openSUSE Security Update : postgresql / postgresql96 / postgresql10 / etc (openSUSE-2020-1228)

Medium Nessus Plugin ID 139765

VPR Score: 5.9

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for postgresql, postgresql96, postgresql10, postgresql12 fixes the following issues:

postgresql12 was updated to 12.3 (bsc#1171924).

- https://www.postgresql.org/about/news/2038/

- https://www.postgresql.org/docs/12/release-12-3.html

- Let postgresqlXX conflict with postgresql-noarch < 12.0.1 to get a clean and complete cutover to the new packaging schema.

Also changed in the postgresql wrapper package :

- Bump version to 12.0.1, so that the binary packages also have a cut-point to conflict with.

- Conflict with versions of the binary packages prior to the May 2020 update, because we changed the package layout at that point and need a clean cutover.

- Bump package version to 12, but leave default at 10 for SLE-15 and SLE-15-SP1.

postgresql11 was updated to 11.9:

- CVE-2020-14349, bsc#1175193: Set a secure search_path in logical replication walsenders and apply workers.

- CVE-2020-14350, bsc#1175194: Make contrib modules' installation scripts more secure.

- https://www.postgresql.org/docs/11/release-11-9.html

- Pack the /usr/lib/postgresql symlink only into the main package.

postgresql11 was updated to 11.8 (bsc#1171924).

- https://www.postgresql.org/about/news/2038/

- https://www.postgresql.org/docs/11/release-11-8.html

- Unify the spec file to work across all current PostgreSQL versions to simplify future maintenance.

- Move from the 'libs' build flavour to a 'mini' package that will only be used inside the build service and not get shipped, to avoid confusion with the debuginfo packages (bsc#1148643).

postgresql10 was updated to 10.13 (bsc#1171924).

- https://www.postgresql.org/about/news/2038/

- https://www.postgresql.org/docs/10/release-10-13.html

- Unify the spec file to work across all current PostgreSQL versions to simplify future maintenance.

- Move from the 'libs' build flavour to a 'mini' package that will only be used inside the build service and not get shipped, to avoid confusion with the debuginfo packages (bsc#1148643).

postgresql96 was updated to 9.6.19:

- CVE-2020-14350, boo#1175194: Make contrib modules' installation scripts more secure.

- https://www.postgresql.org/docs/9.6/release-9-6-19.html

- Pack the /usr/lib/postgresql symlink only into the main package.

- Let postgresqlXX conflict with postgresql-noarch < 12.0.1 to get a clean and complete cutover to the new packaging schema.

- Update to 9.6.18 (boo#1171924).

- https://www.postgresql.org/about/news/2038/

- https://www.postgresql.org/docs/9.6/release-9-6-18.html

- Unify the spec file to work across all current PostgreSQL versions to simplify future maintenance.

- Move from the 'libs' build flavour to a 'mini' package that will only be used inside the build service and not get shipped, to avoid confusion with the debuginfo packages (boo#1148643).

This update was imported from the SUSE:SLE-15-SP2:Update update project.

Solution

Update the affected postgresql / postgresql96 / postgresql10 / etc packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1148643

https://bugzilla.opensuse.org/show_bug.cgi?id=1171924

https://bugzilla.opensuse.org/show_bug.cgi?id=1175193

https://bugzilla.opensuse.org/show_bug.cgi?id=1175194

https://www.postgresql.org/about/news/2038/

https://www.postgresql.org/docs/10/release-10-13.html

https://www.postgresql.org/docs/11/release-11-8.html

https://www.postgresql.org/docs/11/release-11-9.html

https://www.postgresql.org/docs/12/release-12-3.html

https://www.postgresql.org/docs/9.6/release-9-6-18.html

https://www.postgresql.org/docs/9.6/release-9-6-19.html

Plugin Details

Severity: Medium

ID: 139765

File Name: openSUSE-2020-1228.nasl

Version: 1.7

Type: local

Agent: unix

Published: 2020/08/24

Updated: 2020/12/04

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 5.9

CVSS Score Source: CVE-2020-14349

CVSS v2.0

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libecpg6, p-cpe:/a:novell:opensuse:libecpg6-32bit, p-cpe:/a:novell:opensuse:libecpg6-32bit-debuginfo, p-cpe:/a:novell:opensuse:libecpg6-debuginfo, p-cpe:/a:novell:opensuse:libpq5, p-cpe:/a:novell:opensuse:libpq5-32bit, p-cpe:/a:novell:opensuse:libpq5-32bit-debuginfo, p-cpe:/a:novell:opensuse:libpq5-debuginfo, p-cpe:/a:novell:opensuse:postgresql, p-cpe:/a:novell:opensuse:postgresql-contrib, p-cpe:/a:novell:opensuse:postgresql-devel, p-cpe:/a:novell:opensuse:postgresql-llvmjit, p-cpe:/a:novell:opensuse:postgresql-plperl, p-cpe:/a:novell:opensuse:postgresql-plpython, p-cpe:/a:novell:opensuse:postgresql-pltcl, p-cpe:/a:novell:opensuse:postgresql-server, p-cpe:/a:novell:opensuse:postgresql-server-devel, p-cpe:/a:novell:opensuse:postgresql-test, p-cpe:/a:novell:opensuse:postgresql10, p-cpe:/a:novell:opensuse:postgresql10-contrib, p-cpe:/a:novell:opensuse:postgresql10-contrib-debuginfo, p-cpe:/a:novell:opensuse:postgresql10-debuginfo, p-cpe:/a:novell:opensuse:postgresql10-debugsource, p-cpe:/a:novell:opensuse:postgresql10-devel, p-cpe:/a:novell:opensuse:postgresql10-devel-debuginfo, p-cpe:/a:novell:opensuse:postgresql10-plperl, p-cpe:/a:novell:opensuse:postgresql10-plperl-debuginfo, p-cpe:/a:novell:opensuse:postgresql10-plpython, p-cpe:/a:novell:opensuse:postgresql10-plpython-debuginfo, p-cpe:/a:novell:opensuse:postgresql10-pltcl, p-cpe:/a:novell:opensuse:postgresql10-pltcl-debuginfo, p-cpe:/a:novell:opensuse:postgresql10-server, p-cpe:/a:novell:opensuse:postgresql10-server-debuginfo, p-cpe:/a:novell:opensuse:postgresql10-test, p-cpe:/a:novell:opensuse:postgresql11, p-cpe:/a:novell:opensuse:postgresql11-contrib, p-cpe:/a:novell:opensuse:postgresql11-contrib-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-debugsource, p-cpe:/a:novell:opensuse:postgresql11-devel, p-cpe:/a:novell:opensuse:postgresql11-devel-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-llvmjit, 
p-cpe:/a:novell:opensuse:postgresql11-llvmjit-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-plperl, p-cpe:/a:novell:opensuse:postgresql11-plperl-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-plpython, p-cpe:/a:novell:opensuse:postgresql11-plpython-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-pltcl, p-cpe:/a:novell:opensuse:postgresql11-pltcl-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-server, p-cpe:/a:novell:opensuse:postgresql11-server-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-server-devel, p-cpe:/a:novell:opensuse:postgresql11-server-devel-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-test, p-cpe:/a:novell:opensuse:postgresql12, p-cpe:/a:novell:opensuse:postgresql12-contrib, p-cpe:/a:novell:opensuse:postgresql12-contrib-debuginfo, p-cpe:/a:novell:opensuse:postgresql12-debuginfo, p-cpe:/a:novell:opensuse:postgresql12-debugsource, p-cpe:/a:novell:opensuse:postgresql12-devel, p-cpe:/a:novell:opensuse:postgresql12-devel-debuginfo, p-cpe:/a:novell:opensuse:postgresql12-llvmjit, p-cpe:/a:novell:opensuse:postgresql12-llvmjit-debuginfo, p-cpe:/a:novell:opensuse:postgresql12-plperl, p-cpe:/a:novell:opensuse:postgresql12-plperl-debuginfo, p-cpe:/a:novell:opensuse:postgresql12-plpython, p-cpe:/a:novell:opensuse:postgresql12-plpython-debuginfo, p-cpe:/a:novell:opensuse:postgresql12-pltcl, p-cpe:/a:novell:opensuse:postgresql12-pltcl-debuginfo, p-cpe:/a:novell:opensuse:postgresql12-server, p-cpe:/a:novell:opensuse:postgresql12-server-debuginfo, p-cpe:/a:novell:opensuse:postgresql12-server-devel, p-cpe:/a:novell:opensuse:postgresql12-server-devel-debuginfo, p-cpe:/a:novell:opensuse:postgresql12-test, p-cpe:/a:novell:opensuse:postgresql96, p-cpe:/a:novell:opensuse:postgresql96-contrib, p-cpe:/a:novell:opensuse:postgresql96-contrib-debuginfo, p-cpe:/a:novell:opensuse:postgresql96-debuginfo, p-cpe:/a:novell:opensuse:postgresql96-debugsource, p-cpe:/a:novell:opensuse:postgresql96-devel, p-cpe:/a:novell:opensuse:postgresql96-devel-debuginfo, 
p-cpe:/a:novell:opensuse:postgresql96-plperl, p-cpe:/a:novell:opensuse:postgresql96-plperl-debuginfo, p-cpe:/a:novell:opensuse:postgresql96-plpython, p-cpe:/a:novell:opensuse:postgresql96-plpython-debuginfo, p-cpe:/a:novell:opensuse:postgresql96-pltcl, p-cpe:/a:novell:opensuse:postgresql96-pltcl-debuginfo, p-cpe:/a:novell:opensuse:postgresql96-server, p-cpe:/a:novell:opensuse:postgresql96-server-debuginfo, p-cpe:/a:novell:opensuse:postgresql96-test, cpe:/o:novell:opensuse:15.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 2020/08/17

Vulnerability Publication Date: 2020/08/24

Reference Information

CVE: CVE-2020-14349, CVE-2020-14350

IAVB: 2020-B-0047-S