postgresql15-15.4-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13243 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z postgresql15-15.4-2.1 on GA media These are all security issues fixed in the postgresql15-15.4-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13243 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13243 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2020-25694/ SUSE CVE CVE-2020-25694 page https://www.suse.com/security/cve/CVE-2020-25695/ SUSE CVE CVE-2020-25695 page https://www.suse.com/security/cve/CVE-2020-25696/ SUSE CVE CVE-2020-25696 page https://www.suse.com/security/cve/CVE-2021-20229/ SUSE CVE CVE-2021-20229 page https://www.suse.com/security/cve/CVE-2021-23214/ SUSE CVE CVE-2021-23214 page https://www.suse.com/security/cve/CVE-2021-23222/ SUSE CVE CVE-2021-23222 page https://www.suse.com/security/cve/CVE-2021-32027/ SUSE CVE CVE-2021-32027 page https://www.suse.com/security/cve/CVE-2021-32028/ SUSE CVE CVE-2021-32028 page https://www.suse.com/security/cve/CVE-2021-32029/ SUSE CVE CVE-2021-32029 page https://www.suse.com/security/cve/CVE-2021-3393/ SUSE CVE CVE-2021-3393 page https://www.suse.com/security/cve/CVE-2022-1552/ SUSE CVE CVE-2022-1552 page openSUSE Tumbleweed postgresql15-15.4-2.1 postgresql15-contrib-15.4-2.1 postgresql15-devel-15.4-2.1 postgresql15-docs-15.4-2.1 postgresql15-llvmjit-15.4-2.1 postgresql15-llvmjit-devel-15.4-2.1 postgresql15-plperl-15.4-2.1 postgresql15-plpython-15.4-2.1 postgresql15-pltcl-15.4-2.1 postgresql15-server-15.4-2.1 postgresql15-server-devel-15.4-2.1 postgresql15-test-15.4-2.1 postgresql15-15.4-2.1 as a component of openSUSE Tumbleweed postgresql15-contrib-15.4-2.1 as a component of openSUSE Tumbleweed postgresql15-devel-15.4-2.1 as a component of openSUSE Tumbleweed postgresql15-docs-15.4-2.1 as a component of openSUSE Tumbleweed postgresql15-llvmjit-15.4-2.1 as a component of openSUSE Tumbleweed postgresql15-llvmjit-devel-15.4-2.1 as a component of openSUSE Tumbleweed postgresql15-plperl-15.4-2.1 as a component of openSUSE Tumbleweed postgresql15-plpython-15.4-2.1 as a component of openSUSE Tumbleweed postgresql15-pltcl-15.4-2.1 as a component of openSUSE Tumbleweed postgresql15-server-15.4-2.1 as a component of openSUSE Tumbleweed postgresql15-server-devel-15.4-2.1 as a component of openSUSE Tumbleweed postgresql15-test-15.4-2.1 as a component of openSUSE Tumbleweed A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVE-2020-25694 openSUSE Tumbleweed:postgresql15-15.4-2.1 openSUSE Tumbleweed:postgresql15-contrib-15.4-2.1 openSUSE Tumbleweed:postgresql15-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-docs-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-plperl-15.4-2.1 openSUSE Tumbleweed:postgresql15-plpython-15.4-2.1 openSUSE Tumbleweed:postgresql15-pltcl-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-test-15.4-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-25694.html CVE-2020-25694 https://bugzilla.suse.com/1178667 SUSE Bug 1178667 https://bugzilla.suse.com/1179870 SUSE Bug 1179870 A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVE-2020-25695 openSUSE Tumbleweed:postgresql15-15.4-2.1 openSUSE Tumbleweed:postgresql15-contrib-15.4-2.1 openSUSE Tumbleweed:postgresql15-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-docs-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-plperl-15.4-2.1 openSUSE Tumbleweed:postgresql15-plpython-15.4-2.1 openSUSE Tumbleweed:postgresql15-pltcl-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-test-15.4-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-25695.html CVE-2020-25695 https://bugzilla.suse.com/1178666 SUSE Bug 1178666 A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVE-2020-25696 openSUSE Tumbleweed:postgresql15-15.4-2.1 openSUSE Tumbleweed:postgresql15-contrib-15.4-2.1 openSUSE Tumbleweed:postgresql15-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-docs-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-plperl-15.4-2.1 openSUSE Tumbleweed:postgresql15-plpython-15.4-2.1 openSUSE Tumbleweed:postgresql15-pltcl-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-test-15.4-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-25696.html CVE-2020-25696 https://bugzilla.suse.com/1178668 SUSE Bug 1178668 https://bugzilla.suse.com/1179870 SUSE Bug 1179870 A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality. CVE-2021-20229 openSUSE Tumbleweed:postgresql15-15.4-2.1 openSUSE Tumbleweed:postgresql15-contrib-15.4-2.1 openSUSE Tumbleweed:postgresql15-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-docs-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-plperl-15.4-2.1 openSUSE Tumbleweed:postgresql15-plpython-15.4-2.1 openSUSE Tumbleweed:postgresql15-pltcl-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-test-15.4-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-20229.html CVE-2021-20229 https://bugzilla.suse.com/1182039 SUSE Bug 1182039 When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. CVE-2021-23214 openSUSE Tumbleweed:postgresql15-15.4-2.1 openSUSE Tumbleweed:postgresql15-contrib-15.4-2.1 openSUSE Tumbleweed:postgresql15-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-docs-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-plperl-15.4-2.1 openSUSE Tumbleweed:postgresql15-plpython-15.4-2.1 openSUSE Tumbleweed:postgresql15-pltcl-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-test-15.4-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23214.html CVE-2021-23214 https://bugzilla.suse.com/1192516 SUSE Bug 1192516 A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. CVE-2021-23222 openSUSE Tumbleweed:postgresql15-15.4-2.1 openSUSE Tumbleweed:postgresql15-contrib-15.4-2.1 openSUSE Tumbleweed:postgresql15-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-docs-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-plperl-15.4-2.1 openSUSE Tumbleweed:postgresql15-plpython-15.4-2.1 openSUSE Tumbleweed:postgresql15-pltcl-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-test-15.4-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23222.html CVE-2021-23222 https://bugzilla.suse.com/1192516 SUSE Bug 1192516 A flaw was found in postgresql in versions before 13.3, before 12.7, before 11.12, before 10.17 and before 9.6.22. While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVE-2021-32027 openSUSE Tumbleweed:postgresql15-15.4-2.1 openSUSE Tumbleweed:postgresql15-contrib-15.4-2.1 openSUSE Tumbleweed:postgresql15-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-docs-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-plperl-15.4-2.1 openSUSE Tumbleweed:postgresql15-plpython-15.4-2.1 openSUSE Tumbleweed:postgresql15-pltcl-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-test-15.4-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-32027.html CVE-2021-32027 https://bugzilla.suse.com/1185924 SUSE Bug 1185924 A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality. CVE-2021-32028 openSUSE Tumbleweed:postgresql15-15.4-2.1 openSUSE Tumbleweed:postgresql15-contrib-15.4-2.1 openSUSE Tumbleweed:postgresql15-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-docs-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-plperl-15.4-2.1 openSUSE Tumbleweed:postgresql15-plpython-15.4-2.1 openSUSE Tumbleweed:postgresql15-pltcl-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-test-15.4-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-32028.html CVE-2021-32028 https://bugzilla.suse.com/1185925 SUSE Bug 1185925 A flaw was found in postgresql. Using an UPDATE ... RETURNING command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality. CVE-2021-32029 openSUSE Tumbleweed:postgresql15-15.4-2.1 openSUSE Tumbleweed:postgresql15-contrib-15.4-2.1 openSUSE Tumbleweed:postgresql15-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-docs-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-plperl-15.4-2.1 openSUSE Tumbleweed:postgresql15-plpython-15.4-2.1 openSUSE Tumbleweed:postgresql15-pltcl-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-test-15.4-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-32029.html CVE-2021-32029 https://bugzilla.suse.com/1185926 SUSE Bug 1185926 An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read. CVE-2021-3393 openSUSE Tumbleweed:postgresql15-15.4-2.1 openSUSE Tumbleweed:postgresql15-contrib-15.4-2.1 openSUSE Tumbleweed:postgresql15-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-docs-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-plperl-15.4-2.1 openSUSE Tumbleweed:postgresql15-plpython-15.4-2.1 openSUSE Tumbleweed:postgresql15-pltcl-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-test-15.4-2.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3393.html CVE-2021-3393 https://bugzilla.suse.com/1182040 SUSE Bug 1182040 A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity. CVE-2022-1552 openSUSE Tumbleweed:postgresql15-15.4-2.1 openSUSE Tumbleweed:postgresql15-contrib-15.4-2.1 openSUSE Tumbleweed:postgresql15-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-docs-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-15.4-2.1 openSUSE Tumbleweed:postgresql15-llvmjit-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-plperl-15.4-2.1 openSUSE Tumbleweed:postgresql15-plpython-15.4-2.1 openSUSE Tumbleweed:postgresql15-pltcl-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-15.4-2.1 openSUSE Tumbleweed:postgresql15-server-devel-15.4-2.1 openSUSE Tumbleweed:postgresql15-test-15.4-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-1552.html CVE-2022-1552 https://bugzilla.suse.com/1199475 SUSE Bug 1199475