Security update for postgresql91 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2015:0639-1 Final 1 1 2015-03-02T17:37:06Z current 2015-03-02T17:37:06Z 2015-03-02T17:37:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql91 The PostgreSQL database server was updated to 9.1.15, fixing bugs and security issues: * Fix buffer overruns in to_char() (CVE-2015-0241). * Fix buffer overrun in replacement *printf() functions (CVE-2015-0242). * Fix buffer overruns in contrib/pgcrypto (CVE-2015-0243). * Fix possible loss of frontend/backend protocol synchronization after an error (CVE-2015-0244). * Fix information leak via constraint-violation error messages (CVE-2014-8161). For a comprehensive list of fixes, please refer to the following release notes: * http://www.postgresql.org/docs/9.1/static/release-9-1-15.html <http://www.postgresql.org/docs/9.1/static/release-9-1-15.html> * http://www.postgresql.org/docs/9.1/static/release-9-1-14.html <http://www.postgresql.org/docs/9.1/static/release-9-1-14.html> * http://www.postgresql.org/docs/9.1/static/release-9-1-13.html <http://www.postgresql.org/docs/9.1/static/release-9-1-13.html> Security Issues: * CVE-2015-0241 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0241> * CVE-2015-0243 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0243> * CVE-2015-0244 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0244> * CVE-2014-8161 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8161> The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp3-postgresql91-201503,sledsp3-postgresql91-201503,sleman21-postgresql91-201503,slessp3-postgresql91-201503 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2015/suse-su-20150639-1/ Link for SUSE-SU-2015:0639-1 https://lists.suse.com/pipermail/sle-security-updates/2015-March/001321.html E-Mail link for SUSE-SU-2015:0639-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/916953 SUSE Bug 916953 https://www.suse.com/security/cve/CVE-2014-8161/ SUSE CVE CVE-2014-8161 page https://www.suse.com/security/cve/CVE-2015-0241/ SUSE CVE CVE-2015-0241 page https://www.suse.com/security/cve/CVE-2015-0243/ SUSE CVE CVE-2015-0243 page https://www.suse.com/security/cve/CVE-2015-0244/ SUSE CVE CVE-2015-0244 page SUSE Linux Enterprise Desktop 11 SP3 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE Linux Enterprise Server for SAP Applications 11 SP3 SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Manager 2.1 postgresql91-devel-9.1.15-0.3.1 libecpg6-9.1.15-0.3.1 libpq5-9.1.15-0.3.1 libpq5-32bit-9.1.15-0.3.1 postgresql91-9.1.15-0.3.1 postgresql91-docs-9.1.15-0.3.1 postgresql91-pltcl-9.1.15-0.3.1 postgresql91-contrib-9.1.15-0.3.1 postgresql91-server-9.1.15-0.3.1 libecpg6-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Desktop 11 SP3 libpq5-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Desktop 11 SP3 libpq5-32bit-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Desktop 11 SP3 postgresql91-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Desktop 11 SP3 postgresql91-docs-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Desktop 11 SP3 libecpg6-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server 11 SP3 libpq5-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server 11 SP3 libpq5-32bit-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server 11 SP3 postgresql91-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server 11 SP3 postgresql91-contrib-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server 11 SP3 postgresql91-docs-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server 11 SP3 postgresql91-server-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server 11 SP3 libecpg6-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA libpq5-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA libpq5-32bit-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA postgresql91-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA postgresql91-contrib-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA postgresql91-docs-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA postgresql91-server-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA libecpg6-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP3 libpq5-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP3 libpq5-32bit-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP3 postgresql91-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP3 postgresql91-contrib-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP3 postgresql91-docs-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP3 postgresql91-server-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP3 postgresql91-devel-9.1.15-0.3.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP3 postgresql91-pltcl-9.1.15-0.3.1 as a component of SUSE Manager 2.1 PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message. CVE-2014-8161 SUSE Linux Enterprise Desktop 11 SP3:libecpg6-9.1.15-0.3.1 SUSE Linux Enterprise Desktop 11 SP3:libpq5-32bit-9.1.15-0.3.1 SUSE Linux Enterprise Desktop 11 SP3:libpq5-9.1.15-0.3.1 SUSE Linux Enterprise Desktop 11 SP3:postgresql91-9.1.15-0.3.1 SUSE Linux Enterprise Desktop 11 SP3:postgresql91-docs-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:libecpg6-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:libpq5-32bit-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:libpq5-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:postgresql91-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:postgresql91-contrib-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:postgresql91-docs-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:postgresql91-server-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:libecpg6-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:libpq5-32bit-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:libpq5-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:postgresql91-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:postgresql91-contrib-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:postgresql91-docs-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:postgresql91-server-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:libecpg6-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:libpq5-32bit-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:libpq5-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:postgresql91-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:postgresql91-contrib-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:postgresql91-docs-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:postgresql91-server-9.1.15-0.3.1 SUSE Linux Enterprise Software Development Kit 11 SP3:postgresql91-devel-9.1.15-0.3.1 SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150639-1/ https://www.suse.com/security/cve/CVE-2014-8161.html CVE-2014-8161 https://bugzilla.suse.com/916953 SUSE Bug 916953 The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric formatting template, which triggers a buffer over-read, or (2) crafted timestamp formatting template, which triggers a buffer overflow. CVE-2015-0241 SUSE Linux Enterprise Desktop 11 SP3:libecpg6-9.1.15-0.3.1 SUSE Linux Enterprise Desktop 11 SP3:libpq5-32bit-9.1.15-0.3.1 SUSE Linux Enterprise Desktop 11 SP3:libpq5-9.1.15-0.3.1 SUSE Linux Enterprise Desktop 11 SP3:postgresql91-9.1.15-0.3.1 SUSE Linux Enterprise Desktop 11 SP3:postgresql91-docs-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:libecpg6-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:libpq5-32bit-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:libpq5-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:postgresql91-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:postgresql91-contrib-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:postgresql91-docs-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:postgresql91-server-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:libecpg6-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:libpq5-32bit-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:libpq5-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:postgresql91-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:postgresql91-contrib-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:postgresql91-docs-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:postgresql91-server-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:libecpg6-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:libpq5-32bit-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:libpq5-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:postgresql91-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:postgresql91-contrib-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:postgresql91-docs-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:postgresql91-server-9.1.15-0.3.1 SUSE Linux Enterprise Software Development Kit 11 SP3:postgresql91-devel-9.1.15-0.3.1 SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150639-1/ https://www.suse.com/security/cve/CVE-2015-0241.html CVE-2015-0241 https://bugzilla.suse.com/916953 SUSE Bug 916953 Multiple buffer overflows in contrib/pgcrypto in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors. CVE-2015-0243 SUSE Linux Enterprise Desktop 11 SP3:libecpg6-9.1.15-0.3.1 SUSE Linux Enterprise Desktop 11 SP3:libpq5-32bit-9.1.15-0.3.1 SUSE Linux Enterprise Desktop 11 SP3:libpq5-9.1.15-0.3.1 SUSE Linux Enterprise Desktop 11 SP3:postgresql91-9.1.15-0.3.1 SUSE Linux Enterprise Desktop 11 SP3:postgresql91-docs-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:libecpg6-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:libpq5-32bit-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:libpq5-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:postgresql91-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:postgresql91-contrib-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:postgresql91-docs-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:postgresql91-server-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:libecpg6-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:libpq5-32bit-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:libpq5-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:postgresql91-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:postgresql91-contrib-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:postgresql91-docs-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:postgresql91-server-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:libecpg6-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:libpq5-32bit-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:libpq5-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:postgresql91-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:postgresql91-contrib-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:postgresql91-docs-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:postgresql91-server-9.1.15-0.3.1 SUSE Linux Enterprise Software Development Kit 11 SP3:postgresql91-devel-9.1.15-0.3.1 SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150639-1/ https://www.suse.com/security/cve/CVE-2015-0243.html CVE-2015-0243 https://bugzilla.suse.com/916953 SUSE Bug 916953 PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 does not properly handle errors while reading a protocol message, which allows remote attackers to conduct SQL injection attacks via crafted binary data in a parameter and causing an error, which triggers the loss of synchronization and part of the protocol message to be treated as a new message, as demonstrated by causing a timeout or query cancellation. CVE-2015-0244 SUSE Linux Enterprise Desktop 11 SP3:libecpg6-9.1.15-0.3.1 SUSE Linux Enterprise Desktop 11 SP3:libpq5-32bit-9.1.15-0.3.1 SUSE Linux Enterprise Desktop 11 SP3:libpq5-9.1.15-0.3.1 SUSE Linux Enterprise Desktop 11 SP3:postgresql91-9.1.15-0.3.1 SUSE Linux Enterprise Desktop 11 SP3:postgresql91-docs-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:libecpg6-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:libpq5-32bit-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:libpq5-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:postgresql91-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:postgresql91-contrib-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:postgresql91-docs-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:postgresql91-server-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:libecpg6-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:libpq5-32bit-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:libpq5-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:postgresql91-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:postgresql91-contrib-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:postgresql91-docs-9.1.15-0.3.1 SUSE Linux Enterprise Server 11 SP3:postgresql91-server-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:libecpg6-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:libpq5-32bit-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:libpq5-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:postgresql91-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:postgresql91-contrib-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:postgresql91-docs-9.1.15-0.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:postgresql91-server-9.1.15-0.3.1 SUSE Linux Enterprise Software Development Kit 11 SP3:postgresql91-devel-9.1.15-0.3.1 SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150639-1/ https://www.suse.com/security/cve/CVE-2015-0244.html CVE-2015-0244 https://bugzilla.suse.com/916953 SUSE Bug 916953