Security update for postgresql94 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:3287-1 Final 1 1 2018-10-22T11:29:54Z current 2018-10-22T11:29:54Z 2018-10-22T11:29:54Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql94 This update for postgresql94 fixes the following issues: postgresql was updated to 9.4.19: https://www.postgresql.org/docs/current/static/release-9-4-19.html * CVE-2018-10915, bsc#1104199: Fix failure to reset libpq's state fully between connection attempts. postgresql was updated to 9.4.18: - https://www.postgresql.org/about/news/1851/ - https://www.postgresql.org/docs/current/static/release-9-4-18.html A dump/restore is not required for those running 9.4.X. However, if the function marking mistakes mentioned in the first changelog entry below affect you, you will want to take steps to correct your database catalogs. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-postgresql94-13829,slessp4-postgresql94-13829 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20183287-1/ Link for SUSE-SU-2018:3287-1 https://lists.suse.com/pipermail/sle-security-updates/2018-October/004758.html E-Mail link for SUSE-SU-2018:3287-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1104199 SUSE Bug 1104199 https://www.suse.com/security/cve/CVE-2018-10915/ SUSE CVE CVE-2018-10915 page SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 postgresql94-devel-9.4.19-0.23.19.1 libecpg6-9.4.19-0.23.19.1 libpq5-9.4.19-0.23.19.1 libpq5-32bit-9.4.19-0.23.19.1 postgresql94-9.4.19-0.23.19.1 postgresql94-contrib-9.4.19-0.23.19.1 postgresql94-docs-9.4.19-0.23.19.1 postgresql94-server-9.4.19-0.23.19.1 libecpg6-9.4.19-0.23.19.1 as a component of SUSE Linux Enterprise Server 11 SP4 libpq5-9.4.19-0.23.19.1 as a component of SUSE Linux Enterprise Server 11 SP4 libpq5-32bit-9.4.19-0.23.19.1 as a component of SUSE Linux Enterprise Server 11 SP4 postgresql94-9.4.19-0.23.19.1 as a component of SUSE Linux Enterprise Server 11 SP4 postgresql94-contrib-9.4.19-0.23.19.1 as a component of SUSE Linux Enterprise Server 11 SP4 postgresql94-docs-9.4.19-0.23.19.1 as a component of SUSE Linux Enterprise Server 11 SP4 postgresql94-server-9.4.19-0.23.19.1 as a component of SUSE Linux Enterprise Server 11 SP4 libecpg6-9.4.19-0.23.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libpq5-9.4.19-0.23.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libpq5-32bit-9.4.19-0.23.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 postgresql94-9.4.19-0.23.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 postgresql94-contrib-9.4.19-0.23.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 postgresql94-docs-9.4.19-0.23.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 postgresql94-server-9.4.19-0.23.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 postgresql94-devel-9.4.19-0.23.19.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. Postgresql versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected. CVE-2018-10915 SUSE Linux Enterprise Server 11 SP4:libecpg6-9.4.19-0.23.19.1 SUSE Linux Enterprise Server 11 SP4:libpq5-32bit-9.4.19-0.23.19.1 SUSE Linux Enterprise Server 11 SP4:libpq5-9.4.19-0.23.19.1 SUSE Linux Enterprise Server 11 SP4:postgresql94-9.4.19-0.23.19.1 SUSE Linux Enterprise Server 11 SP4:postgresql94-contrib-9.4.19-0.23.19.1 SUSE Linux Enterprise Server 11 SP4:postgresql94-docs-9.4.19-0.23.19.1 SUSE Linux Enterprise Server 11 SP4:postgresql94-server-9.4.19-0.23.19.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libecpg6-9.4.19-0.23.19.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libpq5-32bit-9.4.19-0.23.19.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libpq5-9.4.19-0.23.19.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:postgresql94-9.4.19-0.23.19.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:postgresql94-contrib-9.4.19-0.23.19.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:postgresql94-docs-9.4.19-0.23.19.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:postgresql94-server-9.4.19-0.23.19.1 SUSE Linux Enterprise Software Development Kit 11 SP4:postgresql94-devel-9.4.19-0.23.19.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20183287-1/ https://www.suse.com/security/cve/CVE-2018-10915.html CVE-2018-10915 https://bugzilla.suse.com/1104199 SUSE Bug 1104199 https://bugzilla.suse.com/1140876 SUSE Bug 1140876 https://bugzilla.suse.com/1185814 SUSE Bug 1185814