security-announce: openSUSE-SU-2020:1228-1: moderate: Security update for postgresql, postgresql96, postgresql10, postgresql12
openSUSE Security Update: Security update for postgresql, postgresql96, postgresql10, postgresql12
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:1228-1
Rating: moderate
References: #1148643 #1171924 #1175193 #1175194
Cross-References: CVE-2020-14349 CVE-2020-14350
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that solves two vulnerabilities and has two fixes
is now available.
Description:
This update for postgresql, postgresql96, postgresql10, postgresql12 fixes
the following issues:
Postgresql12 was updated to 12.3 (bsc#1171924).
- https://www.postgresql.org/about/news/2038/
- https://www.postgresql.org/docs/12/release-12-3.html
- Let postgresqlXX conflict with postgresql-noarch < 12.0.1 to get a clean
and complete cutover to the new packaging schema.
Also changed in the postgresql wrapper package:
- Bump version to 12.0.1, so that the binary packages also have a
cut-point to conflict with.
- Conflict with versions of the binary packages prior to the May 2020
update, because we changed the package layout at that point and need a
clean cutover.
- Bump package version to 12, but leave default at 10 for SLE-15 and
SLE-15-SP1.
postgresql11 was updated to 11.9:
* CVE-2020-14349, bsc#1175193: Set a secure search_path in logical
replication walsenders and apply workers
* CVE-2020-14350, bsc#1175194: Make contrib modules' installation scripts
more secure.
* https://www.postgresql.org/docs/11/release-11-9.html
- Pack the /usr/lib/postgresql symlink only into the main package.
postgresql11 was updated to 11.8 (bsc#1171924).
* https://www.postgresql.org/about/news/2038/
* https://www.postgresql.org/docs/11/release-11-8.html
- Unify the spec file to work across all current PostgreSQL versions to
simplify future maintenance.
- Move from the "libs" build flavour to a "mini" package that will
only be used inside the build service and not get shipped, to avoid
confusion with the debuginfo packages (bsc#1148643).
postgresql10 was updated to 10.13 (bsc#1171924).
- https://www.postgresql.org/about/news/2038/
- https://www.postgresql.org/docs/10/release-10-13.html
- Unify the spec file to work across all current PostgreSQL versions to
simplify future maintenance.
- Move from the "libs" build flavour to a "mini" package that will
only be used inside the build service and not get shipped, to avoid
confusion with the debuginfo packages (bsc#1148643).
postgresql96 was updated to 9.6.19:
* CVE-2020-14350, boo#1175194: Make contrib modules' installation
scripts more secure.
* https://www.postgresql.org/docs/9.6/release-9-6-19.html
- Pack the /usr/lib/postgresql symlink only into the main package.
- Let postgresqlXX conflict with postgresql-noarch < 12.0.1 to get a clean
and complete cutover to the new packaging schema.
- update to 9.6.18 (boo#1171924).
https://www.postgresql.org/about/news/2038/
https://www.postgresql.org/docs/9.6/release-9-6-18.html
- Unify the spec file to work across all current PostgreSQL versions to
simplify future maintenance.
- Move from the "libs" build flavour to a "mini" package that will
only be used inside the build service and not get shipped, to avoid
confusion with the debuginfo packages (boo#1148643).
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2020-1228=1
Package List:
- openSUSE Leap 15.2 (i586 x86_64):
libecpg6-12.3-lp152.3.4.1
libecpg6-debuginfo-12.3-lp152.3.4.1
libpq5-12.3-lp152.3.4.1
libpq5-debuginfo-12.3-lp152.3.4.1
postgresql10-10.13-lp152.2.3.1
postgresql10-contrib-10.13-lp152.2.3.1
postgresql10-contrib-debuginfo-10.13-lp152.2.3.1
postgresql10-debuginfo-10.13-lp152.2.3.1
postgresql10-debugsource-10.13-lp152.2.3.1
postgresql10-devel-10.13-lp152.2.3.1
postgresql10-devel-debuginfo-10.13-lp152.2.3.1
postgresql10-plperl-10.13-lp152.2.3.1
postgresql10-plperl-debuginfo-10.13-lp152.2.3.1
postgresql10-plpython-10.13-lp152.2.3.1
postgresql10-plpython-debuginfo-10.13-lp152.2.3.1
postgresql10-pltcl-10.13-lp152.2.3.1
postgresql10-pltcl-debuginfo-10.13-lp152.2.3.1
postgresql10-server-10.13-lp152.2.3.1
postgresql10-server-debuginfo-10.13-lp152.2.3.1
postgresql10-test-10.13-lp152.2.3.1
postgresql12-12.3-lp152.3.4.1
postgresql12-contrib-12.3-lp152.3.4.1
postgresql12-contrib-debuginfo-12.3-lp152.3.4.1
postgresql12-debuginfo-12.3-lp152.3.4.1
postgresql12-debugsource-12.3-lp152.3.4.1
postgresql12-devel-12.3-lp152.3.4.1
postgresql12-devel-debuginfo-12.3-lp152.3.4.1
postgresql12-llvmjit-12.3-lp152.3.4.1
postgresql12-llvmjit-debuginfo-12.3-lp152.3.4.1
postgresql12-plperl-12.3-lp152.3.4.1
postgresql12-plperl-debuginfo-12.3-lp152.3.4.1
postgresql12-plpython-12.3-lp152.3.4.1
postgresql12-plpython-debuginfo-12.3-lp152.3.4.1
postgresql12-pltcl-12.3-lp152.3.4.1
postgresql12-pltcl-debuginfo-12.3-lp152.3.4.1
postgresql12-server-12.3-lp152.3.4.1
postgresql12-server-debuginfo-12.3-lp152.3.4.1
postgresql12-server-devel-12.3-lp152.3.4.1
postgresql12-server-devel-debuginfo-12.3-lp152.3.4.1
postgresql12-test-12.3-lp152.3.4.1
postgresql96-9.6.19-lp152.2.3.1
postgresql96-contrib-9.6.19-lp152.2.3.1
postgresql96-contrib-debuginfo-9.6.19-lp152.2.3.1
postgresql96-debuginfo-9.6.19-lp152.2.3.1
postgresql96-debugsource-9.6.19-lp152.2.3.1
postgresql96-devel-9.6.19-lp152.2.3.1
postgresql96-devel-debuginfo-9.6.19-lp152.2.3.1
postgresql96-plperl-9.6.19-lp152.2.3.1
postgresql96-plperl-debuginfo-9.6.19-lp152.2.3.1
postgresql96-plpython-9.6.19-lp152.2.3.1
postgresql96-plpython-debuginfo-9.6.19-lp152.2.3.1
postgresql96-pltcl-9.6.19-lp152.2.3.1
postgresql96-pltcl-debuginfo-9.6.19-lp152.2.3.1
postgresql96-server-9.6.19-lp152.2.3.1
postgresql96-server-debuginfo-9.6.19-lp152.2.3.1
postgresql96-test-9.6.19-lp152.2.3.1
- openSUSE Leap 15.2 (noarch):
postgresql-12.0.1-lp152.3.3.2
postgresql-contrib-12.0.1-lp152.3.3.2
postgresql-devel-12.0.1-lp152.3.3.2
postgresql-docs-12.0.1-lp152.3.3.2
postgresql-llvmjit-12.0.1-lp152.3.3.2
postgresql-plperl-12.0.1-lp152.3.3.2
postgresql-plpython-12.0.1-lp152.3.3.2
postgresql-pltcl-12.0.1-lp152.3.3.2
postgresql-server-12.0.1-lp152.3.3.2
postgresql-server-devel-12.0.1-lp152.3.3.2
postgresql-test-12.0.1-lp152.3.3.2
postgresql10-docs-10.13-lp152.2.3.1
postgresql11-docs-11.9-lp152.3.3.1
postgresql12-docs-12.3-lp152.3.4.1
postgresql96-docs-9.6.19-lp152.2.3.1
- openSUSE Leap 15.2 (x86_64):
libecpg6-32bit-12.3-lp152.3.4.1
libecpg6-32bit-debuginfo-12.3-lp152.3.4.1
libpq5-32bit-12.3-lp152.3.4.1
libpq5-32bit-debuginfo-12.3-lp152.3.4.1
postgresql11-11.9-lp152.3.3.1
postgresql11-contrib-11.9-lp152.3.3.1
postgresql11-contrib-debuginfo-11.9-lp152.3.3.1
postgresql11-debuginfo-11.9-lp152.3.3.1
postgresql11-debugsource-11.9-lp152.3.3.1
postgresql11-devel-11.9-lp152.3.3.1
postgresql11-devel-debuginfo-11.9-lp152.3.3.1
postgresql11-llvmjit-11.9-lp152.3.3.1
postgresql11-llvmjit-debuginfo-11.9-lp152.3.3.1
postgresql11-plperl-11.9-lp152.3.3.1
postgresql11-plperl-debuginfo-11.9-lp152.3.3.1
postgresql11-plpython-11.9-lp152.3.3.1
postgresql11-plpython-debuginfo-11.9-lp152.3.3.1
postgresql11-pltcl-11.9-lp152.3.3.1
postgresql11-pltcl-debuginfo-11.9-lp152.3.3.1
postgresql11-server-11.9-lp152.3.3.1
postgresql11-server-debuginfo-11.9-lp152.3.3.1
postgresql11-server-devel-11.9-lp152.3.3.1
postgresql11-server-devel-debuginfo-11.9-lp152.3.3.1
postgresql11-test-11.9-lp152.3.3.1
References:
https://www.suse.com/security/cve/CVE-2020-14349.html
https://www.suse.com/security/cve/CVE-2020-14350.html
https://bugzilla.suse.com/1148643
https://bugzilla.suse.com/1171924
https://bugzilla.suse.com/1175193
https://bugzilla.suse.com/1175194
Updated postgresql96, postgresql10, and postgresql12 packages has been released for openSUSE Leap 15.2.
