[security-announce] openSUSE-SU-2016:2425-1: important: Security update for postgresql93

[news 28]

openSUSE Security Update: Security update for postgresql93

______________________________________________________________________________

 

Announcement ID: openSUSE-SU-2016:2425-1

Rating: important

References: #993453 #993454

Cross-References: CVE-2016-5423 CVE-2016-5424

Affected Products:

openSUSE 13.2

______________________________________________________________________________

 

An update that fixes two vulnerabilities is now available.

 

Description:

 

 

The postgresql server postgresql93 was updated to 9.3.14 fixes the

following issues:

 

Update to version 9.3.14:

* Fix possible mis-evaluation of nested CASE-WHEN expressions

(CVE-2016-5423, boo#993454)

* Fix client programs' handling of special characters in database and role

names (CVE-2016-5424, boo#993453)

* Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied to nested

composite values

* Make the inet and cidr data types properly reject IPv6 addresses with

too many colon-separated fields

* Prevent crash in close_ps() (the point ## lseg operator) for NaN input

coordinates

* Fix several one-byte buffer over-reads in to_number()

* Avoid unsafe intermediate state during expensive paths through

heap_update()

* For the other bug fixes, see the release notes:

https://www.postgresql.org/docs/9.3/static/release-9-3-14.html

 

Update to version 9.3.13:

 

This update fixes several problems which caused downtime for users,

including:

- Clearing the OpenSSL error queue before OpenSSL calls, preventing errors

in SSL connections, particularly when using the Python, Ruby or PHP

OpenSSL wrappers

- Fixed the "failed to build N-way joins" planner error

- Fixed incorrect handling of equivalence in multilevel nestloop query

plans, which could emit rows which didn't match the WHERE clause.

- Prevented two memory leaks with using GIN indexes, including a potential

index corruption risk. The release also includes many other bug fixes

for reported issues, many of which affect all supported versions:

- Fix corner-case parser failures occurring when

operator_precedence_warning is turned on

- Prevent possible misbehavior of TH, th, and Y,YYY format codes in

to_timestamp()

- Correct dumping of VIEWs and RULEs which use ANY (array) in a subselect

- Disallow newlines in ALTER SYSTEM parameter values

- Avoid possible misbehavior after failing to remove a tablespace symlink

- Fix crash in logical decoding on alignment-picky platforms

- Avoid repeated requests for feedback from receiver while shutting down

walsender

- Multiple fixes for pg_upgrade

- Support building with Visual Studio 2015

- This update also contains tzdata release 2016d, with updates for Russia,

Venezuela, Kirov, and Tomsk.

http://www.postgresql.org/docs/current/static/release-9-3-13.html

 

Update to version 9.3.12:

 

- Fix two bugs in indexed ROW() comparisons

- Avoid data loss due to renaming files

- Prevent an error in rechecking rows in SELECT FOR UPDATE/SHARE

- Fix bugs in multiple json_ and jsonb_ functions

- Log lock waits for INSERT ON CONFLICT correctly

- Ignore recovery_min_apply_delay until reaching a consistent state

- Fix issue with pg_subtrans XID wraparound

- Fix assorted bugs in Logical Decoding

- Fix planner error with nested security barrier views

- Prevent memory leak in GIN indexes

- Fix two issues with ispell dictionaries

- Avoid a crash on old Windows versions

- Skip creating an erroneous delete script in pg_upgrade

- Correctly translate empty arrays into PL/Perl

- Make PL/Python cope with identifier names

 

For the full release notes, see:

http://www.postgresql.org/docs/9.4/static/release-9-3-12.html

 

 

Patch Instructions:

 

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- openSUSE 13.2:

 

zypper in -t patch openSUSE-2016-1140=1

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- openSUSE 13.2 (i586 x86_64):

 

libecpg6-9.3.14-2.13.1

libecpg6-debuginfo-9.3.14-2.13.1

libpq5-9.3.14-2.13.1

libpq5-debuginfo-9.3.14-2.13.1

postgresql93-9.3.14-2.13.1

postgresql93-contrib-9.3.14-2.13.1

postgresql93-contrib-debuginfo-9.3.14-2.13.1

postgresql93-debuginfo-9.3.14-2.13.1

postgresql93-debugsource-9.3.14-2.13.1

postgresql93-devel-9.3.14-2.13.1

postgresql93-devel-debuginfo-9.3.14-2.13.1

postgresql93-libs-debugsource-9.3.14-2.13.1

postgresql93-plperl-9.3.14-2.13.1

postgresql93-plperl-debuginfo-9.3.14-2.13.1

postgresql93-plpython-9.3.14-2.13.1

postgresql93-plpython-debuginfo-9.3.14-2.13.1

postgresql93-pltcl-9.3.14-2.13.1

postgresql93-pltcl-debuginfo-9.3.14-2.13.1

postgresql93-server-9.3.14-2.13.1

postgresql93-server-debuginfo-9.3.14-2.13.1

postgresql93-test-9.3.14-2.13.1

 

- openSUSE 13.2 (noarch):

 

postgresql93-docs-9.3.14-2.13.1

 

- openSUSE 13.2 (x86_64):

 

libecpg6-32bit-9.3.14-2.13.1

libecpg6-debuginfo-32bit-9.3.14-2.13.1

libpq5-32bit-9.3.14-2.13.1

libpq5-debuginfo-32bit-9.3.14-2.13.1

 

 

References:

 

https://www.suse.com/security/cve/CVE-2016-5423.html

https://www.suse.com/security/cve/CVE-2016-5424.html

https://bugzilla.suse.com/993453

https://bugzilla.suse.com/993454

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org