Security update for postgresql12 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1243-1 Final 1 1 2020-08-21T22:20:45Z current 2020-08-21T22:20:45Z 2020-08-21T22:20:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql12 This update for postgresql12 fixes the following issues: - update to 12.4: * CVE-2020-14349, bsc#1175193: Set a secure search_path in logical replication walsenders and apply workers * CVE-2020-14350, bsc#1175194: Make contrib modules' installation scripts more secure. * https://www.postgresql.org/docs/12/release-12-4.html This update was imported from the SUSE:SLE-15-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1243 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/25COAMDPKIB3AWDKP6IEG35QG2IFIZ7W/ E-Mail link for openSUSE-SU-2020:1243-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1175193 SUSE Bug 1175193 https://bugzilla.suse.com/1175194 SUSE Bug 1175194 https://www.suse.com/security/cve/CVE-2020-14349/ SUSE CVE CVE-2020-14349 page https://www.suse.com/security/cve/CVE-2020-14350/ SUSE CVE CVE-2020-14350 page openSUSE Leap 15.1 libecpg6-12.4-lp151.6.1 libpq5-12.4-lp151.6.1 postgresql12-12.4-lp151.6.1 postgresql12-contrib-12.4-lp151.6.1 postgresql12-devel-12.4-lp151.6.1 postgresql12-docs-12.4-lp151.6.1 postgresql12-llvmjit-12.4-lp151.6.1 postgresql12-plperl-12.4-lp151.6.1 postgresql12-plpython-12.4-lp151.6.1 postgresql12-pltcl-12.4-lp151.6.1 postgresql12-server-12.4-lp151.6.1 postgresql12-server-devel-12.4-lp151.6.1 postgresql12-test-12.4-lp151.6.1 libecpg6-12.4-lp151.6.1 as a component of openSUSE Leap 15.1 libpq5-12.4-lp151.6.1 as a component of openSUSE Leap 15.1 postgresql12-12.4-lp151.6.1 as a component of openSUSE Leap 15.1 postgresql12-contrib-12.4-lp151.6.1 as a component of openSUSE Leap 15.1 postgresql12-devel-12.4-lp151.6.1 as a component of openSUSE Leap 15.1 postgresql12-docs-12.4-lp151.6.1 as a component of openSUSE Leap 15.1 postgresql12-llvmjit-12.4-lp151.6.1 as a component of openSUSE Leap 15.1 postgresql12-plperl-12.4-lp151.6.1 as a component of openSUSE Leap 15.1 postgresql12-plpython-12.4-lp151.6.1 as a component of openSUSE Leap 15.1 postgresql12-pltcl-12.4-lp151.6.1 as a component of openSUSE Leap 15.1 postgresql12-server-12.4-lp151.6.1 as a component of openSUSE Leap 15.1 postgresql12-server-devel-12.4-lp151.6.1 as a component of openSUSE Leap 15.1 postgresql12-test-12.4-lp151.6.1 as a component of openSUSE Leap 15.1 It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication. CVE-2020-14349 openSUSE Leap 15.1:libecpg6-12.4-lp151.6.1 openSUSE Leap 15.1:libpq5-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-contrib-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-devel-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-docs-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-llvmjit-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-plperl-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-plpython-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-pltcl-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-server-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-server-devel-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-test-12.4-lp151.6.1 important 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/25COAMDPKIB3AWDKP6IEG35QG2IFIZ7W/ https://www.suse.com/security/cve/CVE-2020-14349.html CVE-2020-14349 https://bugzilla.suse.com/1175193 SUSE Bug 1175193 https://bugzilla.suse.com/1176151 SUSE Bug 1176151 https://bugzilla.suse.com/1179499 SUSE Bug 1179499 https://bugzilla.suse.com/1179870 SUSE Bug 1179870 It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23. CVE-2020-14350 openSUSE Leap 15.1:libecpg6-12.4-lp151.6.1 openSUSE Leap 15.1:libpq5-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-contrib-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-devel-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-docs-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-llvmjit-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-plperl-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-plpython-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-pltcl-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-server-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-server-devel-12.4-lp151.6.1 openSUSE Leap 15.1:postgresql12-test-12.4-lp151.6.1 important 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/25COAMDPKIB3AWDKP6IEG35QG2IFIZ7W/ https://www.suse.com/security/cve/CVE-2020-14350.html CVE-2020-14350 https://bugzilla.suse.com/1175194 SUSE Bug 1175194 https://bugzilla.suse.com/1176151 SUSE Bug 1176151 https://bugzilla.suse.com/1179115 SUSE Bug 1179115 https://bugzilla.suse.com/1179499 SUSE Bug 1179499 https://bugzilla.suse.com/1179870 SUSE Bug 1179870