Security update for postgresql93 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2425-1 Final 1 1 2016-09-30T13:09:17Z current 2016-09-30T13:09:17Z 2016-09-30T13:09:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql93 The postgresql server postgresql93 was updated to 9.3.14 fixes the following issues: Update to version 9.3.14: * Fix possible mis-evaluation of nested CASE-WHEN expressions (CVE-2016-5423, boo#993454) * Fix client programs' handling of special characters in database and role names (CVE-2016-5424, boo#993453) * Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied to nested composite values * Make the inet and cidr data types properly reject IPv6 addresses with too many colon-separated fields * Prevent crash in close_ps() (the point ## lseg operator) for NaN input coordinates * Fix several one-byte buffer over-reads in to_number() * Avoid unsafe intermediate state during expensive paths through heap_update() * For the other bug fixes, see the release notes: https://www.postgresql.org/docs/9.3/static/release-9-3-14.html Update to version 9.3.13: This update fixes several problems which caused downtime for users, including: - Clearing the OpenSSL error queue before OpenSSL calls, preventing errors in SSL connections, particularly when using the Python, Ruby or PHP OpenSSL wrappers - Fixed the "failed to build N-way joins" planner error - Fixed incorrect handling of equivalence in multilevel nestloop query plans, which could emit rows which didn't match the WHERE clause. - Prevented two memory leaks with using GIN indexes, including a potential index corruption risk. The release also includes many other bug fixes for reported issues, many of which affect all supported versions: - Fix corner-case parser failures occurring when operator_precedence_warning is turned on - Prevent possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp() - Correct dumping of VIEWs and RULEs which use ANY (array) in a subselect - Disallow newlines in ALTER SYSTEM parameter values - Avoid possible misbehavior after failing to remove a tablespace symlink - Fix crash in logical decoding on alignment-picky platforms - Avoid repeated requests for feedback from receiver while shutting down walsender - Multiple fixes for pg_upgrade - Support building with Visual Studio 2015 - This update also contains tzdata release 2016d, with updates for Russia, Venezuela, Kirov, and Tomsk. http://www.postgresql.org/docs/current/static/release-9-3-13.html Update to version 9.3.12: - Fix two bugs in indexed ROW() comparisons - Avoid data loss due to renaming files - Prevent an error in rechecking rows in SELECT FOR UPDATE/SHARE - Fix bugs in multiple json_ and jsonb_ functions - Log lock waits for INSERT ON CONFLICT correctly - Ignore recovery_min_apply_delay until reaching a consistent state - Fix issue with pg_subtrans XID wraparound - Fix assorted bugs in Logical Decoding - Fix planner error with nested security barrier views - Prevent memory leak in GIN indexes - Fix two issues with ispell dictionaries - Avoid a crash on old Windows versions - Skip creating an erroneous delete script in pg_upgrade - Correctly translate empty arrays into PL/Perl - Make PL/Python cope with identifier names For the full release notes, see: http://www.postgresql.org/docs/9.4/static/release-9-3-12.html The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00037.html E-Mail link for openSUSE-SU-2016:2425-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 libecpg6-9.3.14-2.13.1 libecpg6-32bit-9.3.14-2.13.1 libecpg6-debuginfo-9.3.14-2.13.1 libecpg6-debuginfo-32bit-9.3.14-2.13.1 libpq5-9.3.14-2.13.1 libpq5-32bit-9.3.14-2.13.1 libpq5-debuginfo-9.3.14-2.13.1 libpq5-debuginfo-32bit-9.3.14-2.13.1 postgresql93-9.3.14-2.13.1 postgresql93-contrib-9.3.14-2.13.1 postgresql93-contrib-debuginfo-9.3.14-2.13.1 postgresql93-debuginfo-9.3.14-2.13.1 postgresql93-debugsource-9.3.14-2.13.1 postgresql93-devel-9.3.14-2.13.1 postgresql93-devel-debuginfo-9.3.14-2.13.1 postgresql93-docs-9.3.14-2.13.1 postgresql93-libs-9.3.14-2.13.1 postgresql93-libs-debugsource-9.3.14-2.13.1 postgresql93-plperl-9.3.14-2.13.1 postgresql93-plperl-debuginfo-9.3.14-2.13.1 postgresql93-plpython-9.3.14-2.13.1 postgresql93-plpython-debuginfo-9.3.14-2.13.1 postgresql93-pltcl-9.3.14-2.13.1 postgresql93-pltcl-debuginfo-9.3.14-2.13.1 postgresql93-server-9.3.14-2.13.1 postgresql93-server-debuginfo-9.3.14-2.13.1 postgresql93-test-9.3.14-2.13.1 libecpg6-9.3.14-2.13.1 as a component of openSUSE 13.2 libecpg6-32bit-9.3.14-2.13.1 as a component of openSUSE 13.2 libecpg6-debuginfo-9.3.14-2.13.1 as a component of openSUSE 13.2 libecpg6-debuginfo-32bit-9.3.14-2.13.1 as a component of openSUSE 13.2 libpq5-9.3.14-2.13.1 as a component of openSUSE 13.2 libpq5-32bit-9.3.14-2.13.1 as a component of openSUSE 13.2 libpq5-debuginfo-9.3.14-2.13.1 as a component of openSUSE 13.2 libpq5-debuginfo-32bit-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-contrib-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-contrib-debuginfo-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-debuginfo-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-debugsource-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-devel-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-devel-debuginfo-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-docs-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-libs-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-libs-debugsource-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-plperl-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-plperl-debuginfo-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-plpython-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-plpython-debuginfo-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-pltcl-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-pltcl-debuginfo-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-server-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-server-debuginfo-9.3.14-2.13.1 as a component of openSUSE 13.2 postgresql93-test-9.3.14-2.13.1 as a component of openSUSE 13.2 PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types. CVE-2016-5423 openSUSE 13.2:libecpg6-32bit-9.3.14-2.13.1 openSUSE 13.2:libecpg6-9.3.14-2.13.1 openSUSE 13.2:libecpg6-debuginfo-32bit-9.3.14-2.13.1 openSUSE 13.2:libecpg6-debuginfo-9.3.14-2.13.1 openSUSE 13.2:libpq5-32bit-9.3.14-2.13.1 openSUSE 13.2:libpq5-9.3.14-2.13.1 openSUSE 13.2:libpq5-debuginfo-32bit-9.3.14-2.13.1 openSUSE 13.2:libpq5-debuginfo-9.3.14-2.13.1 openSUSE 13.2:postgresql93-9.3.14-2.13.1 openSUSE 13.2:postgresql93-contrib-9.3.14-2.13.1 openSUSE 13.2:postgresql93-contrib-debuginfo-9.3.14-2.13.1 openSUSE 13.2:postgresql93-debuginfo-9.3.14-2.13.1 openSUSE 13.2:postgresql93-debugsource-9.3.14-2.13.1 openSUSE 13.2:postgresql93-devel-9.3.14-2.13.1 openSUSE 13.2:postgresql93-devel-debuginfo-9.3.14-2.13.1 openSUSE 13.2:postgresql93-docs-9.3.14-2.13.1 openSUSE 13.2:postgresql93-libs-9.3.14-2.13.1 openSUSE 13.2:postgresql93-libs-debugsource-9.3.14-2.13.1 openSUSE 13.2:postgresql93-plperl-9.3.14-2.13.1 openSUSE 13.2:postgresql93-plperl-debuginfo-9.3.14-2.13.1 openSUSE 13.2:postgresql93-plpython-9.3.14-2.13.1 openSUSE 13.2:postgresql93-plpython-debuginfo-9.3.14-2.13.1 openSUSE 13.2:postgresql93-pltcl-9.3.14-2.13.1 openSUSE 13.2:postgresql93-pltcl-debuginfo-9.3.14-2.13.1 openSUSE 13.2:postgresql93-server-9.3.14-2.13.1 openSUSE 13.2:postgresql93-server-debuginfo-9.3.14-2.13.1 openSUSE 13.2:postgresql93-test-9.3.14-2.13.1 important 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00037.html https://www.suse.com/security/cve/CVE-2016-5423.html CVE-2016-5423 https://bugzilla.suse.com/1041981 SUSE Bug 1041981 https://bugzilla.suse.com/1042497 SUSE Bug 1042497 https://bugzilla.suse.com/993454 SUSE Bug 993454 PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation. CVE-2016-5424 openSUSE 13.2:libecpg6-32bit-9.3.14-2.13.1 openSUSE 13.2:libecpg6-9.3.14-2.13.1 openSUSE 13.2:libecpg6-debuginfo-32bit-9.3.14-2.13.1 openSUSE 13.2:libecpg6-debuginfo-9.3.14-2.13.1 openSUSE 13.2:libpq5-32bit-9.3.14-2.13.1 openSUSE 13.2:libpq5-9.3.14-2.13.1 openSUSE 13.2:libpq5-debuginfo-32bit-9.3.14-2.13.1 openSUSE 13.2:libpq5-debuginfo-9.3.14-2.13.1 openSUSE 13.2:postgresql93-9.3.14-2.13.1 openSUSE 13.2:postgresql93-contrib-9.3.14-2.13.1 openSUSE 13.2:postgresql93-contrib-debuginfo-9.3.14-2.13.1 openSUSE 13.2:postgresql93-debuginfo-9.3.14-2.13.1 openSUSE 13.2:postgresql93-debugsource-9.3.14-2.13.1 openSUSE 13.2:postgresql93-devel-9.3.14-2.13.1 openSUSE 13.2:postgresql93-devel-debuginfo-9.3.14-2.13.1 openSUSE 13.2:postgresql93-docs-9.3.14-2.13.1 openSUSE 13.2:postgresql93-libs-9.3.14-2.13.1 openSUSE 13.2:postgresql93-libs-debugsource-9.3.14-2.13.1 openSUSE 13.2:postgresql93-plperl-9.3.14-2.13.1 openSUSE 13.2:postgresql93-plperl-debuginfo-9.3.14-2.13.1 openSUSE 13.2:postgresql93-plpython-9.3.14-2.13.1 openSUSE 13.2:postgresql93-plpython-debuginfo-9.3.14-2.13.1 openSUSE 13.2:postgresql93-pltcl-9.3.14-2.13.1 openSUSE 13.2:postgresql93-pltcl-debuginfo-9.3.14-2.13.1 openSUSE 13.2:postgresql93-server-9.3.14-2.13.1 openSUSE 13.2:postgresql93-server-debuginfo-9.3.14-2.13.1 openSUSE 13.2:postgresql93-test-9.3.14-2.13.1 important 6.5 AV:L/AC:M/Au:S/C:C/I:C/A:C Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00037.html https://www.suse.com/security/cve/CVE-2016-5424.html CVE-2016-5424 https://bugzilla.suse.com/1041981 SUSE Bug 1041981 https://bugzilla.suse.com/1042497 SUSE Bug 1042497 https://bugzilla.suse.com/993453 SUSE Bug 993453