Security update for postgresql12 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0423-1 Final 1 1 2021-03-16T17:07:29Z current 2021-03-16T17:07:29Z 2021-03-16T17:07:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql12 This update for postgresql12 fixes the following issues: Upgrade to version 12.6: - Reindexing might be needed after applying this update. - CVE-2021-3393, bsc#1182040: Fix information leakage in constraint-violation error messages. This update was imported from the SUSE:SLE-15-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-423 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IILVBEHTY5E5NJCJLBHIW7MZUDL25BDR/ E-Mail link for openSUSE-SU-2021:0423-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1179765 SUSE Bug 1179765 https://bugzilla.suse.com/1182040 SUSE Bug 1182040 https://www.suse.com/security/cve/CVE-2021-3393/ SUSE CVE CVE-2021-3393 page openSUSE Leap 15.2 libecpg6-12.6-lp152.3.16.1 libecpg6-32bit-12.6-lp152.3.16.1 libpq5-12.6-lp152.3.16.1 libpq5-32bit-12.6-lp152.3.16.1 postgresql12-12.6-lp152.3.16.1 postgresql12-contrib-12.6-lp152.3.16.1 postgresql12-devel-12.6-lp152.3.16.1 postgresql12-docs-12.6-lp152.3.16.1 postgresql12-llvmjit-12.6-lp152.3.16.1 postgresql12-plperl-12.6-lp152.3.16.1 postgresql12-plpython-12.6-lp152.3.16.1 postgresql12-pltcl-12.6-lp152.3.16.1 postgresql12-server-12.6-lp152.3.16.1 postgresql12-server-devel-12.6-lp152.3.16.1 postgresql12-test-12.6-lp152.3.16.1 libecpg6-12.6-lp152.3.16.1 as a component of openSUSE Leap 15.2 libecpg6-32bit-12.6-lp152.3.16.1 as a component of openSUSE Leap 15.2 libpq5-12.6-lp152.3.16.1 as a component of openSUSE Leap 15.2 libpq5-32bit-12.6-lp152.3.16.1 as a component of openSUSE Leap 15.2 postgresql12-12.6-lp152.3.16.1 as a component of openSUSE Leap 15.2 postgresql12-contrib-12.6-lp152.3.16.1 as a component of openSUSE Leap 15.2 postgresql12-devel-12.6-lp152.3.16.1 as a component of openSUSE Leap 15.2 postgresql12-docs-12.6-lp152.3.16.1 as a component of openSUSE Leap 15.2 postgresql12-llvmjit-12.6-lp152.3.16.1 as a component of openSUSE Leap 15.2 postgresql12-plperl-12.6-lp152.3.16.1 as a component of openSUSE Leap 15.2 postgresql12-plpython-12.6-lp152.3.16.1 as a component of openSUSE Leap 15.2 postgresql12-pltcl-12.6-lp152.3.16.1 as a component of openSUSE Leap 15.2 postgresql12-server-12.6-lp152.3.16.1 as a component of openSUSE Leap 15.2 postgresql12-server-devel-12.6-lp152.3.16.1 as a component of openSUSE Leap 15.2 postgresql12-test-12.6-lp152.3.16.1 as a component of openSUSE Leap 15.2 An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read. CVE-2021-3393 openSUSE Leap 15.2:libecpg6-12.6-lp152.3.16.1 openSUSE Leap 15.2:libecpg6-32bit-12.6-lp152.3.16.1 openSUSE Leap 15.2:libpq5-12.6-lp152.3.16.1 openSUSE Leap 15.2:libpq5-32bit-12.6-lp152.3.16.1 openSUSE Leap 15.2:postgresql12-12.6-lp152.3.16.1 openSUSE Leap 15.2:postgresql12-contrib-12.6-lp152.3.16.1 openSUSE Leap 15.2:postgresql12-devel-12.6-lp152.3.16.1 openSUSE Leap 15.2:postgresql12-docs-12.6-lp152.3.16.1 openSUSE Leap 15.2:postgresql12-llvmjit-12.6-lp152.3.16.1 openSUSE Leap 15.2:postgresql12-plperl-12.6-lp152.3.16.1 openSUSE Leap 15.2:postgresql12-plpython-12.6-lp152.3.16.1 openSUSE Leap 15.2:postgresql12-pltcl-12.6-lp152.3.16.1 openSUSE Leap 15.2:postgresql12-server-12.6-lp152.3.16.1 openSUSE Leap 15.2:postgresql12-server-devel-12.6-lp152.3.16.1 openSUSE Leap 15.2:postgresql12-test-12.6-lp152.3.16.1 low 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IILVBEHTY5E5NJCJLBHIW7MZUDL25BDR/ https://www.suse.com/security/cve/CVE-2021-3393.html CVE-2021-3393 https://bugzilla.suse.com/1182040 SUSE Bug 1182040