Security update for postgresql94 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:0081-1 Final 1 1 2018-01-12T14:46:25Z current 2018-01-12T14:46:25Z 2018-01-12T14:46:25Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql94 This update for postgresql94 fixes the following issues: Security issues fixed: - CVE-2017-15098: Fix crash due to rowtype mismatch in json{b}_populate_recordset() (bsc#1067844). - CVE-2017-12172: Start scripts permit database administrator to modify root-owned files. This issue did not affect SUSE (bsc#1062538). Bug fixes: - Update to version 9.4.15 * https://www.postgresql.org/docs/9.4/static/release-9-4-15.html * https://www.postgresql.org/docs/9.4/static/release-9-4-14.html The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-SP2-2018-63,SUSE-SLE-RPI-12-SP2-2018-63,SUSE-SLE-SDK-12-SP2-2018-63,SUSE-SLE-SERVER-12-SP2-2018-63 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20180081-1/ Link for SUSE-SU-2018:0081-1 https://lists.suse.com/pipermail/sle-security-updates/2018-January/003597.html E-Mail link for SUSE-SU-2018:0081-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1062538 SUSE Bug 1062538 https://bugzilla.suse.com/1067844 SUSE Bug 1067844 https://www.suse.com/security/cve/CVE-2017-12172/ SUSE CVE CVE-2017-12172 page https://www.suse.com/security/cve/CVE-2017-15098/ SUSE CVE CVE-2017-15098 page SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Software Development Kit 12 SP2 postgresql94-9.4.15-21.13.1 postgresql94-contrib-9.4.15-21.13.1 postgresql94-docs-9.4.15-21.13.1 postgresql94-server-9.4.15-21.13.1 postgresql94-devel-9.4.15-21.13.1 postgresql94-9.4.15-21.13.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 postgresql94-9.4.15-21.13.1 as a component of SUSE Linux Enterprise Server 12 SP2 postgresql94-contrib-9.4.15-21.13.1 as a component of SUSE Linux Enterprise Server 12 SP2 postgresql94-docs-9.4.15-21.13.1 as a component of SUSE Linux Enterprise Server 12 SP2 postgresql94-server-9.4.15-21.13.1 as a component of SUSE Linux Enterprise Server 12 SP2 postgresql94-9.4.15-21.13.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 postgresql94-contrib-9.4.15-21.13.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 postgresql94-docs-9.4.15-21.13.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 postgresql94-server-9.4.15-21.13.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 postgresql94-9.4.15-21.13.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 postgresql94-contrib-9.4.15-21.13.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 postgresql94-docs-9.4.15-21.13.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 postgresql94-server-9.4.15-21.13.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 postgresql94-devel-9.4.15-21.13.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. PostgreSQL provides a script for starting the database server during system boot. Packages of PostgreSQL for many operating systems provide their own, packager-authored startup implementations. Several implementations use a log file name that the database superuser can replace with a symbolic link. As root, they open(), chmod() and/or chown() this log file name. This often suffices for the database superuser to escalate to root privileges when root starts the server. CVE-2017-12172 SUSE Linux Enterprise Desktop 12 SP2:postgresql94-9.4.15-21.13.1 SUSE Linux Enterprise Server 12 SP2:postgresql94-9.4.15-21.13.1 SUSE Linux Enterprise Server 12 SP2:postgresql94-contrib-9.4.15-21.13.1 SUSE Linux Enterprise Server 12 SP2:postgresql94-docs-9.4.15-21.13.1 SUSE Linux Enterprise Server 12 SP2:postgresql94-server-9.4.15-21.13.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:postgresql94-9.4.15-21.13.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:postgresql94-contrib-9.4.15-21.13.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:postgresql94-docs-9.4.15-21.13.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:postgresql94-server-9.4.15-21.13.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:postgresql94-9.4.15-21.13.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:postgresql94-contrib-9.4.15-21.13.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:postgresql94-docs-9.4.15-21.13.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:postgresql94-server-9.4.15-21.13.1 SUSE Linux Enterprise Software Development Kit 12 SP2:postgresql94-devel-9.4.15-21.13.1 important 6 AV:L/AC:H/Au:S/C:C/I:C/A:C 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20180081-1/ https://www.suse.com/security/cve/CVE-2017-12172.html CVE-2017-12172 https://bugzilla.suse.com/1062538 SUSE Bug 1062538 https://bugzilla.suse.com/1062722 SUSE Bug 1062722 https://bugzilla.suse.com/1185814 SUSE Bug 1185814 Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory. CVE-2017-15098 SUSE Linux Enterprise Desktop 12 SP2:postgresql94-9.4.15-21.13.1 SUSE Linux Enterprise Server 12 SP2:postgresql94-9.4.15-21.13.1 SUSE Linux Enterprise Server 12 SP2:postgresql94-contrib-9.4.15-21.13.1 SUSE Linux Enterprise Server 12 SP2:postgresql94-docs-9.4.15-21.13.1 SUSE Linux Enterprise Server 12 SP2:postgresql94-server-9.4.15-21.13.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:postgresql94-9.4.15-21.13.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:postgresql94-contrib-9.4.15-21.13.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:postgresql94-docs-9.4.15-21.13.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:postgresql94-server-9.4.15-21.13.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:postgresql94-9.4.15-21.13.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:postgresql94-contrib-9.4.15-21.13.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:postgresql94-docs-9.4.15-21.13.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:postgresql94-server-9.4.15-21.13.1 SUSE Linux Enterprise Software Development Kit 12 SP2:postgresql94-devel-9.4.15-21.13.1 important 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P 5.5 AV:N/AC:L/Au:S/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20180081-1/ https://www.suse.com/security/cve/CVE-2017-15098.html CVE-2017-15098 https://bugzilla.suse.com/1067844 SUSE Bug 1067844 https://bugzilla.suse.com/1185814 SUSE Bug 1185814