Security update for postgresql94 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2392-1 Final 1 1 2017-09-08T12:09:21Z current 2017-09-08T12:09:21Z 2017-09-08T12:09:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql94 This update for postgresql94 fixes the following issues: * CVE-2017-7547: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1051685) * CVE-2017-7546: Disallow empty passwords in all password-based authentication methods. (bsc#1051684) * CVE-2017-7548: lo_put() function ignores ACLs. (bsc#1053259) This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-09/msg00020.html E-Mail link for openSUSE-SU-2017:2392-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 postgresql94-9.4.13-12.1 postgresql94-contrib-9.4.13-12.1 postgresql94-devel-9.4.13-12.1 postgresql94-docs-9.4.13-12.1 postgresql94-libs-9.4.13-12.1 postgresql94-plperl-9.4.13-12.1 postgresql94-plpython-9.4.13-12.1 postgresql94-pltcl-9.4.13-12.1 postgresql94-server-9.4.13-12.1 postgresql94-test-9.4.13-12.1 postgresql94-9.4.13-12.1 as a component of openSUSE Leap 42.2 postgresql94-contrib-9.4.13-12.1 as a component of openSUSE Leap 42.2 postgresql94-devel-9.4.13-12.1 as a component of openSUSE Leap 42.2 postgresql94-docs-9.4.13-12.1 as a component of openSUSE Leap 42.2 postgresql94-libs-9.4.13-12.1 as a component of openSUSE Leap 42.2 postgresql94-plperl-9.4.13-12.1 as a component of openSUSE Leap 42.2 postgresql94-plpython-9.4.13-12.1 as a component of openSUSE Leap 42.2 postgresql94-pltcl-9.4.13-12.1 as a component of openSUSE Leap 42.2 postgresql94-server-9.4.13-12.1 as a component of openSUSE Leap 42.2 postgresql94-test-9.4.13-12.1 as a component of openSUSE Leap 42.2 postgresql94-9.4.13-12.1 as a component of openSUSE Leap 42.3 postgresql94-contrib-9.4.13-12.1 as a component of openSUSE Leap 42.3 postgresql94-devel-9.4.13-12.1 as a component of openSUSE Leap 42.3 postgresql94-docs-9.4.13-12.1 as a component of openSUSE Leap 42.3 postgresql94-libs-9.4.13-12.1 as a component of openSUSE Leap 42.3 postgresql94-plperl-9.4.13-12.1 as a component of openSUSE Leap 42.3 postgresql94-plpython-9.4.13-12.1 as a component of openSUSE Leap 42.3 postgresql94-pltcl-9.4.13-12.1 as a component of openSUSE Leap 42.3 postgresql94-server-9.4.13-12.1 as a component of openSUSE Leap 42.3 postgresql94-test-9.4.13-12.1 as a component of openSUSE Leap 42.3 PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password. CVE-2017-7546 openSUSE Leap 42.2:postgresql94-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-contrib-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-devel-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-docs-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-libs-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-plperl-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-plpython-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-pltcl-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-server-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-test-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-contrib-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-devel-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-docs-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-libs-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-plperl-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-plpython-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-pltcl-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-server-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-test-9.4.13-12.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-09/msg00020.html https://www.suse.com/security/cve/CVE-2017-7546.html CVE-2017-7546 https://bugzilla.suse.com/1051684 SUSE Bug 1051684 https://bugzilla.suse.com/1054365 SUSE Bug 1054365 https://bugzilla.suse.com/1140876 SUSE Bug 1140876 PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authenticated attackers to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. CVE-2017-7547 openSUSE Leap 42.2:postgresql94-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-contrib-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-devel-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-docs-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-libs-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-plperl-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-plpython-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-pltcl-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-server-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-test-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-contrib-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-devel-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-docs-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-libs-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-plperl-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-plpython-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-pltcl-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-server-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-test-9.4.13-12.1 moderate 4.9 AV:N/AC:M/Au:S/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-09/msg00020.html https://www.suse.com/security/cve/CVE-2017-7547.html CVE-2017-7547 https://bugzilla.suse.com/1051685 SUSE Bug 1051685 https://bugzilla.suse.com/1054365 SUSE Bug 1054365 https://bugzilla.suse.com/1140876 SUSE Bug 1140876 PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authenticated attackers with no privileges on a large object to overwrite the entire contents of the object, resulting in a denial of service. CVE-2017-7548 openSUSE Leap 42.2:postgresql94-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-contrib-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-devel-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-docs-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-libs-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-plperl-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-plpython-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-pltcl-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-server-9.4.13-12.1 openSUSE Leap 42.2:postgresql94-test-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-contrib-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-devel-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-docs-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-libs-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-plperl-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-plpython-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-pltcl-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-server-9.4.13-12.1 openSUSE Leap 42.3:postgresql94-test-9.4.13-12.1 important 8.5 AV:N/AC:L/Au:S/C:C/I:C/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-09/msg00020.html https://www.suse.com/security/cve/CVE-2017-7548.html CVE-2017-7548 https://bugzilla.suse.com/1053259 SUSE Bug 1053259 https://bugzilla.suse.com/1054365 SUSE Bug 1054365 https://bugzilla.suse.com/1140876 SUSE Bug 1140876