openSUSE Security Update : postgresql95 (openSUSE-2018-204)

High Nessus Plugin ID 106965

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for postgresql95 fixes the following issues :

Upate to PostgreSQL 9.5.11 :

Security issues fixed :

- https://www.postgresql.org/docs/9.5/static/release-9-5-11.html

- CVE-2018-1053, boo#1077983: Ensure that all temporary files made by pg_upgrade are non-world-readable.

- boo#1079757: Rename pg_rewind's copy_file_range function to avoid conflict with new Linux system call of that name.

In version 9.5.10 :

- https://www.postgresql.org/docs/9.5/static/release-9-5-10.html

- CVE-2017-15098, boo#1067844: Memory disclosure in JSON functions.

- CVE-2017-15099, boo#1067841: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges.

In version 9.5.9 :

- https://www.postgresql.org/docs/9.5/static/release-9-5-9.html

- Show foreign tables in information_schema.table_privileges view.

- Clean up handling of a fatal exit (e.g., due to receipt of SIGTERM) that occurs while trying to execute a ROLLBACK of a failed transaction.

- Remove assertion that could trigger during a fatal exit.

- Correctly identify columns that are of a range type or domain type over a composite type or domain type being searched for.

- Fix crash in pg_restore when using parallel mode and using a list file to select a subset of items to restore.

- Change ecpg's parser to allow RETURNING clauses without attached C variables.

In version 9.5.8

- https://www.postgresql.org/docs/9.5/static/release-9-5-8.html

- CVE-2017-7547, boo#1051685: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options.

- CVE-2017-7546, boo#1051684: Disallow empty passwords in all password-based authentication methods.

- CVE-2017-7548, boo#1053259: lo_put() function ignores ACLs.

Solution

Update the affected postgresql95 packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1051684

https://bugzilla.opensuse.org/show_bug.cgi?id=1051685

https://bugzilla.opensuse.org/show_bug.cgi?id=1053259

https://bugzilla.opensuse.org/show_bug.cgi?id=1067841

https://bugzilla.opensuse.org/show_bug.cgi?id=1067844

https://bugzilla.opensuse.org/show_bug.cgi?id=1077983

https://bugzilla.opensuse.org/show_bug.cgi?id=1079757

https://www.postgresql.org/docs/9.5/release-9-5-10.html

https://www.postgresql.org/docs/9.5/release-9-5-11.html

https://www.postgresql.org/docs/9.5/release-9-5-8.html

https://www.postgresql.org/docs/9.5/release-9-5-9.html

Plugin Details

Severity: High

ID: 106965

File Name: openSUSE-2018-204.nasl

Version: 3.2

Type: local

Agent: unix

Published: 2018/02/23

Modified: 2018/12/18

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:postgresql95, p-cpe:/a:novell:opensuse:postgresql95-contrib, p-cpe:/a:novell:opensuse:postgresql95-contrib-debuginfo, p-cpe:/a:novell:opensuse:postgresql95-debuginfo, p-cpe:/a:novell:opensuse:postgresql95-debugsource, p-cpe:/a:novell:opensuse:postgresql95-devel, p-cpe:/a:novell:opensuse:postgresql95-devel-debuginfo, p-cpe:/a:novell:opensuse:postgresql95-libs-debugsource, p-cpe:/a:novell:opensuse:postgresql95-plperl, p-cpe:/a:novell:opensuse:postgresql95-plperl-debuginfo, p-cpe:/a:novell:opensuse:postgresql95-plpython, p-cpe:/a:novell:opensuse:postgresql95-plpython-debuginfo, p-cpe:/a:novell:opensuse:postgresql95-pltcl, p-cpe:/a:novell:opensuse:postgresql95-pltcl-debuginfo, p-cpe:/a:novell:opensuse:postgresql95-server, p-cpe:/a:novell:opensuse:postgresql95-server-debuginfo, p-cpe:/a:novell:opensuse:postgresql95-test, cpe:/o:novell:opensuse:42.3

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2018/02/22

Reference Information

CVE: CVE-2017-15098, CVE-2017-15099, CVE-2017-7546, CVE-2017-7547, CVE-2017-7548, CVE-2018-1053