SUSE-SU-2017:1690-1: moderate: Security update for postgresql94

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Mon Jun 26 10:11:56 MDT 2017 

   SUSE Security Update: Security update for postgresql94
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:1690-1
Rating:             moderate
References:         #1037603 #1037624 #1038293 
Cross-References:   CVE-2017-7484 CVE-2017-7485 CVE-2017-7486
                   
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP2
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for postgresql94 to 9.4.12 fixes the following issues:

   Upstream changelogs:

   - https://www.postgresql.org/docs/9.4/static/release-9-4-12.html
   - https://www.postgresql.org/docs/9.4/static/release-9-4-11.html
   - https://www.postgresql.org/docs/9.4/static/release-9-4-10.html

   Security issues fixed:

   * CVE-2017-7486: Restrict visibility of pg_user_mappings.umoptions, to
     protect passwords stored as user mapping options. (bsc#1037624)

     Please note that manual action is needed to fix this in existing
   databases See the upstream release notes for details.
   * CVE-2017-7485: recognize PGREQUIRESSL variable again. (bsc#1038293)
   * CVE-2017-7484: Prevent exposure of statistical information via leaky
     operators. (bsc#1037603)

   Changes in version 9.4.12:

   * Build corruption with CREATE INDEX CONCURRENTLY
   * Fixes for visibility and write-ahead-log stability

   Changes in version 9.4.10:

   * Fix WAL-logging of truncation of relation free space maps and visibility
     maps
   * Fix incorrect creation of GIN index WAL records on big-endian machines
   * Fix SELECT FOR UPDATE/SHARE to correctly lock tuples that have been
     updated by a subsequently-aborted transaction
   * Fix EvalPlanQual rechecks involving CTE scans
   * Fix improper repetition of previous results from hashed aggregation in a
     subquery

   The libraries libpq and libecpg are now supplied by postgresql 9.6.


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-1039=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-1039=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-1039=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-1039=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      postgresql94-devel-9.4.12-20.1
      postgresql94-devel-debuginfo-9.4.12-20.1
      postgresql94-libs-debugsource-9.4.12-20.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      postgresql94-9.4.12-20.1
      postgresql94-contrib-9.4.12-20.1
      postgresql94-contrib-debuginfo-9.4.12-20.1
      postgresql94-debuginfo-9.4.12-20.1
      postgresql94-debugsource-9.4.12-20.1
      postgresql94-server-9.4.12-20.1
      postgresql94-server-debuginfo-9.4.12-20.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch):

      postgresql94-docs-9.4.12-20.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      postgresql94-9.4.12-20.1
      postgresql94-contrib-9.4.12-20.1
      postgresql94-contrib-debuginfo-9.4.12-20.1
      postgresql94-debuginfo-9.4.12-20.1
      postgresql94-debugsource-9.4.12-20.1
      postgresql94-server-9.4.12-20.1
      postgresql94-server-debuginfo-9.4.12-20.1

   - SUSE Linux Enterprise Server 12-SP2 (noarch):

      postgresql94-docs-9.4.12-20.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      postgresql94-9.4.12-20.1
      postgresql94-debuginfo-9.4.12-20.1
      postgresql94-debugsource-9.4.12-20.1


References:

   https://www.suse.com/security/cve/CVE-2017-7484.html
   https://www.suse.com/security/cve/CVE-2017-7485.html
   https://www.suse.com/security/cve/CVE-2017-7486.html
   https://bugzilla.suse.com/1037603
   https://bugzilla.suse.com/1037624
   https://bugzilla.suse.com/1038293

More information about the sle-security-updates mailing list