Detections
Analytics

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : postgresql, postgresql16, postgresql17 (SUSE-SU-2024:4063-1)

high Nessus Plugin ID 212578

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:4063-1 advisory.

 This update ships postgresql17 , and fixes security issues with postgresql16:

 - bsc#1230423: Relax the dependency of extensions on the server version from exact major.minor to greater or equal, after Tom Lane confirmed on the PostgreSQL packagers list that ABI stability is being taken care of between minor releases.

 - bsc#1219340: The last fix was not correct. Improve it by removing the dependency again and call fillup only if it is installed.

 postgresql16 was updated to 16.6:
 * Repair ABI break for extensions that work with struct ResultRelInfo.
 * Restore functionality of ALTER {ROLE|DATABASE} SET role.
 * Fix cases where a logical replication slot's restart_lsn could go backwards.
 * Avoid deleting still-needed WAL files during pg_rewind.
 * Fix race conditions associated with dropping shared statistics entries.
 * Count index scans in contrib/bloom indexes in the statistics views, such as the pg_stat_user_indexes.idx_scan counter.
 * Fix crash when checking to see if an index's opclass options have changed.
 * Avoid assertion failure caused by disconnected NFA sub-graphs in regular expression parsing.
 * https://www.postgresql.org/docs/release/16.6/

 postgresql16 was updated to 16.5:

 * CVE-2024-10976, bsc#1233323: Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference.
 * CVE-2024-10977, bsc#1233325: Make libpq discard error messages received during SSL or GSS protocol negotiation.
 * CVE-2024-10978, bsc#1233326: Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE
 * CVE-2024-10979, bsc#1233327: Prevent trusted PL/Perl code from changing environment variables.
 * https://www.postgresql.org/about/news/p-2955/
 * https://www.postgresql.org/docs/release/16.5/

 - Don't build the libs and mini flavor anymore to hand over to PostgreSQL 17.

 * https://www.postgresql.org/about/news/p-2910/

 postgresql17 is shipped in version 17.2:

 * CVE-2024-10976, bsc#1233323: Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference.
 * CVE-2024-10977, bsc#1233325: Make libpq discard error messages received during SSL or GSS protocol negotiation.
 * CVE-2024-10978, bsc#1233326: Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE
 * CVE-2024-10979, bsc#1233327: Prevent trusted PL/Perl code from changing environment variables.
 * https://www.postgresql.org/about/news/p-2955/
 * https://www.postgresql.org/docs/release/17.1/
 * https://www.postgresql.org/docs/release/17.2/

 Upgrade to 17.2:

 * Repair ABI break for extensions that work with struct ResultRelInfo.
 * Restore functionality of ALTER {ROLE|DATABASE} SET role.
 * Fix cases where a logical replication slot's restart_lsn could go backwards.
 * Avoid deleting still-needed WAL files during pg_rewind.
 * Fix race conditions associated with dropping shared statistics entries.
 * Count index scans in contrib/bloom indexes in the statistics views, such as the pg_stat_user_indexes.idx_scan counter.
 * Fix crash when checking to see if an index's opclass options have changed.
 * Avoid assertion failure caused by disconnected NFA sub-graphs in regular expression parsing.

 Upgrade to 17.0:

 * New memory management system for VACUUM, which reduces memory consumption and can improve overall vacuuming performance.
 * New SQL/JSON capabilities, including constructors, identity functions, and the JSON_TABLE() function, which converts JSON data into a table representation.
 * Various query performance improvements, including for sequential reads using streaming I/O, write throughput under high concurrency, and searches over multiple values in a btree index.
 * Logical replication enhancements, including:
 + Failover control + pg_createsubscriber, a utility that creates logical replicas from physical standbys + pg_upgrade now preserves replication slots on both publishers and subscribers
 * New client-side connection option, sslnegotiation=direct, that performs a direct TLS handshake to avoid a round-trip negotiation.
 * pg_basebackup now supports incremental backup.
 * COPY adds a new option, ON_ERROR ignore, that allows a copy operation to continue in the event of an error.
 * https://www.postgresql.org/about/news/p-2936/
 * https://www.postgresql.org/docs/17/release-17.html

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1219340

https://bugzilla.suse.com/1230423

https://bugzilla.suse.com/1233323

https://bugzilla.suse.com/1233325

https://bugzilla.suse.com/1233326

https://bugzilla.suse.com/1233327

https://www.suse.com/security/cve/CVE-2024-10976

https://www.suse.com/security/cve/CVE-2024-10977

https://www.suse.com/security/cve/CVE-2024-10978

https://www.suse.com/security/cve/CVE-2024-10979

http://www.nessus.org/u?4c5c7292

Plugin Details

Severity: High

ID: 212578

File Name: suse_SU-2024-4063-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 12/12/2024

Updated: 12/12/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2024-10979

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:postgresql17, p-cpe:/a:novell:suse_linux:libecpg6, p-cpe:/a:novell:suse_linux:postgresql17-contrib, p-cpe:/a:novell:suse_linux:libpq5-32bit, p-cpe:/a:novell:suse_linux:postgresql16-plpython, p-cpe:/a:novell:suse_linux:postgresql17-llvmjit-devel, p-cpe:/a:novell:suse_linux:postgresql16-devel, p-cpe:/a:novell:suse_linux:postgresql16-pltcl, p-cpe:/a:novell:suse_linux:postgresql, p-cpe:/a:novell:suse_linux:postgresql17-devel, p-cpe:/a:novell:suse_linux:postgresql17-pltcl, p-cpe:/a:novell:suse_linux:postgresql17-server, p-cpe:/a:novell:suse_linux:postgresql-plperl, p-cpe:/a:novell:suse_linux:postgresql16-docs, p-cpe:/a:novell:suse_linux:postgresql16-test, p-cpe:/a:novell:suse_linux:libpq5, p-cpe:/a:novell:suse_linux:postgresql16, p-cpe:/a:novell:suse_linux:postgresql-llvmjit-devel, p-cpe:/a:novell:suse_linux:postgresql17-plpython, p-cpe:/a:novell:suse_linux:postgresql16-server-devel, p-cpe:/a:novell:suse_linux:postgresql17-test, p-cpe:/a:novell:suse_linux:postgresql-server, p-cpe:/a:novell:suse_linux:postgresql-docs, p-cpe:/a:novell:suse_linux:postgresql-llvmjit, p-cpe:/a:novell:suse_linux:postgresql-test, p-cpe:/a:novell:suse_linux:postgresql17-server-devel, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:postgresql-devel, p-cpe:/a:novell:suse_linux:postgresql17-llvmjit, p-cpe:/a:novell:suse_linux:postgresql-server-devel, p-cpe:/a:novell:suse_linux:postgresql16-server, p-cpe:/a:novell:suse_linux:postgresql-contrib, p-cpe:/a:novell:suse_linux:postgresql17-docs, p-cpe:/a:novell:suse_linux:postgresql16-llvmjit, p-cpe:/a:novell:suse_linux:postgresql-plpython, p-cpe:/a:novell:suse_linux:postgresql17-plperl, p-cpe:/a:novell:suse_linux:postgresql16-plperl, p-cpe:/a:novell:suse_linux:postgresql16-contrib, p-cpe:/a:novell:suse_linux:postgresql-pltcl

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 11/26/2024

Vulnerability Publication Date: 11/12/2024

Reference Information

CVE: CVE-2024-10976, CVE-2024-10977, CVE-2024-10978, CVE-2024-10979

IAVB: 2024-B-0175

SuSE: SUSE-SU-2024:4063-1