Security update for postgresql93

Announcement ID:	SUSE-SU-2015:1821-1
Rating:	moderate
References:	bsc#949669 bsc#949670
Cross-References:	CVE-2015-5288 CVE-2015-5289
CVSS scores:
Affected Products:	SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Software Development Kit 12

An update that solves two vulnerabilities can now be installed.

Description:

The PostreSQL database postgresql93 was updated to the bugfix release 9.3.10:

Security issues fixed: - CVE-2015-5289, bsc#949670: json or jsonb input values constructed from arbitrary user input can crash the PostgreSQL server and cause a denial of service. - CVE-2015-5288, bsc#949669: The crypt() function included with the optional pgCrypto extension could be exploited to read a few additional bytes of memory. No working exploit for this issue has been developed.

For the full release notes, see: http://www.postgresql.org/docs/current/static/release-9-3-10.html

Other bugs fixed: * Move systemd related stuff and user creation to postgresql-init. * Remove some obsolete %suse_version conditionals. * Relax dependency on libpq to major version. * Fix possible failure to recover from an inconsistent database state. See full release notes for details. * Fix rare failure to invalidate relation cache init file. * Avoid deadlock between incoming sessions and CREATE/DROP DATABASE. * Improve planner's cost estimates for semi-joins and anti-joins with inner indexscans * For the full release notes for 9.3.9 see: http://www.postgresql.org/docs/9.3/static/release-9-3-9.html

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12
  zypper in -t patch SUSE-SLE-DESKTOP-12-2015-746=1
• SUSE Linux Enterprise Software Development Kit 12
  zypper in -t patch SUSE-SLE-SDK-12-2015-746=1
• SUSE Linux Enterprise Server 12
  zypper in -t patch SUSE-SLE-SERVER-12-2015-746=1
• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SERVER-12-2015-746=1

Package List:

• SUSE Linux Enterprise Desktop 12 (x86_64)
  • postgresql93-debuginfo-9.3.10-11.1
  • postgresql93-libs-debugsource-9.3.10-11.1
  • postgresql93-debugsource-9.3.10-11.1
  • postgresql93-9.3.10-11.1
• SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64)
  • postgresql93-devel-debuginfo-9.3.10-11.1
  • postgresql93-libs-debugsource-9.3.10-11.1
  • postgresql93-devel-9.3.10-11.1
• SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64)
  • postgresql93-server-9.3.10-11.1
  • postgresql93-libs-debugsource-9.3.10-11.1
  • postgresql93-debuginfo-9.3.10-11.1
  • postgresql93-server-debuginfo-9.3.10-11.1
  • postgresql93-contrib-debuginfo-9.3.10-11.1
  • postgresql93-debugsource-9.3.10-11.1
  • postgresql93-contrib-9.3.10-11.1
  • postgresql93-9.3.10-11.1
• SUSE Linux Enterprise Server 12 (noarch)
  • postgresql93-docs-9.3.10-11.1
• SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
  • postgresql93-server-9.3.10-11.1
  • postgresql93-libs-debugsource-9.3.10-11.1
  • postgresql93-debuginfo-9.3.10-11.1
  • postgresql93-server-debuginfo-9.3.10-11.1
  • postgresql93-contrib-debuginfo-9.3.10-11.1
  • postgresql93-debugsource-9.3.10-11.1
  • postgresql93-contrib-9.3.10-11.1
  • postgresql93-9.3.10-11.1
• SUSE Linux Enterprise Server for SAP Applications 12 (noarch)
  • postgresql93-docs-9.3.10-11.1

References:

• https://www.suse.com/security/cve/CVE-2015-5288.html
• https://www.suse.com/security/cve/CVE-2015-5289.html
• https://bugzilla.suse.com/show_bug.cgi?id=949669
• https://bugzilla.suse.com/show_bug.cgi?id=949670