postgresql-jdbc-42.2.25-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12126-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z postgresql-jdbc-42.2.25-2.1 on GA media These are all security issues fixed in the postgresql-jdbc-42.2.25-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12126 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-26520/ SUSE CVE CVE-2022-26520 page openSUSE Tumbleweed postgresql-jdbc-42.2.25-2.1 postgresql-jdbc-javadoc-42.2.25-2.1 postgresql-jdbc-42.2.25-2.1 as a component of openSUSE Tumbleweed postgresql-jdbc-javadoc-42.2.25-2.1 as a component of openSUSE Tumbleweed ** DISPUTED ** In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties. CVE-2022-26520 openSUSE Tumbleweed:postgresql-jdbc-42.2.25-2.1 openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.2.25-2.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-26520.html CVE-2022-26520 https://bugzilla.suse.com/1197356 SUSE Bug 1197356