Security update for postgresql96 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:1709-1 Final 1 1 2018-06-15T16:35:31Z current 2018-06-15T16:35:31Z 2018-06-15T16:35:31Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql96 PostgreSQL was updated to 9.6.9 fixing bugs and security issues: Release notes: - https://www.postgresql.org/about/news/1851/ - https://www.postgresql.org/docs/current/static/release-9-6-9.html A dump/restore is not required for those running 9.6.X. However, if you use the adminpack extension, you should update it as per the first changelog entry below. Also, if the function marking mistakes mentioned in the second and third changelog entries below affect you, you will want to take steps to correct your database catalogs. Security issue fixed: - CVE-2018-1115: Remove public execute privilege from contrib/adminpack's pg_logfile_rotate() function pg_logfile_rotate() is a deprecated wrapper for the core function pg_rotate_logfile(). When that function was changed to rely on SQL privileges for access control rather than a hard-coded superuser check, pg_logfile_rotate() should have been updated as well, but the need for this was missed. Hence, if adminpack is installed, any user could request a logfile rotation, creating a minor security issue. After installing this update, administrators should update adminpack by performing ALTER EXTENSION adminpack UPDATE in each database in which adminpack is installed. (bsc#1091610) This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00029.html E-Mail link for openSUSE-SU-2018:1709-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 libecpg6-9.6.9-18.1 libecpg6-32bit-9.6.9-18.1 libpq5-9.6.9-18.1 libpq5-32bit-9.6.9-18.1 postgresql96-9.6.9-18.1 postgresql96-contrib-9.6.9-18.1 postgresql96-devel-9.6.9-18.1 postgresql96-docs-9.6.9-18.1 postgresql96-libs-9.6.9-18.1 postgresql96-plperl-9.6.9-18.1 postgresql96-plpython-9.6.9-18.1 postgresql96-pltcl-9.6.9-18.1 postgresql96-server-9.6.9-18.1 postgresql96-test-9.6.9-18.1 libecpg6-9.6.9-18.1 as a component of openSUSE Leap 42.3 libecpg6-32bit-9.6.9-18.1 as a component of openSUSE Leap 42.3 libpq5-9.6.9-18.1 as a component of openSUSE Leap 42.3 libpq5-32bit-9.6.9-18.1 as a component of openSUSE Leap 42.3 postgresql96-9.6.9-18.1 as a component of openSUSE Leap 42.3 postgresql96-contrib-9.6.9-18.1 as a component of openSUSE Leap 42.3 postgresql96-devel-9.6.9-18.1 as a component of openSUSE Leap 42.3 postgresql96-docs-9.6.9-18.1 as a component of openSUSE Leap 42.3 postgresql96-libs-9.6.9-18.1 as a component of openSUSE Leap 42.3 postgresql96-plperl-9.6.9-18.1 as a component of openSUSE Leap 42.3 postgresql96-plpython-9.6.9-18.1 as a component of openSUSE Leap 42.3 postgresql96-pltcl-9.6.9-18.1 as a component of openSUSE Leap 42.3 postgresql96-server-9.6.9-18.1 as a component of openSUSE Leap 42.3 postgresql96-test-9.6.9-18.1 as a component of openSUSE Leap 42.3 postgresql before versions 10.4, 9.6.9 is vulnerable in the adminpack extension, the pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs than pg_rorate_logfile. If the adminpack is added to a database, an attacker able to connect to it could exploit this to force log rotation. CVE-2018-1115 openSUSE Leap 42.3:libecpg6-32bit-9.6.9-18.1 openSUSE Leap 42.3:libecpg6-9.6.9-18.1 openSUSE Leap 42.3:libpq5-32bit-9.6.9-18.1 openSUSE Leap 42.3:libpq5-9.6.9-18.1 openSUSE Leap 42.3:postgresql96-9.6.9-18.1 openSUSE Leap 42.3:postgresql96-contrib-9.6.9-18.1 openSUSE Leap 42.3:postgresql96-devel-9.6.9-18.1 openSUSE Leap 42.3:postgresql96-docs-9.6.9-18.1 openSUSE Leap 42.3:postgresql96-libs-9.6.9-18.1 openSUSE Leap 42.3:postgresql96-plperl-9.6.9-18.1 openSUSE Leap 42.3:postgresql96-plpython-9.6.9-18.1 openSUSE Leap 42.3:postgresql96-pltcl-9.6.9-18.1 openSUSE Leap 42.3:postgresql96-server-9.6.9-18.1 openSUSE Leap 42.3:postgresql96-test-9.6.9-18.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00029.html https://www.suse.com/security/cve/CVE-2018-1115.html CVE-2018-1115 https://bugzilla.suse.com/1091610 SUSE Bug 1091610