Security update for postgresql16 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3159-1 Final 1 1 2024-09-06T10:15:54Z current 2024-09-06T10:15:54Z 2024-09-06T10:15:54Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql16 This update for postgresql16 fixes the following issues: - Upgrade to 16.4 (bsc#1229013) - CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL. (bsc#1229013) - CVE-2024-4317: Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner. See the release notes for the steps that have to be taken to fix existing PostgreSQL instances. (bsc#1224038) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container containers/open-webui:0-2024-3159,Container suse/manager/5.0/x86_64/server-migration-14-16:latest-2024-3159,Container suse/manager/5.0/x86_64/server:latest-2024-3159,Container suse/postgres:16-2024-3159,Container suse/postgres:latest-2024-3159,Image server-image-2024-3159,Image server-migration-14-16-image-2024-3159,SUSE-2024-3159,SUSE-SLE-Module-Basesystem-15-SP6-2024-3159,SUSE-SLE-Module-Server-Applications-15-SP6-2024-3159,openSUSE-SLE-15.6-2024-3159 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243159-1/ Link for SUSE-SU-2024:3159-1 https://lists.suse.com/pipermail/sle-updates/2024-September/036804.html E-Mail link for SUSE-SU-2024:3159-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1224038 SUSE Bug 1224038 https://bugzilla.suse.com/1224051 SUSE Bug 1224051 https://bugzilla.suse.com/1229013 SUSE Bug 1229013 https://www.suse.com/security/cve/CVE-2024-4317/ SUSE CVE CVE-2024-4317 page https://www.suse.com/security/cve/CVE-2024-7348/ SUSE CVE CVE-2024-7348 page Container containers/open-webui:0 Container suse/manager/5.0/x86_64/server-migration-14-16:latest Container suse/manager/5.0/x86_64/server:latest Container suse/postgres:16 Container suse/postgres:latest Image server-image Image server-migration-14-16-image SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise Module for Server Applications 15 SP6 openSUSE Leap 15.6 libpq5-16.4-150600.16.5.1 postgresql16-16.4-150600.16.5.1 postgresql16-contrib-16.4-150600.16.5.1 postgresql16-server-16.4-150600.16.5.1 libecpg6-16.4-150600.16.5.1 libecpg6-32bit-16.4-150600.16.5.1 libecpg6-64bit-16.4-150600.16.5.1 libpq5-32bit-16.4-150600.16.5.1 libpq5-64bit-16.4-150600.16.5.1 postgresql16-devel-16.4-150600.16.5.1 postgresql16-devel-mini-16.4-150600.16.5.1 postgresql16-docs-16.4-150600.16.5.1 postgresql16-llvmjit-16.4-150600.16.5.1 postgresql16-llvmjit-devel-16.4-150600.16.5.1 postgresql16-plperl-16.4-150600.16.5.1 postgresql16-plpython-16.4-150600.16.5.1 postgresql16-pltcl-16.4-150600.16.5.1 postgresql16-server-devel-16.4-150600.16.5.1 postgresql16-test-16.4-150600.16.5.1 libpq5-16.4-150600.16.5.1 as a component of Container containers/open-webui:0 libpq5-16.4-150600.16.5.1 as a component of Container suse/manager/5.0/x86_64/server-migration-14-16:latest postgresql16-16.4-150600.16.5.1 as a component of Container suse/manager/5.0/x86_64/server-migration-14-16:latest postgresql16-contrib-16.4-150600.16.5.1 as a component of Container suse/manager/5.0/x86_64/server-migration-14-16:latest postgresql16-server-16.4-150600.16.5.1 as a component of Container suse/manager/5.0/x86_64/server-migration-14-16:latest libpq5-16.4-150600.16.5.1 as a component of Container suse/manager/5.0/x86_64/server:latest postgresql16-16.4-150600.16.5.1 as a component of Container suse/manager/5.0/x86_64/server:latest postgresql16-contrib-16.4-150600.16.5.1 as a component of Container suse/manager/5.0/x86_64/server:latest postgresql16-server-16.4-150600.16.5.1 as a component of Container suse/manager/5.0/x86_64/server:latest libpq5-16.4-150600.16.5.1 as a component of Container suse/postgres:16 postgresql16-16.4-150600.16.5.1 as a component of Container suse/postgres:16 postgresql16-server-16.4-150600.16.5.1 as a component of Container suse/postgres:16 libpq5-16.4-150600.16.5.1 as a component of Container suse/postgres:latest libpq5-16.4-150600.16.5.1 as a component of Image server-image postgresql16-16.4-150600.16.5.1 as a component of Image server-image postgresql16-contrib-16.4-150600.16.5.1 as a component of Image server-image postgresql16-server-16.4-150600.16.5.1 as a component of Image server-image libpq5-16.4-150600.16.5.1 as a component of Image server-migration-14-16-image postgresql16-16.4-150600.16.5.1 as a component of Image server-migration-14-16-image postgresql16-contrib-16.4-150600.16.5.1 as a component of Image server-migration-14-16-image postgresql16-server-16.4-150600.16.5.1 as a component of Image server-migration-14-16-image libpq5-16.4-150600.16.5.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libpq5-32bit-16.4-150600.16.5.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 postgresql16-16.4-150600.16.5.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libecpg6-16.4-150600.16.5.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP6 postgresql16-contrib-16.4-150600.16.5.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP6 postgresql16-devel-16.4-150600.16.5.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP6 postgresql16-docs-16.4-150600.16.5.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP6 postgresql16-plperl-16.4-150600.16.5.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP6 postgresql16-plpython-16.4-150600.16.5.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP6 postgresql16-pltcl-16.4-150600.16.5.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP6 postgresql16-server-16.4-150600.16.5.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP6 postgresql16-server-devel-16.4-150600.16.5.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP6 libecpg6-16.4-150600.16.5.1 as a component of openSUSE Leap 15.6 libecpg6-32bit-16.4-150600.16.5.1 as a component of openSUSE Leap 15.6 libpq5-16.4-150600.16.5.1 as a component of openSUSE Leap 15.6 libpq5-32bit-16.4-150600.16.5.1 as a component of openSUSE Leap 15.6 postgresql16-16.4-150600.16.5.1 as a component of openSUSE Leap 15.6 postgresql16-contrib-16.4-150600.16.5.1 as a component of openSUSE Leap 15.6 postgresql16-devel-16.4-150600.16.5.1 as a component of openSUSE Leap 15.6 postgresql16-docs-16.4-150600.16.5.1 as a component of openSUSE Leap 15.6 postgresql16-llvmjit-16.4-150600.16.5.1 as a component of openSUSE Leap 15.6 postgresql16-llvmjit-devel-16.4-150600.16.5.1 as a component of openSUSE Leap 15.6 postgresql16-plperl-16.4-150600.16.5.1 as a component of openSUSE Leap 15.6 postgresql16-plpython-16.4-150600.16.5.1 as a component of openSUSE Leap 15.6 postgresql16-pltcl-16.4-150600.16.5.1 as a component of openSUSE Leap 15.6 postgresql16-server-16.4-150600.16.5.1 as a component of openSUSE Leap 15.6 postgresql16-server-devel-16.4-150600.16.5.1 as a component of openSUSE Leap 15.6 postgresql16-test-16.4-150600.16.5.1 as a component of openSUSE Leap 15.6 Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected. CVE-2024-4317 Container containers/open-webui:0:libpq5-16.4-150600.16.5.1 Container suse/manager/5.0/x86_64/server-migration-14-16:latest:libpq5-16.4-150600.16.5.1 Container suse/manager/5.0/x86_64/server-migration-14-16:latest:postgresql16-16.4-150600.16.5.1 Container suse/manager/5.0/x86_64/server-migration-14-16:latest:postgresql16-contrib-16.4-150600.16.5.1 Container suse/manager/5.0/x86_64/server-migration-14-16:latest:postgresql16-server-16.4-150600.16.5.1 Container suse/manager/5.0/x86_64/server:latest:libpq5-16.4-150600.16.5.1 Container suse/manager/5.0/x86_64/server:latest:postgresql16-16.4-150600.16.5.1 Container suse/manager/5.0/x86_64/server:latest:postgresql16-contrib-16.4-150600.16.5.1 Container suse/manager/5.0/x86_64/server:latest:postgresql16-server-16.4-150600.16.5.1 Container suse/postgres:16:libpq5-16.4-150600.16.5.1 Container suse/postgres:16:postgresql16-16.4-150600.16.5.1 Container suse/postgres:16:postgresql16-server-16.4-150600.16.5.1 Container suse/postgres:latest:libpq5-16.4-150600.16.5.1 Image server-image:libpq5-16.4-150600.16.5.1 Image server-image:postgresql16-16.4-150600.16.5.1 Image server-image:postgresql16-contrib-16.4-150600.16.5.1 Image server-image:postgresql16-server-16.4-150600.16.5.1 Image server-migration-14-16-image:libpq5-16.4-150600.16.5.1 Image server-migration-14-16-image:postgresql16-16.4-150600.16.5.1 Image server-migration-14-16-image:postgresql16-contrib-16.4-150600.16.5.1 Image server-migration-14-16-image:postgresql16-server-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libpq5-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libpq5-32bit-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:postgresql16-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:libecpg6-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:postgresql16-contrib-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:postgresql16-devel-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:postgresql16-docs-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:postgresql16-plperl-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:postgresql16-plpython-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:postgresql16-pltcl-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:postgresql16-server-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:postgresql16-server-devel-16.4-150600.16.5.1 openSUSE Leap 15.6:libecpg6-16.4-150600.16.5.1 openSUSE Leap 15.6:libecpg6-32bit-16.4-150600.16.5.1 openSUSE Leap 15.6:libpq5-16.4-150600.16.5.1 openSUSE Leap 15.6:libpq5-32bit-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-contrib-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-devel-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-docs-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-llvmjit-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-llvmjit-devel-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-plperl-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-plpython-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-pltcl-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-server-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-server-devel-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-test-16.4-150600.16.5.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243159-1/ https://www.suse.com/security/cve/CVE-2024-4317.html CVE-2024-4317 https://bugzilla.suse.com/1224038 SUSE Bug 1224038 Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected. CVE-2024-7348 Container containers/open-webui:0:libpq5-16.4-150600.16.5.1 Container suse/manager/5.0/x86_64/server-migration-14-16:latest:libpq5-16.4-150600.16.5.1 Container suse/manager/5.0/x86_64/server-migration-14-16:latest:postgresql16-16.4-150600.16.5.1 Container suse/manager/5.0/x86_64/server-migration-14-16:latest:postgresql16-contrib-16.4-150600.16.5.1 Container suse/manager/5.0/x86_64/server-migration-14-16:latest:postgresql16-server-16.4-150600.16.5.1 Container suse/manager/5.0/x86_64/server:latest:libpq5-16.4-150600.16.5.1 Container suse/manager/5.0/x86_64/server:latest:postgresql16-16.4-150600.16.5.1 Container suse/manager/5.0/x86_64/server:latest:postgresql16-contrib-16.4-150600.16.5.1 Container suse/manager/5.0/x86_64/server:latest:postgresql16-server-16.4-150600.16.5.1 Container suse/postgres:16:libpq5-16.4-150600.16.5.1 Container suse/postgres:16:postgresql16-16.4-150600.16.5.1 Container suse/postgres:16:postgresql16-server-16.4-150600.16.5.1 Container suse/postgres:latest:libpq5-16.4-150600.16.5.1 Image server-image:libpq5-16.4-150600.16.5.1 Image server-image:postgresql16-16.4-150600.16.5.1 Image server-image:postgresql16-contrib-16.4-150600.16.5.1 Image server-image:postgresql16-server-16.4-150600.16.5.1 Image server-migration-14-16-image:libpq5-16.4-150600.16.5.1 Image server-migration-14-16-image:postgresql16-16.4-150600.16.5.1 Image server-migration-14-16-image:postgresql16-contrib-16.4-150600.16.5.1 Image server-migration-14-16-image:postgresql16-server-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libpq5-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libpq5-32bit-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:postgresql16-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:libecpg6-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:postgresql16-contrib-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:postgresql16-devel-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:postgresql16-docs-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:postgresql16-plperl-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:postgresql16-plpython-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:postgresql16-pltcl-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:postgresql16-server-16.4-150600.16.5.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:postgresql16-server-devel-16.4-150600.16.5.1 openSUSE Leap 15.6:libecpg6-16.4-150600.16.5.1 openSUSE Leap 15.6:libecpg6-32bit-16.4-150600.16.5.1 openSUSE Leap 15.6:libpq5-16.4-150600.16.5.1 openSUSE Leap 15.6:libpq5-32bit-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-contrib-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-devel-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-docs-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-llvmjit-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-llvmjit-devel-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-plperl-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-plpython-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-pltcl-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-server-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-server-devel-16.4-150600.16.5.1 openSUSE Leap 15.6:postgresql16-test-16.4-150600.16.5.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243159-1/ https://www.suse.com/security/cve/CVE-2024-7348.html CVE-2024-7348 https://bugzilla.suse.com/1229013 SUSE Bug 1229013