Security update for postgresql93
SUSE Patch
security@suse.de
SUSE Security Team
openSUSE-SU-2016:2425-1
Final
1
1
2016-09-30T13:09:17Z
current
2016-09-30T13:09:17Z
2016-09-30T13:09:17Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for postgresql93
The PostgreSQL server postgresql93 was updated to 9.3.14, which fixes the following issues:
Update to version 9.3.14:
* Fix possible mis-evaluation of nested CASE-WHEN expressions
(CVE-2016-5423, boo#993454)
* Fix client programs' handling of special characters in database
and role names (CVE-2016-5424, boo#993453)
* Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied
to nested composite values
* Make the inet and cidr data types properly reject IPv6
addresses with too many colon-separated fields
* Prevent crash in close_ps() (the point ## lseg operator) for
NaN input coordinates
* Fix several one-byte buffer over-reads in to_number()
* Avoid unsafe intermediate state during expensive paths through
heap_update()
* For the other bug fixes, see the release notes:
https://www.postgresql.org/docs/9.3/static/release-9-3-14.html
Update to version 9.3.13:
This update fixes several problems which caused downtime for
users, including:
- Clearing the OpenSSL error queue before OpenSSL calls,
preventing errors in SSL connections, particularly when using
the Python, Ruby or PHP OpenSSL wrappers
- Fixed the "failed to build N-way joins" planner error
- Fixed incorrect handling of equivalence in multilevel nestloop
query plans, which could emit rows which didn't match the WHERE
clause.
- Prevented two memory leaks when using GIN indexes, including a
potential index corruption risk.
The release also includes many other bug fixes for reported
issues, many of which affect all supported versions:
- Fix corner-case parser failures occurring when
operator_precedence_warning is turned on
- Prevent possible misbehavior of TH, th, and Y,YYY format codes
in to_timestamp()
- Correct dumping of VIEWs and RULEs which use ANY (array) in a
subselect
- Disallow newlines in ALTER SYSTEM parameter values
- Avoid possible misbehavior after failing to remove a tablespace
symlink
- Fix crash in logical decoding on alignment-picky platforms
- Avoid repeated requests for feedback from receiver while
shutting down walsender
- Multiple fixes for pg_upgrade
- Support building with Visual Studio 2015
- This update also contains tzdata release 2016d, with updates
for Russia, Venezuela, Kirov, and Tomsk.
http://www.postgresql.org/docs/current/static/release-9-3-13.html
Update to version 9.3.12:
- Fix two bugs in indexed ROW() comparisons
- Avoid data loss due to renaming files
- Prevent an error in rechecking rows in SELECT FOR UPDATE/SHARE
- Fix bugs in multiple json_ and jsonb_ functions
- Log lock waits for INSERT ON CONFLICT correctly
- Ignore recovery_min_apply_delay until reaching a consistent
state
- Fix issue with pg_subtrans XID wraparound
- Fix assorted bugs in Logical Decoding
- Fix planner error with nested security barrier views
- Prevent memory leak in GIN indexes
- Fix two issues with ispell dictionaries
- Avoid a crash on old Windows versions
- Skip creating an erroneous delete script in pg_upgrade
- Correctly translate empty arrays into PL/Perl
- Make PL/Python cope with identifier names
For the full release notes, see:
http://www.postgresql.org/docs/9.4/static/release-9-3-12.html
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00037.html
E-Mail link for openSUSE-SU-2016:2425-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
openSUSE 13.2
libecpg6-9.3.14-2.13.1
libecpg6-32bit-9.3.14-2.13.1
libecpg6-debuginfo-9.3.14-2.13.1
libecpg6-debuginfo-32bit-9.3.14-2.13.1
libpq5-9.3.14-2.13.1
libpq5-32bit-9.3.14-2.13.1
libpq5-debuginfo-9.3.14-2.13.1
libpq5-debuginfo-32bit-9.3.14-2.13.1
postgresql93-9.3.14-2.13.1
postgresql93-contrib-9.3.14-2.13.1
postgresql93-contrib-debuginfo-9.3.14-2.13.1
postgresql93-debuginfo-9.3.14-2.13.1
postgresql93-debugsource-9.3.14-2.13.1
postgresql93-devel-9.3.14-2.13.1
postgresql93-devel-debuginfo-9.3.14-2.13.1
postgresql93-docs-9.3.14-2.13.1
postgresql93-libs-9.3.14-2.13.1
postgresql93-libs-debugsource-9.3.14-2.13.1
postgresql93-plperl-9.3.14-2.13.1
postgresql93-plperl-debuginfo-9.3.14-2.13.1
postgresql93-plpython-9.3.14-2.13.1
postgresql93-plpython-debuginfo-9.3.14-2.13.1
postgresql93-pltcl-9.3.14-2.13.1
postgresql93-pltcl-debuginfo-9.3.14-2.13.1
postgresql93-server-9.3.14-2.13.1
postgresql93-server-debuginfo-9.3.14-2.13.1
postgresql93-test-9.3.14-2.13.1
PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types.
CVE-2016-5423
openSUSE 13.2:libecpg6-32bit-9.3.14-2.13.1
openSUSE 13.2:libecpg6-9.3.14-2.13.1
openSUSE 13.2:libecpg6-debuginfo-32bit-9.3.14-2.13.1
openSUSE 13.2:libecpg6-debuginfo-9.3.14-2.13.1
openSUSE 13.2:libpq5-32bit-9.3.14-2.13.1
openSUSE 13.2:libpq5-9.3.14-2.13.1
openSUSE 13.2:libpq5-debuginfo-32bit-9.3.14-2.13.1
openSUSE 13.2:libpq5-debuginfo-9.3.14-2.13.1
openSUSE 13.2:postgresql93-9.3.14-2.13.1
openSUSE 13.2:postgresql93-contrib-9.3.14-2.13.1
openSUSE 13.2:postgresql93-contrib-debuginfo-9.3.14-2.13.1
openSUSE 13.2:postgresql93-debuginfo-9.3.14-2.13.1
openSUSE 13.2:postgresql93-debugsource-9.3.14-2.13.1
openSUSE 13.2:postgresql93-devel-9.3.14-2.13.1
openSUSE 13.2:postgresql93-devel-debuginfo-9.3.14-2.13.1
openSUSE 13.2:postgresql93-docs-9.3.14-2.13.1
openSUSE 13.2:postgresql93-libs-9.3.14-2.13.1
openSUSE 13.2:postgresql93-libs-debugsource-9.3.14-2.13.1
openSUSE 13.2:postgresql93-plperl-9.3.14-2.13.1
openSUSE 13.2:postgresql93-plperl-debuginfo-9.3.14-2.13.1
openSUSE 13.2:postgresql93-plpython-9.3.14-2.13.1
openSUSE 13.2:postgresql93-plpython-debuginfo-9.3.14-2.13.1
openSUSE 13.2:postgresql93-pltcl-9.3.14-2.13.1
openSUSE 13.2:postgresql93-pltcl-debuginfo-9.3.14-2.13.1
openSUSE 13.2:postgresql93-server-9.3.14-2.13.1
openSUSE 13.2:postgresql93-server-debuginfo-9.3.14-2.13.1
openSUSE 13.2:postgresql93-test-9.3.14-2.13.1
important
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
Please install the update.
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00037.html
https://www.suse.com/security/cve/CVE-2016-5423.html
CVE-2016-5423
https://bugzilla.suse.com/1041981
SUSE Bug 1041981
https://bugzilla.suse.com/1042497
SUSE Bug 1042497
https://bugzilla.suse.com/993454
SUSE Bug 993454
PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation.
CVE-2016-5424
openSUSE 13.2:libecpg6-32bit-9.3.14-2.13.1
openSUSE 13.2:libecpg6-9.3.14-2.13.1
openSUSE 13.2:libecpg6-debuginfo-32bit-9.3.14-2.13.1
openSUSE 13.2:libecpg6-debuginfo-9.3.14-2.13.1
openSUSE 13.2:libpq5-32bit-9.3.14-2.13.1
openSUSE 13.2:libpq5-9.3.14-2.13.1
openSUSE 13.2:libpq5-debuginfo-32bit-9.3.14-2.13.1
openSUSE 13.2:libpq5-debuginfo-9.3.14-2.13.1
openSUSE 13.2:postgresql93-9.3.14-2.13.1
openSUSE 13.2:postgresql93-contrib-9.3.14-2.13.1
openSUSE 13.2:postgresql93-contrib-debuginfo-9.3.14-2.13.1
openSUSE 13.2:postgresql93-debuginfo-9.3.14-2.13.1
openSUSE 13.2:postgresql93-debugsource-9.3.14-2.13.1
openSUSE 13.2:postgresql93-devel-9.3.14-2.13.1
openSUSE 13.2:postgresql93-devel-debuginfo-9.3.14-2.13.1
openSUSE 13.2:postgresql93-docs-9.3.14-2.13.1
openSUSE 13.2:postgresql93-libs-9.3.14-2.13.1
openSUSE 13.2:postgresql93-libs-debugsource-9.3.14-2.13.1
openSUSE 13.2:postgresql93-plperl-9.3.14-2.13.1
openSUSE 13.2:postgresql93-plperl-debuginfo-9.3.14-2.13.1
openSUSE 13.2:postgresql93-plpython-9.3.14-2.13.1
openSUSE 13.2:postgresql93-plpython-debuginfo-9.3.14-2.13.1
openSUSE 13.2:postgresql93-pltcl-9.3.14-2.13.1
openSUSE 13.2:postgresql93-pltcl-debuginfo-9.3.14-2.13.1
openSUSE 13.2:postgresql93-server-9.3.14-2.13.1
openSUSE 13.2:postgresql93-server-debuginfo-9.3.14-2.13.1
openSUSE 13.2:postgresql93-test-9.3.14-2.13.1
important
6.5
AV:L/AC:M/Au:S/C:C/I:C/A:C
Please install the update.
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00037.html
https://www.suse.com/security/cve/CVE-2016-5424.html
CVE-2016-5424
https://bugzilla.suse.com/1041981
SUSE Bug 1041981
https://bugzilla.suse.com/1042497
SUSE Bug 1042497
https://bugzilla.suse.com/993453
SUSE Bug 993453