SUSE SLED15 / SLES15 Security Update : postgresql10 / postgresql12 (SUSE-SU-2020:2149-1)

medium Nessus Plugin ID 139407

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

This update for postgresql10 and postgresql12 fixes the following issues :

postgresql10 was updated to 10.13 (bsc#1171924).

https://www.postgresql.org/about/news/2038/ https://www.postgresql.org/docs/10/release-10-13.html

postgresql10 was updated to 10.12 (CVE-2020-1720, bsc#1163985)

https://www.postgresql.org/about/news/2011/

https://www.postgresql.org/docs/10/release-10-12.html

postgresql10 was updated to 10.11 :

https://www.postgresql.org/about/news/1994/

https://www.postgresql.org/docs/10/release-10-11.html

postgresql12 was updated to 12.3 (bsc#1171924).

Bug Fixes and Improvements :

Several fixes for GENERATED columns, including an issue where it was possible to crash or corrupt data in a table when the output of the generated column was the exact copy of a physical column on the table, e.g. if the expression called a function which could return its own input.

Several fixes for ALTER TABLE, including ensuring the SET STORAGE directive is propagated to a table's indexes.

Fix a potential race condition when using DROP OWNED BY while another session is deleting the same objects.

Allow for a partition to be detached when it has inherited ROW triggers.

Several fixes for REINDEX CONCURRENTLY, particularly with issues when a REINDEX CONCURRENTLY operation fails.

Fix crash when COLLATE is applied to an uncollatable type in a partition bound expression.

Fix performance regression in floating point overflow/underflow detection.

Several fixes for full text search, particularly with phrase searching.

Fix query-lifespan memory leak for a set-returning function used in a query's FROM clause.

Several reporting fixes for the output of VACUUM VERBOSE.

Allow input of type circle to accept the format (x,y),r, which is specified in the documentation.

Allow for the get_bit() and set_bit() functions to not fail on bytea strings longer than 256MB.

Avoid premature recycling of WAL segments during crash recovery, which could lead to WAL segments being recycled before being archived.

Avoid attempting to fetch nonexistent WAL files from archive storage during recovery by skipping irrelevant timelines.

Several fixes for logical replication and replication slots.

Fix several race conditions in synchronous standby management, including one that occurred when changing the synchronous_standby_names setting.

Several fixes for GSSAPI support, include a fix for a memory leak that occurred when using GSSAPI encryption.

Ensure that members of the pg_read_all_stats role can read all statistics views.

Fix performance regression in information_schema.triggers view.

Fix memory leak in libpq when using sslmode=verify-full.

Fix crash in psql when attempting to re-establish a failed connection.

Allow tab-completion of the filename argument to \gx command in psql.

Add pg_dump support for ALTER ... DEPENDS ON EXTENSION.

Several other fixes for pg_dump, which include dumping comments on RLS policies and postponing restore of event triggers until the end.

Ensure pg_basebackup generates valid tar files.

pg_checksums skips tablespace subdirectories that belong to a different PostgreSQL major version

Several Windows compatibility fixes

This update also contains timezone tzdata release 2020a for DST law changes in Morocco and the Canadian Yukon, plus historical corrections for Shanghai. The America/Godthab zone has been renamed to America/Nuuk to reflect current English usage ; however, the old name remains available as a compatibility link. This also updates initdb's list of known Windows time zone names to include recent additions.

For more details, check out :

https://www.postgresql.org/docs/12/release-12-3.html

Other fixes :

Let postgresqlXX conflict with postgresql-noarch < 12.0.1 to get a clean and complete cutover to the new packaging schema.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server for SAP 15 :

zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-2149=1

SUSE Linux Enterprise Server 15-LTSS :

zypper in -t patch SUSE-SLE-Product-SLES-15-2020-2149=1

SUSE Linux Enterprise Module for Server Applications 15-SP1 :

zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-2149=1

SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 :

zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP1-2020-2149=1

SUSE Linux Enterprise Module for Basesystem 15-SP1 :

zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-2149=1

SUSE Linux Enterprise High Performance Computing 15-LTSS :

zypper in -t patch SUSE-SLE-Product-HPC-15-2020-2149=1

SUSE Linux Enterprise High Performance Computing 15-ESPOS :

zypper in -t patch SUSE-SLE-Product-HPC-15-2020-2149=1

Plugin Details

Severity: Medium

ID: 139407

File Name: suse_SU-2020-2149-1.nasl

Version: 1.4

Type: local

Agent: unix

Family: SuSE Local Security Checks

Published: 8/7/2020

Updated: 1/13/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2020-1720

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:postgresql10-plperl-debuginfo, p-cpe:/a:novell:suse_linux:postgresql10-server-debuginfo, p-cpe:/a:novell:suse_linux:postgresql12-plpython, p-cpe:/a:novell:suse_linux:postgresql12-plpython-debuginfo, p-cpe:/a:novell:suse_linux:postgresql12, p-cpe:/a:novell:suse_linux:libpq5-32bit-debuginfo, p-cpe:/a:novell:suse_linux:libecpg6, p-cpe:/a:novell:suse_linux:postgresql12-debuginfo, p-cpe:/a:novell:suse_linux:postgresql10-plpython-debuginfo, p-cpe:/a:novell:suse_linux:postgresql10-debugsource, p-cpe:/a:novell:suse_linux:postgresql12-server-debuginfo, p-cpe:/a:novell:suse_linux:postgresql12-debugsource, p-cpe:/a:novell:suse_linux:postgresql12-pltcl, p-cpe:/a:novell:suse_linux:postgresql12-devel-debuginfo, p-cpe:/a:novell:suse_linux:postgresql12-devel, p-cpe:/a:novell:suse_linux:postgresql12-contrib-debuginfo, p-cpe:/a:novell:suse_linux:postgresql10-plpython, p-cpe:/a:novell:suse_linux:postgresql12-server-devel-debuginfo, p-cpe:/a:novell:suse_linux:postgresql10-devel, p-cpe:/a:novell:suse_linux:postgresql12-contrib, p-cpe:/a:novell:suse_linux:postgresql10, p-cpe:/a:novell:suse_linux:libpq5, p-cpe:/a:novell:suse_linux:postgresql10-debuginfo, p-cpe:/a:novell:suse_linux:libecpg6-debuginfo, p-cpe:/a:novell:suse_linux:postgresql12-plperl, p-cpe:/a:novell:suse_linux:libpq5-debuginfo, p-cpe:/a:novell:suse_linux:postgresql10-contrib-debuginfo, p-cpe:/a:novell:suse_linux:postgresql10-plperl, p-cpe:/a:novell:suse_linux:postgresql12-server, p-cpe:/a:novell:suse_linux:postgresql12-pltcl-debuginfo, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:postgresql12-server-devel, p-cpe:/a:novell:suse_linux:postgresql10-pltcl-debuginfo, p-cpe:/a:novell:suse_linux:postgresql10-contrib, p-cpe:/a:novell:suse_linux:postgresql10-pltcl, p-cpe:/a:novell:suse_linux:postgresql12-plperl-debuginfo, p-cpe:/a:novell:suse_linux:postgresql10-devel-debuginfo, p-cpe:/a:novell:suse_linux:postgresql10-server

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 8/6/2020

Vulnerability Publication Date: 3/17/2020

Reference Information

CVE: CVE-2020-1720

Detections

Analytics