openSUSE Security Update : postgresql93 (openSUSE-2016-1140)

high Nessus Plugin ID 93825

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

The postgresql server postgresql93 was updated to 9.3.14 fixes the following issues :

Update to version 9.3.14 :

- Fix possible mis-evaluation of nested CASE-WHEN expressions (CVE-2016-5423, boo#993454)

- Fix client programs' handling of special characters in database and role names (CVE-2016-5424, boo#993453)

- Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied to nested composite values

- Make the inet and cidr data types properly reject IPv6 addresses with too many colon-separated fields

- Prevent crash in close_ps() (the point ## lseg operator) for NaN input coordinates

- Fix several one-byte buffer over-reads in to_number()

- Avoid unsafe intermediate state during expensive paths through heap_update()

- For the other bug fixes, see the release notes:
https://www.postgresql.org/docs/9.3/static/release-9-3-1 4.html

Update to version 9.3.13 :

This update fixes several problems which caused downtime for users, including :

- Clearing the OpenSSL error queue before OpenSSL calls, preventing errors in SSL connections, particularly when using the Python, Ruby or PHP OpenSSL wrappers

- Fixed the 'failed to build N-way joins' planner error

- Fixed incorrect handling of equivalence in multilevel nestloop query plans, which could emit rows which didn't match the WHERE clause.

- Prevented two memory leaks with using GIN indexes, including a potential index corruption risk. The release also includes many other bug fixes for reported issues, many of which affect all supported versions :

- Fix corner-case parser failures occurring when operator_precedence_warning is turned on

- Prevent possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp()

- Correct dumping of VIEWs and RULEs which use ANY (array) in a subselect

- Disallow newlines in ALTER SYSTEM parameter values

- Avoid possible misbehavior after failing to remove a tablespace symlink

- Fix crash in logical decoding on alignment-picky platforms

- Avoid repeated requests for feedback from receiver while shutting down walsender

- Multiple fixes for pg_upgrade

- Support building with Visual Studio 2015

- This update also contains tzdata release 2016d, with updates for Russia, Venezuela, Kirov, and Tomsk.
http://www.postgresql.org/docs/current/static/release-9- 3-13.html

Update to version 9.3.12 :

- Fix two bugs in indexed ROW() comparisons

- Avoid data loss due to renaming files

- Prevent an error in rechecking rows in SELECT FOR UPDATE/SHARE

- Fix bugs in multiple json_ and jsonb_ functions

- Log lock waits for INSERT ON CONFLICT correctly

- Ignore recovery_min_apply_delay until reaching a consistent state

- Fix issue with pg_subtrans XID wraparound

- Fix assorted bugs in Logical Decoding

- Fix planner error with nested security barrier views

- Prevent memory leak in GIN indexes

- Fix two issues with ispell dictionaries

- Avoid a crash on old Windows versions

- Skip creating an erroneous delete script in pg_upgrade

- Correctly translate empty arrays into PL/Perl

- Make PL/Python cope with identifier names

For the full release notes, see:
http://www.postgresql.org/docs/9.4/static/release-9-3-12.html

Solution

Update the affected postgresql93 packages.

See Also

https://www.postgresql.org/docs/9.4/release-9-3-12.html

https://www.postgresql.org/docs/current/release-9-3-13.html

https://bugzilla.opensuse.org/show_bug.cgi?id=993453

https://bugzilla.opensuse.org/show_bug.cgi?id=993454

https://www.postgresql.org/docs/9.3/release-9-3-14.html

Plugin Details

Severity: High

ID: 93825

File Name: openSUSE-2016-1140.nasl

Version: 2.8

Type: local

Agent: unix

Published: 10/3/2016

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 8.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libpq5-debuginfo-32bit, p-cpe:/a:novell:opensuse:postgresql93, p-cpe:/a:novell:opensuse:postgresql93-contrib, p-cpe:/a:novell:opensuse:postgresql93-contrib-debuginfo, p-cpe:/a:novell:opensuse:postgresql93-debuginfo, p-cpe:/a:novell:opensuse:postgresql93-debugsource, p-cpe:/a:novell:opensuse:postgresql93-devel, p-cpe:/a:novell:opensuse:postgresql93-devel-debuginfo, p-cpe:/a:novell:opensuse:postgresql93-libs-debugsource, p-cpe:/a:novell:opensuse:postgresql93-plperl, p-cpe:/a:novell:opensuse:postgresql93-plperl-debuginfo, p-cpe:/a:novell:opensuse:postgresql93-plpython, p-cpe:/a:novell:opensuse:postgresql93-plpython-debuginfo, p-cpe:/a:novell:opensuse:postgresql93-pltcl, p-cpe:/a:novell:opensuse:postgresql93-pltcl-debuginfo, p-cpe:/a:novell:opensuse:postgresql93-server, p-cpe:/a:novell:opensuse:postgresql93-server-debuginfo, p-cpe:/a:novell:opensuse:postgresql93-test, cpe:/o:novell:opensuse:13.2, p-cpe:/a:novell:opensuse:libecpg6, p-cpe:/a:novell:opensuse:libecpg6-32bit, p-cpe:/a:novell:opensuse:libecpg6-debuginfo, p-cpe:/a:novell:opensuse:libecpg6-debuginfo-32bit, p-cpe:/a:novell:opensuse:libpq5, p-cpe:/a:novell:opensuse:libpq5-32bit, p-cpe:/a:novell:opensuse:libpq5-debuginfo

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 9/30/2016

Reference Information

CVE: CVE-2016-5423, CVE-2016-5424