Security update for postgresql94

Announcement ID: SUSE-SU-2016:0677-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2016-0766 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2016-0766 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2016-0773 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • SLES for SAP Applications 11-SP4
  • SUSE Linux Enterprise Desktop 11 SP4
  • SUSE Linux Enterprise Server 11 SP4
  • SUSE Linux Enterprise Software Development Kit 11 SP4

An update that solves five vulnerabilities can now be installed.

Description:

This update for postgresql94 fixes the following issues:

  • Security and bugfix release 9.4.6:
  • IMPORTANT Users of version 9.4 will need to reindex any jsonb_path_ops indexes they have created, in order to fix a persistent issue with missing index entries.
  • Fix infinite loops and buffer-overrun problems in regular expressions (CVE-2016-0773, bsc#966436).
  • Fix regular-expression compiler to handle loops of constraint arcs (CVE-2007-4772).
  • Prevent certain PL/Java parameters from being set by non-superusers (CVE-2016-0766, bsc#966435).
  • Fix many issues in pg_dump with specific object types
  • Prevent over-eager pushdown of HAVING clauses for GROUPING SETS
  • Fix deparsing error with ON CONFLICT ... WHERE clauses
  • Fix tableoid errors for postgres_fdw
  • Prevent floating-point exceptions in pgbench
  • Make \det search Foreign Table names consistently
  • Fix quoting of domain constraint names in pg_dump
  • Prevent putting expanded objects into Const nodes
  • Allow compile of PL/Java on Windows
  • Fix "unresolved symbol" errors in PL/Python execution
  • Allow Python2 and Python3 to be used in the same database
  • Add support for Python 3.5 in PL/Python
  • Fix issue with subdirectory creation during initdb
  • Make pg_ctl report status correctly on Windows
  • Suppress confusing error when using pg_receivexlog with older servers
  • Multiple documentation corrections and additions
  • Fix erroneous hash calculations in gin_extract_jsonb_path()
  • For the full release notse, see: http://www.postgresql.org/docs/9.4/static/release-9-4-6.html

  • Security and bugfix release 9.4.5:

  • CVE-2015-5289, bsc#949670: json or jsonb input values constructed from arbitrary user input can crash the PostgreSQL server and cause a denial of service.
  • CVE-2015-5288, bsc#949669: The crypt() function included with the optional pgCrypto extension could be exploited to read a few additional bytes of memory. No working exploit for this issue has been developed.
  • For the full release notse, see: http://www.postgresql.org/docs/current/static/release-9-4-5.html
  • Relax dependency on libpq to major version.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Desktop 11 SP4
    zypper in -t patch sledsp4-postgresql94-12440=1
  • SUSE Linux Enterprise Software Development Kit 11 SP4
    zypper in -t patch sdksp4-postgresql94-12440=1
  • SUSE Linux Enterprise Server 11 SP4
    zypper in -t patch slessp4-postgresql94-12440=1
  • SLES for SAP Applications 11-SP4
    zypper in -t patch slessp4-postgresql94-12440=1

Package List:

  • SUSE Linux Enterprise Desktop 11 SP4 (x86_64 i586)
    • libecpg6-9.4.6-0.14.3
    • libpq5-9.4.6-0.14.3
    • postgresql94-9.4.6-0.14.3
    • postgresql94-docs-9.4.6-0.14.3
  • SUSE Linux Enterprise Desktop 11 SP4 (x86_64)
    • libpq5-32bit-9.4.6-0.14.3
  • SUSE Linux Enterprise Software Development Kit 11 SP4 (s390x x86_64 i586 ppc64 ia64)
    • postgresql94-devel-9.4.6-0.14.3
  • SUSE Linux Enterprise Server 11 SP4 (s390x x86_64 i586 ppc64 ia64)
    • libecpg6-9.4.6-0.14.3
    • postgresql94-9.4.6-0.14.3
    • postgresql94-docs-9.4.6-0.14.3
    • postgresql94-server-9.4.6-0.14.3
    • libpq5-9.4.6-0.14.3
    • postgresql94-contrib-9.4.6-0.14.3
  • SUSE Linux Enterprise Server 11 SP4 (ppc64 s390x x86_64)
    • libpq5-32bit-9.4.6-0.14.3
  • SLES for SAP Applications 11-SP4 (ppc64 x86_64)
    • libecpg6-9.4.6-0.14.3
    • postgresql94-9.4.6-0.14.3
    • libpq5-32bit-9.4.6-0.14.3
    • postgresql94-docs-9.4.6-0.14.3
    • postgresql94-server-9.4.6-0.14.3
    • libpq5-9.4.6-0.14.3
    • postgresql94-contrib-9.4.6-0.14.3

References: