Security update for postgresql96 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:3425-1 Final 1 1 2017-12-22T15:52:38Z current 2017-12-22T15:52:38Z 2017-12-22T15:52:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql96 This update for postgresql96 fixes the following issues: Security issues fixed: - CVE-2017-15098: Fix crash due to rowtype mismatch in json{b}_populate_recordset() (bsc#1067844). - CVE-2017-15099: Ensure that INSERT ... ON CONFLICT DO UPDATE checks table permissions and RLS policies in all cases (bsc#1067841). Bug fixes: - Update to version 9.6.6: * https://www.postgresql.org/docs/9.6/static/release-9-6-6.html * https://www.postgresql.org/docs/9.6/static/release-9-6-5.html This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-12/msg00099.html E-Mail link for openSUSE-SU-2017:3425-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 libecpg6-9.6.6-9.1 libecpg6-32bit-9.6.6-9.1 libpq5-9.6.6-9.1 libpq5-32bit-9.6.6-9.1 postgresql96-9.6.6-9.1 postgresql96-contrib-9.6.6-9.1 postgresql96-devel-9.6.6-9.1 postgresql96-docs-9.6.6-9.1 postgresql96-libs-9.6.6-9.1 postgresql96-plperl-9.6.6-9.1 postgresql96-plpython-9.6.6-9.1 postgresql96-pltcl-9.6.6-9.1 postgresql96-server-9.6.6-9.1 postgresql96-test-9.6.6-9.1 libecpg6-9.6.6-9.1 as a component of openSUSE Leap 42.2 libecpg6-32bit-9.6.6-9.1 as a component of openSUSE Leap 42.2 libpq5-9.6.6-9.1 as a component of openSUSE Leap 42.2 libpq5-32bit-9.6.6-9.1 as a component of openSUSE Leap 42.2 postgresql96-9.6.6-9.1 as a component of openSUSE Leap 42.2 postgresql96-contrib-9.6.6-9.1 as a component of openSUSE Leap 42.2 postgresql96-devel-9.6.6-9.1 as a component of openSUSE Leap 42.2 postgresql96-docs-9.6.6-9.1 as a component of openSUSE Leap 42.2 postgresql96-libs-9.6.6-9.1 as a component of openSUSE Leap 42.2 postgresql96-plperl-9.6.6-9.1 as a component of openSUSE Leap 42.2 postgresql96-plpython-9.6.6-9.1 as a component of openSUSE Leap 42.2 postgresql96-pltcl-9.6.6-9.1 as a component of openSUSE Leap 42.2 postgresql96-server-9.6.6-9.1 as a component of openSUSE Leap 42.2 postgresql96-test-9.6.6-9.1 as a component of openSUSE Leap 42.2 libecpg6-9.6.6-9.1 as a component of openSUSE Leap 42.3 libecpg6-32bit-9.6.6-9.1 as a component of openSUSE Leap 42.3 libpq5-9.6.6-9.1 as a component of openSUSE Leap 42.3 libpq5-32bit-9.6.6-9.1 as a component of openSUSE Leap 42.3 postgresql96-9.6.6-9.1 as a component of openSUSE Leap 42.3 postgresql96-contrib-9.6.6-9.1 as a component of openSUSE Leap 42.3 postgresql96-devel-9.6.6-9.1 as a component of openSUSE Leap 42.3 postgresql96-docs-9.6.6-9.1 as a component of openSUSE Leap 42.3 postgresql96-libs-9.6.6-9.1 as a component of openSUSE Leap 42.3 postgresql96-plperl-9.6.6-9.1 as a component of openSUSE Leap 42.3 postgresql96-plpython-9.6.6-9.1 as a component of openSUSE Leap 42.3 postgresql96-pltcl-9.6.6-9.1 as a component of openSUSE Leap 42.3 postgresql96-server-9.6.6-9.1 as a component of openSUSE Leap 42.3 postgresql96-test-9.6.6-9.1 as a component of openSUSE Leap 42.3 Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory. CVE-2017-15098 openSUSE Leap 42.2:libecpg6-32bit-9.6.6-9.1 openSUSE Leap 42.2:libecpg6-9.6.6-9.1 openSUSE Leap 42.2:libpq5-32bit-9.6.6-9.1 openSUSE Leap 42.2:libpq5-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-contrib-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-devel-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-docs-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-libs-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-plperl-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-plpython-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-pltcl-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-server-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-test-9.6.6-9.1 openSUSE Leap 42.3:libecpg6-32bit-9.6.6-9.1 openSUSE Leap 42.3:libecpg6-9.6.6-9.1 openSUSE Leap 42.3:libpq5-32bit-9.6.6-9.1 openSUSE Leap 42.3:libpq5-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-contrib-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-devel-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-docs-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-libs-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-plperl-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-plpython-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-pltcl-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-server-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-test-9.6.6-9.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-12/msg00099.html https://www.suse.com/security/cve/CVE-2017-15098.html CVE-2017-15098 https://bugzilla.suse.com/1067844 SUSE Bug 1067844 INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege. CVE-2017-15099 openSUSE Leap 42.2:libecpg6-32bit-9.6.6-9.1 openSUSE Leap 42.2:libecpg6-9.6.6-9.1 openSUSE Leap 42.2:libpq5-32bit-9.6.6-9.1 openSUSE Leap 42.2:libpq5-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-contrib-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-devel-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-docs-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-libs-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-plperl-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-plpython-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-pltcl-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-server-9.6.6-9.1 openSUSE Leap 42.2:postgresql96-test-9.6.6-9.1 openSUSE Leap 42.3:libecpg6-32bit-9.6.6-9.1 openSUSE Leap 42.3:libecpg6-9.6.6-9.1 openSUSE Leap 42.3:libpq5-32bit-9.6.6-9.1 openSUSE Leap 42.3:libpq5-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-contrib-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-devel-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-docs-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-libs-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-plperl-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-plpython-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-pltcl-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-server-9.6.6-9.1 openSUSE Leap 42.3:postgresql96-test-9.6.6-9.1 moderate 4.3 AV:L/AC:L/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-12/msg00099.html https://www.suse.com/security/cve/CVE-2017-15099.html CVE-2017-15099 https://bugzilla.suse.com/1067841 SUSE Bug 1067841