SUSE: OPENSUSE-SU-2020:1227-1
Published: Aug 17, 2020

Security update for postgresql96, postgresql10 and postgresql12 (moderate)

Source: lists.opensuse.org

CVSS3: 9.1 High

  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVSS2: 6.5 Medium

  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

An update that solves 7 vulnerabilities and has two fixes
is now available.

Description:

This update for postgresql96, postgresql10 and postgresql12 fixes the
following issues:

postgresql10 was updated to 10.13 (bsc#1171924).

https://www.postgresql.org/about/news/2038/

https://www.postgresql.org/docs/10/release-10-13.html

postgresql10 was updated to 10.12 (CVE-2020-1720, bsc#1163985)

postgresql10 was updated to 10.11:

postgresql12 was updated to 12.3 (bsc#1171924).

Bug Fixes and Improvements:

  • Several fixes for GENERATED columns, including an issue where it was
    possible to crash or corrupt data in a table when the output of the
    generated column was the exact copy of a physical column on the table,
    e.g. if the expression called a function which could return its own
    input.
  • Several fixes for ALTER TABLE, including ensuring the SET STORAGE
    directive is propagated to a table’s indexes.
  • Fix a potential race condition when using DROP OWNED BY while another
    session is deleting the same objects.
  • Allow for a partition to be detached when it has inherited ROW triggers.
  • Several fixes for REINDEX CONCURRENTLY, particularly with issues when a
    REINDEX CONCURRENTLY operation fails.
  • Fix crash when COLLATE is applied to an uncollatable type in a partition
    bound expression.
  • Fix performance regression in floating point overflow/underflow
    detection.
  • Several fixes for full text search, particularly with phrase searching.
  • Fix query-lifespan memory leak for a set-returning function used in a
    query’s FROM clause.
  • Several reporting fixes for the output of VACUUM VERBOSE.
  • Allow input of type circle to accept the format (x,y),r, which is
    specified in the documentation.
  • Allow for the get_bit() and set_bit() functions to not fail on bytea
    strings longer than 256MB.
  • Avoid premature recycling of WAL segments during crash recovery, which
    could lead to WAL segments being recycled before being archived.
  • Avoid attempting to fetch nonexistent WAL files from archive storage
    during recovery by skipping irrelevant timelines.
  • Several fixes for logical replication and replication slots.
  • Fix several race conditions in synchronous standby management, including
    one that occurred when changing the synchronous_standby_names setting.
  • Several fixes for GSSAPI support, including a fix for a memory leak that
    occurred when using GSSAPI encryption.
  • Ensure that members of the pg_read_all_stats role can read all
    statistics views.
  • Fix performance regression in information_schema.triggers view.
  • Fix memory leak in libpq when using sslmode=verify-full.
  • Fix crash in psql when attempting to re-establish a failed connection.
  • Allow tab-completion of the filename argument to \gx command in psql.
  • Add pg_dump support for ALTER … DEPENDS ON EXTENSION.
  • Several other fixes for pg_dump, which include dumping comments on RLS
    policies and postponing restore of event triggers until the end.
  • Ensure pg_basebackup generates valid tar files.
  • pg_checksums skips tablespace subdirectories that belong to a different
    PostgreSQL major version.
  • Several Windows compatibility fixes.

This update also contains timezone tzdata release 2020a for DST law
changes in Morocco and the Canadian Yukon, plus historical corrections for
Shanghai. The America/Godthab zone has been renamed to America/Nuuk to
reflect current English usage; however, the old name remains available as
a compatibility link. This also updates initdb’s list of known Windows
time zone names to include recent additions.

For more details, check out:

Other fixes:

  • Let postgresqlXX conflict with postgresql-noarch < 12.0.1 to get a clean
    and complete cutover to the new packaging schema.

postgresql96 was updated to 9.6.19:

 * CVE-2020-14350, boo#1175194: Make contrib modules' installation
   scripts more secure.
 * https://www.postgresql.org/docs/9.6/release-9-6-19.html

This update was imported from the SUSE:SLE-15-SP1:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.1:

    zypper in -t patch openSUSE-2020-1227=1
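
To confirm that a host has reached the fixed versions this advisory names (9.6.19, 10.13 and 12.3), the following added example, which is not part of the advisory, filters an `rpm` package listing. The function names and the sample package list are constructed for illustration, and only the upstream version field is compared.

```sh
#!/bin/sh
# Added example (not from the advisory): list installed postgresql packages
# that are still below the fixed versions the advisory names.

# Fixed upstream version per package family, taken from the advisory text.
fixed_version() {
    case "$1" in
        postgresql96*) echo 9.6.19 ;;
        postgresql10*) echo 10.13 ;;
        postgresql12*) echo 12.3 ;;
        *) return 1 ;;   # not covered by this advisory
    esac
}

# version_lt A B: succeeds when A is strictly older than B (needs sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Reads "name version" lines on stdin, prints one line per outdated package.
outdated_packages() {
    while read -r name ver; do
        want=$(fixed_version "$name") || continue
        if version_lt "$ver" "$want"; then
            echo "$name $ver < $want"
        fi
    done
    return 0
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}\n'` output.
SAMPLE='postgresql10 10.11
postgresql10-server 10.13
postgresql12 12.2
postgresql96 9.6.19
zlib 1.2.11'

printf '%s\n' "$SAMPLE" | outdated_packages

# On a real host:
#   rpm -qa --qf '%{NAME} %{VERSION}\n' 'postgresql*' | outdated_packages
```

An empty result on a real host means every installed postgresql96, postgresql10 and postgresql12 package is at or above the version listed in the advisory.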

OS             OS version  Architecture  Filename
openSUSE Leap  15.1        i586          .i586.rpm
openSUSE Leap  15.1        x86_64        .x86_64.rpm
openSUSE Leap  15.1        noarch        .noarch.rpm
