Security update for postgresql94 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2464-1 Final 1 1 2016-10-06T09:50:03Z current 2016-10-06T09:50:03Z 2016-10-06T09:50:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql94 This update for postgresql94 to version 9.4.9 fixes the several issues. These security issues were fixed: - CVE-2016-5423: CASE/WHEN with inlining can cause untrusted pointer dereference (bsc#993454). - CVE-2016-5424: Fix client programs' handling of special characters in database and role names (bsc#993453). This non-security issue was fixed: - bsc#973660: Added 'Requires: timezone' to Service Pack For additional non-security issues please refer to - http://www.postgresql.org/docs/9.4/static/release-9-4-9.html - http://www.postgresql.org/docs/9.4/static/release-9-4-8.html - http://www.postgresql.org/docs/9.4/static/release-9-4-7.html This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00009.html E-Mail link for openSUSE-SU-2016:2464-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 libecpg6-9.4.9-7.1 libecpg6-32bit-9.4.9-7.1 libpq5-9.4.9-7.1 libpq5-32bit-9.4.9-7.1 postgresql94-9.4.9-7.1 postgresql94-contrib-9.4.9-7.1 postgresql94-devel-9.4.9-7.1 postgresql94-docs-9.4.9-7.1 postgresql94-libs-9.4.9-7.1 postgresql94-plperl-9.4.9-7.1 postgresql94-plpython-9.4.9-7.1 postgresql94-pltcl-9.4.9-7.1 postgresql94-server-9.4.9-7.1 postgresql94-test-9.4.9-7.1 libecpg6-9.4.9-7.1 as a component of openSUSE Leap 42.1 libecpg6-32bit-9.4.9-7.1 as a component of openSUSE Leap 42.1 libpq5-9.4.9-7.1 as a component of openSUSE Leap 42.1 libpq5-32bit-9.4.9-7.1 as a component of openSUSE Leap 42.1 postgresql94-9.4.9-7.1 as a component of openSUSE Leap 42.1 postgresql94-contrib-9.4.9-7.1 as a component of openSUSE Leap 42.1 postgresql94-devel-9.4.9-7.1 as a component of openSUSE Leap 42.1 postgresql94-docs-9.4.9-7.1 as a component of openSUSE Leap 42.1 postgresql94-libs-9.4.9-7.1 as a component of openSUSE Leap 42.1 postgresql94-plperl-9.4.9-7.1 as a component of openSUSE Leap 42.1 postgresql94-plpython-9.4.9-7.1 as a component of openSUSE Leap 42.1 postgresql94-pltcl-9.4.9-7.1 as a component of openSUSE Leap 42.1 postgresql94-server-9.4.9-7.1 as a component of openSUSE Leap 42.1 postgresql94-test-9.4.9-7.1 as a component of openSUSE Leap 42.1 PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types. CVE-2016-5423 openSUSE Leap 42.1:libecpg6-32bit-9.4.9-7.1 openSUSE Leap 42.1:libecpg6-9.4.9-7.1 openSUSE Leap 42.1:libpq5-32bit-9.4.9-7.1 openSUSE Leap 42.1:libpq5-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-contrib-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-devel-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-docs-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-libs-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-plperl-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-plpython-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-pltcl-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-server-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-test-9.4.9-7.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00009.html https://www.suse.com/security/cve/CVE-2016-5423.html CVE-2016-5423 https://bugzilla.suse.com/1041981 SUSE Bug 1041981 https://bugzilla.suse.com/1042497 SUSE Bug 1042497 https://bugzilla.suse.com/1052683 SUSE Bug 1052683 https://bugzilla.suse.com/993454 SUSE Bug 993454 PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation. CVE-2016-5424 openSUSE Leap 42.1:libecpg6-32bit-9.4.9-7.1 openSUSE Leap 42.1:libecpg6-9.4.9-7.1 openSUSE Leap 42.1:libpq5-32bit-9.4.9-7.1 openSUSE Leap 42.1:libpq5-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-contrib-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-devel-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-docs-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-libs-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-plperl-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-plpython-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-pltcl-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-server-9.4.9-7.1 openSUSE Leap 42.1:postgresql94-test-9.4.9-7.1 moderate 6.6 AV:L/AC:M/Au:S/C:C/I:C/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00009.html https://www.suse.com/security/cve/CVE-2016-5424.html CVE-2016-5424 https://bugzilla.suse.com/1041981 SUSE Bug 1041981 https://bugzilla.suse.com/1042497 SUSE Bug 1042497 https://bugzilla.suse.com/1052683 SUSE Bug 1052683 https://bugzilla.suse.com/993453 SUSE Bug 993453