openSUSE Security Update : postgresql93 (openSUSE-2016-1140)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

The postgresql server postgresql93 was updated to 9.3.14 fixes the
following issues :

Update to version 9.3.14 :

- Fix possible mis-evaluation of nested CASE-WHEN
expressions (CVE-2016-5423, boo#993454)

- Fix client programs' handling of special characters in
database and role names (CVE-2016-5424, boo#993453)

- Fix corner-case misbehaviors for IS NULL/IS NOT NULL
applied to nested composite values

- Make the inet and cidr data types properly reject IPv6
addresses with too many colon-separated fields

- Prevent crash in close_ps() (the point ## lseg operator)
for NaN input coordinates

- Fix several one-byte buffer over-reads in to_number()

- Avoid unsafe intermediate state during expensive paths
through heap_update()

- For the other bug fixes, see the release notes:
https://www.postgresql.org/docs/9.3/static/release-9-3-1
4.html

Update to version 9.3.13 :

This update fixes several problems which caused downtime for users,
including :

- Clearing the OpenSSL error queue before OpenSSL calls,
preventing errors in SSL connections, particularly when
using the Python, Ruby or PHP OpenSSL wrappers

- Fixed the 'failed to build N-way joins' planner error

- Fixed incorrect handling of equivalence in multilevel
nestloop query plans, which could emit rows which didn't
match the WHERE clause.

- Prevented two memory leaks with using GIN indexes,
including a potential index corruption risk. The release
also includes many other bug fixes for reported issues,
many of which affect all supported versions :

- Fix corner-case parser failures occurring when
operator_precedence_warning is turned on

- Prevent possible misbehavior of TH, th, and Y,YYY format
codes in to_timestamp()

- Correct dumping of VIEWs and RULEs which use ANY (array)
in a subselect

- Disallow newlines in ALTER SYSTEM parameter values

- Avoid possible misbehavior after failing to remove a
tablespace symlink

- Fix crash in logical decoding on alignment-picky
platforms

- Avoid repeated requests for feedback from receiver while
shutting down walsender

- Multiple fixes for pg_upgrade

- Support building with Visual Studio 2015

- This update also contains tzdata release 2016d, with
updates for Russia, Venezuela, Kirov, and Tomsk.
http://www.postgresql.org/docs/current/static/release-9-
3-13.html

Update to version 9.3.12 :

- Fix two bugs in indexed ROW() comparisons

- Avoid data loss due to renaming files

- Prevent an error in rechecking rows in SELECT FOR
UPDATE/SHARE

- Fix bugs in multiple json_ and jsonb_ functions

- Log lock waits for INSERT ON CONFLICT correctly

- Ignore recovery_min_apply_delay until reaching a
consistent state

- Fix issue with pg_subtrans XID wraparound

- Fix assorted bugs in Logical Decoding

- Fix planner error with nested security barrier views

- Prevent memory leak in GIN indexes

- Fix two issues with ispell dictionaries

- Avoid a crash on old Windows versions

- Skip creating an erroneous delete script in pg_upgrade

- Correctly translate empty arrays into PL/Perl

- Make PL/Python cope with identifier names

For the full release notes, see:
http://www.postgresql.org/docs/9.4/static/release-9-3-12.html

See also :

http://www.postgresql.org/docs/9.4/static/release-9-3-12.html
http://www.postgresql.org/docs/current/static/release-9-3-13.html
https://bugzilla.opensuse.org/show_bug.cgi?id=993453
https://bugzilla.opensuse.org/show_bug.cgi?id=993454
https://www.postgresql.org/docs/9.3/static/release-9-3-14.html

Solution :

Update the affected postgresql93 packages.

Risk factor :

Medium / CVSS Base Score : 6.5
(CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)

Family: SuSE Local Security Checks

Nessus Plugin ID: 93825 ()

Bugtraq ID:

CVE ID: CVE-2016-5423
CVE-2016-5424

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now