SUSE-SU-2024:4052-1: important: Security update for postgresql, postgresql16, postgresql17

SLE-SECURITY-UPDATES null at suse.de
Mon Nov 25 20:30:11 UTC 2024



# Security update for postgresql, postgresql16, postgresql17

Announcement ID: SUSE-SU-2024:4052-1  
Release Date: 2024-11-25T16:10:44Z  
Rating: important  
References:

  * bsc#1219340
  * bsc#1230423
  * bsc#1233323
  * bsc#1233325
  * bsc#1233326
  * bsc#1233327
  * jsc#PED-11514

  
Cross-References:

  * CVE-2024-10976
  * CVE-2024-10977
  * CVE-2024-10978
  * CVE-2024-10979

  
CVSS scores:

  * CVE-2024-10976 ( SUSE ):  4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
  * CVE-2024-10976 ( NVD ):  4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
  * CVE-2024-10977 ( SUSE ):  3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
  * CVE-2024-10977 ( NVD ):  3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
  * CVE-2024-10978 ( SUSE ):  4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
  * CVE-2024-10978 ( NVD ):  4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
  * CVE-2024-10979 ( SUSE ):  8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2024-10979 ( NVD ):  8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  
Affected Products:

  * SUSE Linux Enterprise High Performance Computing 12 SP5
  * SUSE Linux Enterprise Server 12 SP5
  * SUSE Linux Enterprise Server 12 SP5 LTSS 12-SP5
  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security 12-SP5
  * SUSE Linux Enterprise Server for SAP Applications 12 SP5

  
  
An update that solves four vulnerabilities, contains one feature and has two
security fixes can now be installed.

## Description:

This update for postgresql, postgresql16, postgresql17 fixes the following
issues:

This update ships postgresql17 , and fixes security issues with postgresql16:

  * bsc#1230423: Relax the dependency of extensions on the server version from
    exact major.minor to greater or equal, after Tom Lane confirmed on the
    PostgreSQL packagers list that ABI stability is being taken care of between
    minor releases.

  * bsc#1219340: The last fix was not correct. Improve it by removing the
    dependency again and call fillup only if it is installed.

postgresql16 was updated to 16.6: * Repair ABI break for extensions that work
with struct ResultRelInfo. * Restore functionality of ALTER {ROLE|DATABASE} SET
role. * Fix cases where a logical replication slot's restart_lsn could go
backwards. * Avoid deleting still-needed WAL files during pg_rewind. * Fix race
conditions associated with dropping shared statistics entries. * Count index
scans in contrib/bloom indexes in the statistics views, such as the
pg_stat_user_indexes.idx_scan counter. * Fix crash when checking to see if an
index's opclass options have changed. * Avoid assertion failure caused by
disconnected NFA sub-graphs in regular expression parsing. *
https://www.postgresql.org/docs/release/16.6/

postgresql16 was updated to 16.5:

  * CVE-2024-10976, bsc#1233323: Ensure cached plans are marked as dependent on
    the calling role when RLS applies to a non-top-level table reference.
  * CVE-2024-10977, bsc#1233325: Make libpq discard error messages received
    during SSL or GSS protocol negotiation.
  * CVE-2024-10978, bsc#1233326: Fix unintended interactions between SET SESSION
    AUTHORIZATION and SET ROLE
  * CVE-2024-10979, bsc#1233327: Prevent trusted PL/Perl code from changing
    environment variables.
  * https://www.postgresql.org/about/news/p-2955/
  * https://www.postgresql.org/docs/release/16.5/

  * Don't build the libs and mini flavor anymore to hand over to PostgreSQL 17.

  * https://www.postgresql.org/about/news/p-2910/

postgresql17 is shipped in version 17.2:

  * CVE-2024-10976, bsc#1233323: Ensure cached plans are marked as dependent on
    the calling role when RLS applies to a non-top-level table reference.
  * CVE-2024-10977, bsc#1233325: Make libpq discard error messages received
    during SSL or GSS protocol negotiation.
  * CVE-2024-10978, bsc#1233326: Fix unintended interactions between SET SESSION
    AUTHORIZATION and SET ROLE
  * CVE-2024-10979, bsc#1233327: Prevent trusted PL/Perl code from changing
    environment variables.
  * https://www.postgresql.org/about/news/p-2955/
  * https://www.postgresql.org/docs/release/17.1/
  * https://www.postgresql.org/docs/release/17.2/

Upgrade to 17.2:

  * Repair ABI break for extensions that work with struct ResultRelInfo.
  * Restore functionality of ALTER {ROLE|DATABASE} SET role.
  * Fix cases where a logical replication slot's restart_lsn could go backwards.
  * Avoid deleting still-needed WAL files during pg_rewind.
  * Fix race conditions associated with dropping shared statistics entries.
  * Count index scans in contrib/bloom indexes in the statistics views, such as
    the pg_stat_user_indexes.idx_scan counter.
  * Fix crash when checking to see if an index's opclass options have changed.
  * Avoid assertion failure caused by disconnected NFA sub-graphs in regular
    expression parsing.

Upgrade to 17.0:

  * New memory management system for VACUUM, which reduces memory consumption
    and can improve overall vacuuming performance.
  * New SQL/JSON capabilities, including constructors, identity functions, and
    the JSON_TABLE() function, which converts JSON data into a table
    representation.
  * Various query performance improvements, including for sequential reads using
    streaming I/O, write throughput under high concurrency, and searches over
    multiple values in a btree index.
  * Logical replication enhancements, including:
  * Failover control
  * pg_createsubscriber, a utility that creates logical replicas from physical
    standbys
  * pg_upgrade now preserves replication slots on both publishers and
    subscribers
  * New client-side connection option, sslnegotiation=direct, that performs a
    direct TLS handshake to avoid a round-trip negotiation.
  * pg_basebackup now supports incremental backup.
  * COPY adds a new option, ON_ERROR ignore, that allows a copy operation to
    continue in the event of an error.
  * https://www.postgresql.org/about/news/p-2936/
  * https://www.postgresql.org/docs/17/release-17.html

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise Server 12 SP5 LTSS 12-SP5  
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2024-4052=1

  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security 12-SP5  
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2024-4052=1

## Package List:

  * SUSE Linux Enterprise Server 12 SP5 LTSS 12-SP5 (aarch64 ppc64le s390x
    x86_64)
    * postgresql16-contrib-16.6-3.21.1
    * libecpg6-debuginfo-17.2-3.5.1
    * postgresql16-16.6-3.21.1
    * postgresql16-debuginfo-16.6-3.21.1
    * libpq5-17.2-3.5.1
    * libpq5-debuginfo-17.2-3.5.1
    * postgresql16-plpython-16.6-3.21.1
    * postgresql16-plperl-debuginfo-16.6-3.21.1
    * postgresql16-debugsource-16.6-3.21.1
    * postgresql16-plperl-16.6-3.21.1
    * postgresql16-pltcl-16.6-3.21.1
    * postgresql16-pltcl-debuginfo-16.6-3.21.1
    * postgresql16-contrib-debuginfo-16.6-3.21.1
    * postgresql16-server-16.6-3.21.1
    * postgresql16-plpython-debuginfo-16.6-3.21.1
    * postgresql16-server-debuginfo-16.6-3.21.1
    * libecpg6-17.2-3.5.1
  * SUSE Linux Enterprise Server 12 SP5 LTSS 12-SP5 (noarch)
    * postgresql-pltcl-17-4.29.1
    * postgresql16-docs-16.6-3.21.1
    * postgresql-docs-17-4.29.1
    * postgresql-plpython-17-4.29.1
    * postgresql-17-4.29.1
    * postgresql-plperl-17-4.29.1
    * postgresql-contrib-17-4.29.1
    * postgresql-server-17-4.29.1
  * SUSE Linux Enterprise Server 12 SP5 LTSS 12-SP5 (s390x x86_64)
    * libpq5-32bit-17.2-3.5.1
    * libecpg6-debuginfo-32bit-17.2-3.5.1
    * libecpg6-32bit-17.2-3.5.1
    * libpq5-debuginfo-32bit-17.2-3.5.1
  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security 12-SP5 (x86_64)
    * libecpg6-debuginfo-17.2-3.5.1
    * postgresql16-16.6-3.21.1
    * postgresql16-debuginfo-16.6-3.21.1
    * postgresql16-pltcl-debuginfo-16.6-3.21.1
    * postgresql16-plperl-16.6-3.21.1
    * libecpg6-debuginfo-32bit-17.2-3.5.1
    * libecpg6-32bit-17.2-3.5.1
    * libpq5-debuginfo-32bit-17.2-3.5.1
    * postgresql16-plpython-debuginfo-16.6-3.21.1
    * libpq5-32bit-17.2-3.5.1
    * libpq5-debuginfo-17.2-3.5.1
    * postgresql16-pltcl-16.6-3.21.1
    * postgresql16-contrib-debuginfo-16.6-3.21.1
    * postgresql16-server-debuginfo-16.6-3.21.1
    * postgresql16-contrib-16.6-3.21.1
    * libpq5-17.2-3.5.1
    * postgresql16-plpython-16.6-3.21.1
    * postgresql16-plperl-debuginfo-16.6-3.21.1
    * libecpg6-17.2-3.5.1
    * postgresql16-debugsource-16.6-3.21.1
    * postgresql16-server-16.6-3.21.1
  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security 12-SP5 (noarch)
    * postgresql-pltcl-17-4.29.1
    * postgresql16-docs-16.6-3.21.1
    * postgresql-docs-17-4.29.1
    * postgresql-plpython-17-4.29.1
    * postgresql-17-4.29.1
    * postgresql-plperl-17-4.29.1
    * postgresql-contrib-17-4.29.1
    * postgresql-server-17-4.29.1

## References:

  * https://www.suse.com/security/cve/CVE-2024-10976.html
  * https://www.suse.com/security/cve/CVE-2024-10977.html
  * https://www.suse.com/security/cve/CVE-2024-10978.html
  * https://www.suse.com/security/cve/CVE-2024-10979.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1219340
  * https://bugzilla.suse.com/show_bug.cgi?id=1230423
  * https://bugzilla.suse.com/show_bug.cgi?id=1233323
  * https://bugzilla.suse.com/show_bug.cgi?id=1233325
  * https://bugzilla.suse.com/show_bug.cgi?id=1233326
  * https://bugzilla.suse.com/show_bug.cgi?id=1233327
  * https://jira.suse.com/browse/PED-11514

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20241125/b955c120/attachment.htm>


More information about the sle-security-updates mailing list