Security update for postgresql13 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:0545-1 Final 1 1 2021-02-22T12:55:24Z current 2021-02-22T12:55:24Z 2021-02-22T12:55:24Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql13 This update for postgresql13 fixes the following issues: Upgrade to version 13.2: - Updating stored views and reindexing might be needed after applying this update. - CVE-2021-3393, bsc#1182040: Fix information leakage in constraint-violation error messages. - CVE-2021-20229, bsc#1182039: Fix failure to check per-column SELECT privileges in some join queries. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-545,SUSE-SLE-SDK-12-SP5-2021-545,SUSE-SLE-SERVER-12-SP5-2021-545 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20210545-1/ Link for SUSE-SU-2021:0545-1 https://lists.suse.com/pipermail/sle-security-updates/2021-February/008358.html E-Mail link for SUSE-SU-2021:0545-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1182039 SUSE Bug 1182039 https://bugzilla.suse.com/1182040 SUSE Bug 1182040 https://www.suse.com/security/cve/CVE-2021-20229/ SUSE CVE CVE-2021-20229 page https://www.suse.com/security/cve/CVE-2021-3393/ SUSE CVE CVE-2021-3393 page SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 libecpg6-13.2-3.6.1 libecpg6-32bit-13.2-3.6.1 libecpg6-64bit-13.2-3.6.1 libpq5-13.2-3.6.1 libpq5-32bit-13.2-3.6.1 libpq5-64bit-13.2-3.6.1 postgresql13-13.2-3.6.1 postgresql13-contrib-13.2-3.6.1 postgresql13-devel-13.2-3.6.1 postgresql13-devel-mini-13.2-3.6.1 postgresql13-docs-13.2-3.6.1 postgresql13-plperl-13.2-3.6.1 postgresql13-plpython-13.2-3.6.1 postgresql13-pltcl-13.2-3.6.1 postgresql13-server-13.2-3.6.1 postgresql13-server-devel-13.2-3.6.1 postgresql13-test-13.2-3.6.1 libecpg6-13.2-3.6.1 as a component of SUSE Linux Enterprise Server 12 SP5 libpq5-13.2-3.6.1 as a component of SUSE Linux Enterprise Server 12 SP5 libpq5-32bit-13.2-3.6.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql13-13.2-3.6.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql13-contrib-13.2-3.6.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql13-docs-13.2-3.6.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql13-plperl-13.2-3.6.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql13-plpython-13.2-3.6.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql13-pltcl-13.2-3.6.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql13-server-13.2-3.6.1 as a component of SUSE Linux Enterprise Server 12 SP5 libecpg6-13.2-3.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 libpq5-13.2-3.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 libpq5-32bit-13.2-3.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql13-13.2-3.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql13-contrib-13.2-3.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql13-docs-13.2-3.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql13-plperl-13.2-3.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql13-plpython-13.2-3.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql13-pltcl-13.2-3.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql13-server-13.2-3.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql13-devel-13.2-3.6.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 postgresql13-server-devel-13.2-3.6.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality. CVE-2021-20229 SUSE Linux Enterprise Server 12 SP5:libecpg6-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:libpq5-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:libpq5-32bit-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:postgresql13-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:postgresql13-contrib-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:postgresql13-docs-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:postgresql13-plperl-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:postgresql13-plpython-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:postgresql13-pltcl-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:postgresql13-server-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libecpg6-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libpq5-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libpq5-32bit-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql13-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql13-contrib-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql13-docs-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql13-plperl-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql13-plpython-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql13-pltcl-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql13-server-13.2-3.6.1 SUSE Linux Enterprise Software Development Kit 12 SP5:postgresql13-devel-13.2-3.6.1 SUSE Linux Enterprise Software Development Kit 12 SP5:postgresql13-server-devel-13.2-3.6.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210545-1/ https://www.suse.com/security/cve/CVE-2021-20229.html CVE-2021-20229 https://bugzilla.suse.com/1182039 SUSE Bug 1182039 An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read. CVE-2021-3393 SUSE Linux Enterprise Server 12 SP5:libecpg6-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:libpq5-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:libpq5-32bit-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:postgresql13-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:postgresql13-contrib-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:postgresql13-docs-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:postgresql13-plperl-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:postgresql13-plpython-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:postgresql13-pltcl-13.2-3.6.1 SUSE Linux Enterprise Server 12 SP5:postgresql13-server-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libecpg6-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libpq5-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libpq5-32bit-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql13-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql13-contrib-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql13-docs-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql13-plperl-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql13-plpython-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql13-pltcl-13.2-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql13-server-13.2-3.6.1 SUSE Linux Enterprise Software Development Kit 12 SP5:postgresql13-devel-13.2-3.6.1 SUSE Linux Enterprise Software Development Kit 12 SP5:postgresql13-server-devel-13.2-3.6.1 low 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210545-1/ https://www.suse.com/security/cve/CVE-2021-3393.html CVE-2021-3393 https://bugzilla.suse.com/1182040 SUSE Bug 1182040