix performance regression in floating point overflow/underflow
detection.
- Several fixes for full text search, particularly with phrase searching.
- Fix query-lifespan memory leak for a set-returning function used in a
query's FROM clause.
- Several reporting fixes for the output of VACUUM VERBOSE.
- Allow input of type circle to accept the format (x,y),r, which is
specified in the documentation.
- Allow for the get_bit() and set_bit() functions to not fail on bytea
strings longer than 256MB.
- Avoid premature recycling of WAL segments during crash recovery, which
could lead to WAL segments being recycled before being archived.
- Avoid attempting to fetch nonexistent WAL files from archive storage
during recovery by skipping irrelevant timelines.
- Several fixes for logical replication and replication slots.
- Fix several race conditions in synchronous standby management, including
one that occurred when changing the synchronous_standby_names setting.
- Several fixes for GSSAPI support, include a fix for a memory leak that
occurred when using GSSAPI encryption.
- Ensure that members of the pg_read_all_stats role can read all
statistics views.
- Fix performance regression in information_schema.triggers view.
- Fix memory leak in libpq when using sslmode=verify-full.
- Fix crash in psql when attempting to re-establish a failed connection.
- Allow tab-completion of the filename argument to \gx command in psql.
- Add pg_dump support for ALTER ... DEPENDS ON EXTENSION.
- Several other fixes for pg_dump, which include dumping comments on RLS
policies and postponing restore of event triggers until the end.
- Ensure pg_basebackup generates valid tar files.
- pg_checksums skips tablespace subdirectories that belong to a different
PostgreSQL major version
- Several Windows compatibility fixes

This update also contains timezone tzdata release 2020a for DST law
changes in Morocco and the Canadian Yukon, plus historical corrections for
Shanghai. The America/Godthab zone has been renamed to America/Nuuk to
reflect current English usage ; however, the old name remains available as
a compatibility link. This also updates initdb's list of known Windows
time zone names to include recent additions.

For more details, check out:

- https://www.postgresql.org/docs/12/release-12-3.html

Other fixes:

- Let postgresqlXX conflict with postgresql-noarch < 12.0.1 to get a
clean
and complete cutover to the new packaging schema.


Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:

zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-2149=1

- SUSE Linux Enterprise Server 15-LTSS:

zypper in -t patch SUSE-SLE-Product-SLES-15-2020-2149=1

- SUSE Linux Enterprise Module for Server Applications 15-SP1:

zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-2149=1

- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1:

zypper in -t patch
SUSE-SLE-Module-Packagehub-Subpackages-15-SP1-2020-2149=1

- SUSE Linux Enterprise Module for Basesystem 15-SP1:

zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-2149=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:

zypper in -t patch SUSE-SLE-Product-HPC-15-2020-2149=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:

zypper in -t patch SUSE-SLE-Product-HPC-15-2020-2149=1



Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

libecpg6-10.13-4.22.4
libecpg6-debuginfo-10.13-4.22.4
libpq5-10.13-4.22.4
libpq5-debuginfo-10.13-4.22.4
postgresql10-10.13-4.22.4
postgresql10-contrib-10.13-4.22.4
postgresql10-contrib-debuginfo-10.13-4.22.4
postgresql10-debuginfo-10.13-4.22.4
postgresql10-debugsource-10.13-4.22.4
postgresql10-devel-10.13-4.22.4
postgresql10-devel-debuginfo-10.13-4.22.4
postgresql10-plperl-10.13-4.22.4
postgresql10-plperl-debuginfo-10.13-4.22.4
postgresql10-plpython-10.13-4.22.4
postgresql10-plpython-debuginfo-10.13-4.22.4
postgresql10-pltcl-10.13-4.22.4
postgresql10-pltcl-debuginfo-10.13-4.22.4
postgresql10-server-10.13-4.22.4
postgresql10-server-debuginfo-10.13-4.22.4

- SUSE Linux Enterprise Server for SAP 15 (noarch):

postgresql-12.0.1-8.14.1
postgresql-contrib-12.0.1-8.14.1
postgresql-devel-12.0.1-8.14.1
postgresql-docs-12.0.1-8.14.1
postgresql-plperl-12.0.1-8.14.1
postgresql-plpython-12.0.1-8.14.1
postgresql-pltcl-12.0.1-8.14.1
postgresql-server-12.0.1-8.14.1
postgresql10-docs-10.13-4.22.4

- SUSE Linux Enterprise Server for SAP 15 (x86_64):

libpq5-32bit-10.13-4.22.4
libpq5-32bit-debuginfo-10.13-4.22.4

- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

libecpg6-10.13-4.22.4
libecpg6-debuginfo-10.13-4.22.4
libpq5-10.13-4.22.4
libpq5-debuginfo-10.13-4.22.4
postgresql10-10.13-4.22.4
postgresql10-contrib-10.13-4.22.4
postgresql10-contrib-debuginfo-10.13-4.22.4
postgresql10-debuginfo-10.13-4.22.4
postgresql10-debugsource-10.13-4.22.4
postgresql10-devel-10.13-4.22.4
postgresql10-devel-debuginfo-10.13-4.22.4
postgresql10-plperl-10.13-4.22.4
postgresql10-plperl-debuginfo-10.13-4.22.4
postgresql10-plpython-10.13-4.22.4
postgresql10-plpython-debuginfo-10.13-4.22.4
postgresql10-pltcl-10.13-4.22.4
postgresql10-pltcl-debuginfo-10.13-4.22.4
postgresql10-server-10.13-4.22.4
postgresql10-server-debuginfo-10.13-4.22.4

- SUSE Linux Enterprise Server 15-LTSS (noarch):

postgresql-12.0.1-8.14.1
postgresql-contrib-12.0.1-8.14.1
postgresql-devel-12.0.1-8.14.1
postgresql-docs-12.0.1-8.14.1
postgresql-plperl-12.0.1-8.14.1
postgresql-plpython-12.0.1-8.14.1
postgresql-pltcl-12.0.1-8.14.1
postgresql-server-12.0.1-8.14.1
postgresql10-docs-10.13-4.22.4

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64
ppc64le s390x x86_64):

libecpg6-12.3-3.8.1
libecpg6-debuginfo-12.3-3.8.1
postgresql12-contrib-12.3-3.8.1
postgresql12-contrib-debuginfo-12.3-3.8.1
postgresql12-debuginfo-12.3-3.8.1
postgresql12-debugsource-12.3-3.8.1
postgresql12-devel-12.3-3.8.1
postgresql12-devel-debuginfo-12.3-3.8.1
postgresql12-plperl-12.3-3.8.1
postgresql12-plperl-debuginfo-12.3-3.8.1
postgresql12-plpython-12.3-3.8.1
postgresql12-plpython-debuginfo-12.3-3.8.1
postgresql12-pltcl-12.3-3.8.1
postgresql12-pltcl-debuginfo-12.3-3.8.1
postgresql12-server-12.3-3.8.1
postgresql12-server-debuginfo-12.3-3.8.1
postgresql12-server-devel-12.3-3.8.1
postgresql12-server-devel-debuginfo-12.3-3.8.1

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch):

postgresql-contrib-12.0.1-8.14.1
postgresql-devel-12.0.1-8.14.1
postgresql-docs-12.0.1-8.14.1
postgresql-plperl-12.0.1-8.14.1
postgresql-plpython-12.0.1-8.14.1
postgresql-pltcl-12.0.1-8.14.1
postgresql-server-12.0.1-8.14.1
postgresql-server-devel-12.0.1-8.14.1
postgresql12-docs-12.3-3.8.1

- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (noarch):

postgresql-test-12.0.1-8.14.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x
x86_64):

libpq5-12.3-3.8.1
libpq5-debuginfo-12.3-3.8.1
postgresql12-12.3-3.8.1
postgresql12-debuginfo-12.3-3.8.1
postgresql12-debugsource-12.3-3.8.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):

postgresql-12.0.1-8.14.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):

libpq5-32bit-12.3-3.8.1
libpq5-32bit-debuginfo-12.3-3.8.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

libecpg6-10.13-4.22.4
libecpg6-debuginfo-10.13-4.22.4
libpq5-10.13-4.22.4
libpq5-debuginfo-10.13-4.22.4
postgresql10-10.13-4.22.4
postgresql10-contrib-10.13-4.22.4
postgresql10-contrib-debuginfo-10.13-4.22.4
postgresql10-debuginfo-10.13-4.22.4
postgresql10-debugsource-10.13-4.22.4
postgresql10-devel-10.13-4.22.4
postgresql10-devel-debuginfo-10.13-4.22.4
postgresql10-plperl-10.13-4.22.4
postgresql10-plperl-debuginfo-10.13-4.22.4
postgresql10-plpython-10.13-4.22.4
postgresql10-plpython-debuginfo-10.13-4.22.4
postgresql10-pltcl-10.13-4.22.4
postgresql10-pltcl-debuginfo-10.13-4.22.4
postgresql10-server-10.13-4.22.4
postgresql10-server-debuginfo-10.13-4.22.4

- SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):

libpq5-32bit-10.13-4.22.4
libpq5-32bit-debuginfo-10.13-4.22.4

- SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):

postgresql-12.0.1-8.14.1
postgresql-contrib-12.0.1-8.14.1
postgresql-devel-12.0.1-8.14.1
postgresql-docs-12.0.1-8.14.1
postgresql-plperl-12.0.1-8.14.1
postgresql-plpython-12.0.1-8.14.1
postgresql-pltcl-12.0.1-8.14.1
postgresql-server-12.0.1-8.14.1
postgresql10-docs-10.13-4.22.4

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64
x86_64):

libecpg6-10.13-4.22.4
libecpg6-debuginfo-10.13-4.22.4
libpq5-10.13-4.22.4
libpq5-debuginfo-10.13-4.22.4
postgresql10-10.13-4.22.4
postgresql10-contrib-10.13-4.22.4
postgresql10-contrib-debuginfo-10.13-4.22.4
postgresql10-debuginfo-10.13-4.22.4
postgresql10-debugsource-10.13-4.22.4
postgresql10-devel-10.13-4.22.4
postgresql10-devel-debuginfo-10.13-4.22.4
postgresql10-plperl-10.13-4.22.4
postgresql10-plperl-debuginfo-10.13-4.22.4
postgresql10-plpython-10.13-4.22.4
postgresql10-plpython-debuginfo-10.13-4.22.4
postgresql10-pltcl-10.13-4.22.4
postgresql10-pltcl-debuginfo-10.13-4.22.4
postgresql10-server-10.13-4.22.4
postgresql10-server-debuginfo-10.13-4.22.4

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):

postgresql-12.0.1-8.14.1
postgresql-contrib-12.0.1-8.14.1
postgresql-devel-12.0.1-8.14.1
postgresql-docs-12.0.1-8.14.1
postgresql-plperl-12.0.1-8.14.1
postgresql-plpython-12.0.1-8.14.1
postgresql-pltcl-12.0.1-8.14.1
postgresql-server-12.0.1-8.14.1
postgresql10-docs-10.13-4.22.4

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

libpq5-32bit-10.13-4.22.4
libpq5-32bit-debuginfo-10.13-4.22.4


References:

https://www.suse.com/security/cve/CVE-2020-1720.html
https://bugzilla.suse.com/1148643
https://bugzilla.suse.com/1163985
https://bugzilla.suse.com/1171924

_______________________________________________
sle-security-updates mailing list
sle-security-updates@lists.suse.com
http://lists.suse.com/mailman/listinfo/sle-security-updates
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung