postgresql12-12.18-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13668 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z postgresql12-12.18-1.1 on GA media These are all security issues fixed in the postgresql12-12.18-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13668 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13668 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-5868/ SUSE CVE CVE-2023-5868 page https://www.suse.com/security/cve/CVE-2023-5869/ SUSE CVE CVE-2023-5869 page https://www.suse.com/security/cve/CVE-2023-5870/ SUSE CVE CVE-2023-5870 page https://www.suse.com/security/cve/CVE-2024-0985/ SUSE CVE CVE-2024-0985 page openSUSE Tumbleweed postgresql12-12.18-1.1 postgresql12-contrib-12.18-1.1 postgresql12-devel-12.18-1.1 postgresql12-docs-12.18-1.1 postgresql12-llvmjit-12.18-1.1 postgresql12-llvmjit-devel-12.18-1.1 postgresql12-plperl-12.18-1.1 postgresql12-plpython-12.18-1.1 postgresql12-pltcl-12.18-1.1 postgresql12-server-12.18-1.1 postgresql12-server-devel-12.18-1.1 postgresql12-test-12.18-1.1 postgresql12-12.18-1.1 as a component of openSUSE Tumbleweed postgresql12-contrib-12.18-1.1 as a component of openSUSE Tumbleweed postgresql12-devel-12.18-1.1 as a component of openSUSE Tumbleweed postgresql12-docs-12.18-1.1 as a component of openSUSE Tumbleweed postgresql12-llvmjit-12.18-1.1 as a component of openSUSE Tumbleweed postgresql12-llvmjit-devel-12.18-1.1 as a component of openSUSE Tumbleweed postgresql12-plperl-12.18-1.1 as a component of openSUSE Tumbleweed postgresql12-plpython-12.18-1.1 as a component of openSUSE Tumbleweed postgresql12-pltcl-12.18-1.1 as a component of openSUSE Tumbleweed postgresql12-server-12.18-1.1 as a component of openSUSE Tumbleweed postgresql12-server-devel-12.18-1.1 as a component of openSUSE Tumbleweed postgresql12-test-12.18-1.1 as a component of openSUSE Tumbleweed A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory. CVE-2023-5868 openSUSE Tumbleweed:postgresql12-12.18-1.1 openSUSE Tumbleweed:postgresql12-contrib-12.18-1.1 openSUSE Tumbleweed:postgresql12-devel-12.18-1.1 openSUSE Tumbleweed:postgresql12-docs-12.18-1.1 openSUSE Tumbleweed:postgresql12-llvmjit-12.18-1.1 openSUSE Tumbleweed:postgresql12-llvmjit-devel-12.18-1.1 openSUSE Tumbleweed:postgresql12-plperl-12.18-1.1 openSUSE Tumbleweed:postgresql12-plpython-12.18-1.1 openSUSE Tumbleweed:postgresql12-pltcl-12.18-1.1 openSUSE Tumbleweed:postgresql12-server-12.18-1.1 openSUSE Tumbleweed:postgresql12-server-devel-12.18-1.1 openSUSE Tumbleweed:postgresql12-test-12.18-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-5868.html CVE-2023-5868 https://bugzilla.suse.com/1216962 SUSE Bug 1216962 A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory. CVE-2023-5869 openSUSE Tumbleweed:postgresql12-12.18-1.1 openSUSE Tumbleweed:postgresql12-contrib-12.18-1.1 openSUSE Tumbleweed:postgresql12-devel-12.18-1.1 openSUSE Tumbleweed:postgresql12-docs-12.18-1.1 openSUSE Tumbleweed:postgresql12-llvmjit-12.18-1.1 openSUSE Tumbleweed:postgresql12-llvmjit-devel-12.18-1.1 openSUSE Tumbleweed:postgresql12-plperl-12.18-1.1 openSUSE Tumbleweed:postgresql12-plpython-12.18-1.1 openSUSE Tumbleweed:postgresql12-pltcl-12.18-1.1 openSUSE Tumbleweed:postgresql12-server-12.18-1.1 openSUSE Tumbleweed:postgresql12-server-devel-12.18-1.1 openSUSE Tumbleweed:postgresql12-test-12.18-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-5869.html CVE-2023-5869 https://bugzilla.suse.com/1216961 SUSE Bug 1216961 A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack. CVE-2023-5870 openSUSE Tumbleweed:postgresql12-12.18-1.1 openSUSE Tumbleweed:postgresql12-contrib-12.18-1.1 openSUSE Tumbleweed:postgresql12-devel-12.18-1.1 openSUSE Tumbleweed:postgresql12-docs-12.18-1.1 openSUSE Tumbleweed:postgresql12-llvmjit-12.18-1.1 openSUSE Tumbleweed:postgresql12-llvmjit-devel-12.18-1.1 openSUSE Tumbleweed:postgresql12-plperl-12.18-1.1 openSUSE Tumbleweed:postgresql12-plpython-12.18-1.1 openSUSE Tumbleweed:postgresql12-pltcl-12.18-1.1 openSUSE Tumbleweed:postgresql12-server-12.18-1.1 openSUSE Tumbleweed:postgresql12-server-devel-12.18-1.1 openSUSE Tumbleweed:postgresql12-test-12.18-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-5870.html CVE-2023-5870 https://bugzilla.suse.com/1216960 SUSE Bug 1216960 Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability. CVE-2024-0985 openSUSE Tumbleweed:postgresql12-12.18-1.1 openSUSE Tumbleweed:postgresql12-contrib-12.18-1.1 openSUSE Tumbleweed:postgresql12-devel-12.18-1.1 openSUSE Tumbleweed:postgresql12-docs-12.18-1.1 openSUSE Tumbleweed:postgresql12-llvmjit-12.18-1.1 openSUSE Tumbleweed:postgresql12-llvmjit-devel-12.18-1.1 openSUSE Tumbleweed:postgresql12-plperl-12.18-1.1 openSUSE Tumbleweed:postgresql12-plpython-12.18-1.1 openSUSE Tumbleweed:postgresql12-pltcl-12.18-1.1 openSUSE Tumbleweed:postgresql12-server-12.18-1.1 openSUSE Tumbleweed:postgresql12-server-devel-12.18-1.1 openSUSE Tumbleweed:postgresql12-test-12.18-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-0985.html CVE-2024-0985 https://bugzilla.suse.com/1219679 SUSE Bug 1219679