Security update for postgresql15 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:03018-1 Final 1 1 2025-08-29T08:31:14Z current 2025-08-29T08:31:14Z 2025-08-29T08:31:14Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql15 This update for postgresql15 fixes the following issues: Upgrade to 15.14: - CVE-2025-8713: optimizer statistics can expose sampled data within a view, partition, or child table (bsc#1248120). - CVE-2025-8714: untrusted data inclusion in `pg_dump` lets superuser of origin server execute arbitrary code in psql client (bsc#1248122). - CVE-2025-8715: improper neutralization of newlines in `pg_dump` allows execution of arbitrary code in psql client and in restore target server (bsc#1248119). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-3018,SUSE-SLE-Module-Legacy-15-SP6-2025-3018,SUSE-SLE-Module-Legacy-15-SP7-2025-3018,openSUSE-SLE-15.6-2025-3018 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202503018-1/ Link for SUSE-SU-2025:03018-1 https://lists.suse.com/pipermail/sle-updates/2025-August/041421.html E-Mail link for SUSE-SU-2025:03018-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1248119 SUSE Bug 1248119 https://bugzilla.suse.com/1248120 SUSE Bug 1248120 https://bugzilla.suse.com/1248122 SUSE Bug 1248122 https://www.suse.com/security/cve/CVE-2025-8713/ SUSE CVE CVE-2025-8713 page https://www.suse.com/security/cve/CVE-2025-8714/ SUSE CVE CVE-2025-8714 page https://www.suse.com/security/cve/CVE-2025-8715/ SUSE CVE CVE-2025-8715 page SUSE Linux Enterprise Module for Legacy 15 SP6 SUSE Linux Enterprise Module for Legacy 15 SP7 openSUSE Leap 15.6 postgresql15-15.14-150600.16.20.1 postgresql15-contrib-15.14-150600.16.20.1 postgresql15-devel-15.14-150600.16.20.1 postgresql15-docs-15.14-150600.16.20.1 postgresql15-llvmjit-15.14-150600.16.20.1 postgresql15-llvmjit-devel-15.14-150600.16.20.1 postgresql15-plperl-15.14-150600.16.20.1 postgresql15-plpython-15.14-150600.16.20.1 postgresql15-pltcl-15.14-150600.16.20.1 postgresql15-server-15.14-150600.16.20.1 postgresql15-server-devel-15.14-150600.16.20.1 postgresql15-test-15.14-150600.16.20.1 postgresql15-15.14-150600.16.20.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql15-contrib-15.14-150600.16.20.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql15-devel-15.14-150600.16.20.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql15-docs-15.14-150600.16.20.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql15-plperl-15.14-150600.16.20.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql15-plpython-15.14-150600.16.20.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql15-pltcl-15.14-150600.16.20.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql15-server-15.14-150600.16.20.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql15-server-devel-15.14-150600.16.20.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql15-15.14-150600.16.20.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP7 postgresql15-contrib-15.14-150600.16.20.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP7 postgresql15-devel-15.14-150600.16.20.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP7 postgresql15-server-15.14-150600.16.20.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP7 postgresql15-15.14-150600.16.20.1 as a component of openSUSE Leap 15.6 postgresql15-contrib-15.14-150600.16.20.1 as a component of openSUSE Leap 15.6 postgresql15-devel-15.14-150600.16.20.1 as a component of openSUSE Leap 15.6 postgresql15-docs-15.14-150600.16.20.1 as a component of openSUSE Leap 15.6 postgresql15-llvmjit-15.14-150600.16.20.1 as a component of openSUSE Leap 15.6 postgresql15-llvmjit-devel-15.14-150600.16.20.1 as a component of openSUSE Leap 15.6 postgresql15-plperl-15.14-150600.16.20.1 as a component of openSUSE Leap 15.6 postgresql15-plpython-15.14-150600.16.20.1 as a component of openSUSE Leap 15.6 postgresql15-pltcl-15.14-150600.16.20.1 as a component of openSUSE Leap 15.6 postgresql15-server-15.14-150600.16.20.1 as a component of openSUSE Leap 15.6 postgresql15-server-devel-15.14-150600.16.20.1 as a component of openSUSE Leap 15.6 postgresql15-test-15.14-150600.16.20.1 as a component of openSUSE Leap 15.6 PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user could craft a leaky operator that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table inheritance hierarchies. Reachable statistics data notably included histograms and most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. CVE-2025-8713 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-contrib-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-devel-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-docs-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-plperl-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-plpython-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-pltcl-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-server-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-server-devel-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql15-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql15-contrib-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql15-devel-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql15-server-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-contrib-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-devel-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-docs-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-llvmjit-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-llvmjit-devel-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-plperl-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-plpython-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-pltcl-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-server-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-server-devel-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-test-15.14-150600.16.20.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503018-1/ https://www.suse.com/security/cve/CVE-2025-8713.html CVE-2025-8713 https://bugzilla.suse.com/1248120 SUSE Bug 1248120 Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. CVE-2025-8714 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-contrib-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-devel-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-docs-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-plperl-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-plpython-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-pltcl-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-server-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-server-devel-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql15-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql15-contrib-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql15-devel-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql15-server-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-contrib-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-devel-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-docs-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-llvmjit-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-llvmjit-devel-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-plperl-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-plpython-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-pltcl-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-server-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-server-devel-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-test-15.14-150600.16.20.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503018-1/ https://www.suse.com/security/cve/CVE-2025-8714.html CVE-2025-8714 https://bugzilla.suse.com/1248122 SUSE Bug 1248122 Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it. CVE-2025-8715 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-contrib-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-devel-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-docs-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-plperl-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-plpython-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-pltcl-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-server-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql15-server-devel-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql15-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql15-contrib-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql15-devel-15.14-150600.16.20.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql15-server-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-contrib-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-devel-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-docs-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-llvmjit-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-llvmjit-devel-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-plperl-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-plpython-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-pltcl-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-server-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-server-devel-15.14-150600.16.20.1 openSUSE Leap 15.6:postgresql15-test-15.14-150600.16.20.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503018-1/ https://www.suse.com/security/cve/CVE-2025-8715.html CVE-2025-8715 https://bugzilla.suse.com/1248119 SUSE Bug 1248119