openSUSE Security Update : postgresql / postgresql96 / postgresql10 / etc (openSUSE-2020-1228)

high Nessus Plugin ID 139765

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for postgresql, postgresql96, postgresql10, postgresql12 fixes the following issues:

postgresql12 was updated to 12.3 (bsc#1171924).

- https://www.postgresql.org/about/news/2038/

- https://www.postgresql.org/docs/12/release-12-3.html

- Let postgresqlXX conflict with postgresql-noarch < 12.0.1 to get a clean and complete cutover to the new packaging schema.

Also changed in the postgresql wrapper package:

- Bump version to 12.0.1, so that the binary packages also have a cut-point to conflict with.

- Conflict with versions of the binary packages prior to the May 2020 update, because we changed the package layout at that point and need a clean cutover.

- Bump package version to 12, but leave default at 10 for SLE-15 and SLE-15-SP1.

postgresql11 was updated to 11.9:

- CVE-2020-14349, bsc#1175193: Set a secure search_path in logical replication walsenders and apply workers

- CVE-2020-14350, bsc#1175194: Make contrib modules' installation scripts more secure.

- https://www.postgresql.org/docs/11/release-11-9.html

- Pack the /usr/lib/postgresql symlink only into the main package.

postgresql11 was updated to 11.8 (bsc#1171924).

- https://www.postgresql.org/about/news/2038/

- https://www.postgresql.org/docs/11/release-11-8.html

- Unify the spec file to work across all current PostgreSQL versions to simplify future maintenance.

- Move from the 'libs' build flavour to a 'mini' package that will only be used inside the build service and not get shipped, to avoid confusion with the debuginfo packages (bsc#1148643).

postgresql10 was updated to 10.13 (bsc#1171924).

- https://www.postgresql.org/about/news/2038/

- https://www.postgresql.org/docs/10/release-10-13.html

- Unify the spec file to work across all current PostgreSQL versions to simplify future maintenance.

- Move from the 'libs' build flavour to a 'mini' package that will only be used inside the build service and not get shipped, to avoid confusion with the debuginfo packages (bsc#1148643).

postgresql96 was updated to 9.6.19:

- CVE-2020-14350, boo#1175194: Make contrib modules' installation scripts more secure.

- https://www.postgresql.org/docs/9.6/release-9-6-19.html

- Pack the /usr/lib/postgresql symlink only into the main package.

- Let postgresqlXX conflict with postgresql-noarch < 12.0.1 to get a clean and complete cutover to the new packaging schema.

- Update to 9.6.18 (boo#1171924).

- https://www.postgresql.org/about/news/2038/

- https://www.postgresql.org/docs/9.6/release-9-6-18.html

- Unify the spec file to work across all current PostgreSQL versions to simplify future maintenance.

- Move from the 'libs' build flavour to a 'mini' package that will only be used inside the build service and not get shipped, to avoid confusion with the debuginfo packages (boo#1148643).

This update was imported from the SUSE:SLE-15-SP2:Update update project.

Solution

Update the affected postgresql / postgresql96 / postgresql10 / etc packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1175193

https://bugzilla.opensuse.org/show_bug.cgi?id=1175194

https://www.postgresql.org/about/news/2038/

https://www.postgresql.org/docs/10/release-10-13.html

https://www.postgresql.org/docs/11/release-11-8.html

https://www.postgresql.org/docs/11/release-11-9.html

https://www.postgresql.org/docs/12/release-12-3.html

https://www.postgresql.org/docs/9.6/release-9-6-18.html

https://www.postgresql.org/docs/9.6/release-9-6-19.html

https://bugzilla.opensuse.org/show_bug.cgi?id=1148643

https://bugzilla.opensuse.org/show_bug.cgi?id=1171924

Plugin Details

Severity: High

ID: 139765

File Name: openSUSE-2020-1228.nasl

Version: 1.9

Type: local

Agent: unix

Published: 8/24/2020

Updated: 2/23/2024

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2020-14349

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.4

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2020-14350

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:postgresql10-debugsource, p-cpe:/a:novell:opensuse:postgresql12-server-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-llvmjit-debuginfo, p-cpe:/a:novell:opensuse:postgresql10-contrib-debuginfo, p-cpe:/a:novell:opensuse:postgresql12-pltcl-debuginfo, p-cpe:/a:novell:opensuse:postgresql10-plperl-debuginfo, p-cpe:/a:novell:opensuse:postgresql10-plpython, p-cpe:/a:novell:opensuse:postgresql96-pltcl-debuginfo, p-cpe:/a:novell:opensuse:postgresql12-plpython-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-plperl-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-contrib, p-cpe:/a:novell:opensuse:postgresql-contrib, p-cpe:/a:novell:opensuse:libecpg6-debuginfo, p-cpe:/a:novell:opensuse:libecpg6, p-cpe:/a:novell:opensuse:postgresql12-plpython, p-cpe:/a:novell:opensuse:postgresql96-pltcl, p-cpe:/a:novell:opensuse:postgresql11-debugsource, p-cpe:/a:novell:opensuse:libpq5-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-contrib-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-server-devel, p-cpe:/a:novell:opensuse:postgresql12-server, p-cpe:/a:novell:opensuse:postgresql10-plpython-debuginfo, p-cpe:/a:novell:opensuse:postgresql-devel, p-cpe:/a:novell:opensuse:postgresql12-server-devel, p-cpe:/a:novell:opensuse:postgresql12-contrib-debuginfo, p-cpe:/a:novell:opensuse:postgresql96, p-cpe:/a:novell:opensuse:postgresql12-contrib, p-cpe:/a:novell:opensuse:postgresql96-plpython-debuginfo, p-cpe:/a:novell:opensuse:libecpg6-32bit, p-cpe:/a:novell:opensuse:postgresql11-pltcl, p-cpe:/a:novell:opensuse:postgresql10-server-debuginfo, p-cpe:/a:novell:opensuse:postgresql10, p-cpe:/a:novell:opensuse:postgresql11-server-debuginfo, p-cpe:/a:novell:opensuse:postgresql96-plperl, p-cpe:/a:novell:opensuse:postgresql12-debuginfo, p-cpe:/a:novell:opensuse:postgresql10-contrib, p-cpe:/a:novell:opensuse:postgresql12-test, p-cpe:/a:novell:opensuse:libpq5-32bit, p-cpe:/a:novell:opensuse:postgresql, p-cpe:/a:novell:opensuse:postgresql10-devel, 
p-cpe:/a:novell:opensuse:libecpg6-32bit-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-plperl, p-cpe:/a:novell:opensuse:postgresql11-server-devel-debuginfo, p-cpe:/a:novell:opensuse:postgresql-pltcl, p-cpe:/a:novell:opensuse:postgresql12-llvmjit-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-pltcl-debuginfo, p-cpe:/a:novell:opensuse:postgresql96-debugsource, p-cpe:/a:novell:opensuse:postgresql-test, p-cpe:/a:novell:opensuse:postgresql96-contrib, p-cpe:/a:novell:opensuse:postgresql96-debuginfo, p-cpe:/a:novell:opensuse:postgresql10-plperl, p-cpe:/a:novell:opensuse:postgresql96-contrib-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-llvmjit, p-cpe:/a:novell:opensuse:postgresql96-devel, p-cpe:/a:novell:opensuse:postgresql10-devel-debuginfo, p-cpe:/a:novell:opensuse:libpq5-32bit-debuginfo, p-cpe:/a:novell:opensuse:postgresql12-devel-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-test, p-cpe:/a:novell:opensuse:postgresql11-plpython, p-cpe:/a:novell:opensuse:postgresql12-devel, p-cpe:/a:novell:opensuse:postgresql-plpython, p-cpe:/a:novell:opensuse:postgresql12-pltcl, p-cpe:/a:novell:opensuse:postgresql10-pltcl-debuginfo, p-cpe:/a:novell:opensuse:postgresql96-plpython, p-cpe:/a:novell:opensuse:postgresql11-plpython-debuginfo, p-cpe:/a:novell:opensuse:postgresql96-plperl-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-server, p-cpe:/a:novell:opensuse:postgresql12-llvmjit, p-cpe:/a:novell:opensuse:postgresql10-pltcl, p-cpe:/a:novell:opensuse:postgresql11-debuginfo, p-cpe:/a:novell:opensuse:postgresql11-devel-debuginfo, p-cpe:/a:novell:opensuse:postgresql10-debuginfo, p-cpe:/a:novell:opensuse:postgresql10-server, p-cpe:/a:novell:opensuse:postgresql12-debugsource, p-cpe:/a:novell:opensuse:postgresql96-devel-debuginfo, p-cpe:/a:novell:opensuse:postgresql11, p-cpe:/a:novell:opensuse:libpq5, p-cpe:/a:novell:opensuse:postgresql-plperl, p-cpe:/a:novell:opensuse:postgresql10-test, p-cpe:/a:novell:opensuse:postgresql11-devel, p-cpe:/a:novell:opensuse:postgresql96-server, 
p-cpe:/a:novell:opensuse:postgresql-server, p-cpe:/a:novell:opensuse:postgresql12-plperl, p-cpe:/a:novell:opensuse:postgresql96-server-debuginfo, p-cpe:/a:novell:opensuse:postgresql-server-devel, p-cpe:/a:novell:opensuse:postgresql-llvmjit, p-cpe:/a:novell:opensuse:postgresql96-test, cpe:/o:novell:opensuse:15.2, p-cpe:/a:novell:opensuse:postgresql12-server-devel-debuginfo, p-cpe:/a:novell:opensuse:postgresql12-plperl-debuginfo, p-cpe:/a:novell:opensuse:postgresql12

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 8/17/2020

Vulnerability Publication Date: 8/24/2020

Reference Information

CVE: CVE-2020-14349, CVE-2020-14350

IAVB: 2020-B-0047-S