Security update for postgresql12 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:2200-1 Final 1 1 2023-05-15T10:13:48Z current 2023-05-15T10:13:48Z 2023-05-15T10:13:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql12 This update for postgresql12 fixes the following issues: Updated to version 12.15: - CVE-2023-2454: Fixed an issue where a user having permission to create a schema could hijack the privileges of a security definer function or extension script (bsc#1211228). - CVE-2023-2455: Fixed an issue that could allow a user to see or modify rows that should have been invisible (bsc#1211229). - Internal fixes (bsc#1210303). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-2200,SUSE-SLE-SDK-12-SP5-2023-2200,SUSE-SLE-SERVER-12-SP5-2023-2200 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20232200-1/ Link for SUSE-SU-2023:2200-1 https://lists.suse.com/pipermail/sle-updates/2023-May/029402.html E-Mail link for SUSE-SU-2023:2200-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1210303 SUSE Bug 1210303 https://bugzilla.suse.com/1211228 SUSE Bug 1211228 https://bugzilla.suse.com/1211229 SUSE Bug 1211229 https://www.suse.com/security/cve/CVE-2023-2454/ SUSE CVE CVE-2023-2454 page https://www.suse.com/security/cve/CVE-2023-2455/ SUSE CVE CVE-2023-2455 page SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 postgresql12-12.15-3.39.1 postgresql12-contrib-12.15-3.39.1 postgresql12-devel-12.15-3.39.1 postgresql12-docs-12.15-3.39.1 postgresql12-llvmjit-devel-12.15-3.39.1 postgresql12-plperl-12.15-3.39.1 postgresql12-plpython-12.15-3.39.1 postgresql12-pltcl-12.15-3.39.1 postgresql12-server-12.15-3.39.1 postgresql12-server-devel-12.15-3.39.1 postgresql12-test-12.15-3.39.1 postgresql12-12.15-3.39.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql12-contrib-12.15-3.39.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql12-docs-12.15-3.39.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql12-plperl-12.15-3.39.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql12-plpython-12.15-3.39.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql12-pltcl-12.15-3.39.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql12-server-12.15-3.39.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql12-12.15-3.39.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql12-contrib-12.15-3.39.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql12-docs-12.15-3.39.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql12-plperl-12.15-3.39.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql12-plpython-12.15-3.39.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql12-pltcl-12.15-3.39.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql12-server-12.15-3.39.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql12-devel-12.15-3.39.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 postgresql12-server-devel-12.15-3.39.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code. CVE-2023-2454 SUSE Linux Enterprise Server 12 SP5:postgresql12-12.15-3.39.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-contrib-12.15-3.39.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-docs-12.15-3.39.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-plperl-12.15-3.39.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-plpython-12.15-3.39.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-pltcl-12.15-3.39.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-server-12.15-3.39.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-12.15-3.39.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-contrib-12.15-3.39.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-docs-12.15-3.39.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-plperl-12.15-3.39.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-plpython-12.15-3.39.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-pltcl-12.15-3.39.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-server-12.15-3.39.1 SUSE Linux Enterprise Software Development Kit 12 SP5:postgresql12-devel-12.15-3.39.1 SUSE Linux Enterprise Software Development Kit 12 SP5:postgresql12-server-devel-12.15-3.39.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232200-1/ https://www.suse.com/security/cve/CVE-2023-2454.html CVE-2023-2454 https://bugzilla.suse.com/1211228 SUSE Bug 1211228 Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. CVE-2023-2455 SUSE Linux Enterprise Server 12 SP5:postgresql12-12.15-3.39.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-contrib-12.15-3.39.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-docs-12.15-3.39.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-plperl-12.15-3.39.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-plpython-12.15-3.39.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-pltcl-12.15-3.39.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-server-12.15-3.39.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-12.15-3.39.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-contrib-12.15-3.39.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-docs-12.15-3.39.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-plperl-12.15-3.39.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-plpython-12.15-3.39.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-pltcl-12.15-3.39.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-server-12.15-3.39.1 SUSE Linux Enterprise Software Development Kit 12 SP5:postgresql12-devel-12.15-3.39.1 SUSE Linux Enterprise Software Development Kit 12 SP5:postgresql12-server-devel-12.15-3.39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232200-1/ https://www.suse.com/security/cve/CVE-2023-2455.html CVE-2023-2455 https://bugzilla.suse.com/1211229 SUSE Bug 1211229