Security update for postgresql10 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:2355-1 Final 1 1 2020-08-27T16:26:21Z current 2020-08-27T16:26:21Z 2020-08-27T16:26:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql10 This update for postgresql10 fixes the following issues: - update to 10.14: * CVE-2020-14349, bsc#1175193: Set a secure search_path in logical replication walsenders and apply workers * CVE-2020-14350, bsc#1175194: Make contrib modules' installation scripts more secure. * https://www.postgresql.org/docs/10/release-10-14.html The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/postgres:10-2020-2355,Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server-2020-2355,Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Server-2020-2355,Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server-2020-2355,SUSE-2020-2355,SUSE-SLE-Module-Basesystem-15-SP1-2020-2355,SUSE-SLE-Module-Basesystem-15-SP2-2020-2355,SUSE-SLE-Module-Server-Applications-15-SP1-2020-2355,SUSE-SLE-Module-Server-Applications-15-SP2-2020-2355 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20202355-1/ Link for SUSE-SU-2020:2355-1 https://lists.suse.com/pipermail/sle-security-updates/2020-August/007312.html E-Mail link for SUSE-SU-2020:2355-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1175193 SUSE Bug 1175193 https://bugzilla.suse.com/1175194 SUSE Bug 1175194 https://www.suse.com/security/cve/CVE-2020-14349/ SUSE CVE CVE-2020-14349 page https://www.suse.com/security/cve/CVE-2020-14350/ SUSE CVE CVE-2020-14350 page Container suse/postgres:10 Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Server Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server SUSE Linux Enterprise Module for Basesystem 15 SP1 SUSE Linux Enterprise Module for Basesystem 15 SP2 SUSE Linux Enterprise Module for Server Applications 15 SP1 SUSE Linux Enterprise Module for Server Applications 15 SP2 postgresql10-10.14-8.19.1 postgresql10-server-10.14-8.19.1 postgresql10-contrib-10.14-8.19.1 postgresql10-devel-10.14-8.19.1 postgresql10-docs-10.14-8.19.1 postgresql10-plperl-10.14-8.19.1 postgresql10-plpython-10.14-8.19.1 postgresql10-pltcl-10.14-8.19.1 postgresql10-test-10.14-8.19.1 postgresql10-10.14-8.19.1 as a component of Container suse/postgres:10 postgresql10-server-10.14-8.19.1 as a component of Container suse/postgres:10 postgresql10-10.14-8.19.1 as a component of Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server postgresql10-contrib-10.14-8.19.1 as a component of Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server postgresql10-server-10.14-8.19.1 as a component of Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server postgresql10-10.14-8.19.1 as a component of Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Server postgresql10-contrib-10.14-8.19.1 as a component of Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Server postgresql10-server-10.14-8.19.1 as a component of Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Server postgresql10-10.14-8.19.1 as a component of Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server postgresql10-contrib-10.14-8.19.1 as a component of Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server postgresql10-server-10.14-8.19.1 as a component of Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server postgresql10-10.14-8.19.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP1 postgresql10-10.14-8.19.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 postgresql10-contrib-10.14-8.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP1 postgresql10-devel-10.14-8.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP1 postgresql10-docs-10.14-8.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP1 postgresql10-plperl-10.14-8.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP1 postgresql10-plpython-10.14-8.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP1 postgresql10-pltcl-10.14-8.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP1 postgresql10-server-10.14-8.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP1 postgresql10-contrib-10.14-8.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP2 postgresql10-devel-10.14-8.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP2 postgresql10-docs-10.14-8.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP2 postgresql10-plperl-10.14-8.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP2 postgresql10-plpython-10.14-8.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP2 postgresql10-pltcl-10.14-8.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP2 postgresql10-server-10.14-8.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP2 It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication. CVE-2020-14349 Container suse/postgres:10:postgresql10-10.14-8.19.1 Container suse/postgres:10:postgresql10-server-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server:postgresql10-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server:postgresql10-contrib-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server:postgresql10-server-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Server:postgresql10-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Server:postgresql10-contrib-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Server:postgresql10-server-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server:postgresql10-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server:postgresql10-contrib-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server:postgresql10-server-10.14-8.19.1 SUSE Linux Enterprise Module for Basesystem 15 SP1:postgresql10-10.14-8.19.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:postgresql10-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP1:postgresql10-contrib-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP1:postgresql10-devel-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP1:postgresql10-docs-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP1:postgresql10-plperl-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP1:postgresql10-plpython-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP1:postgresql10-pltcl-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP1:postgresql10-server-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP2:postgresql10-contrib-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP2:postgresql10-devel-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP2:postgresql10-docs-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP2:postgresql10-plperl-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP2:postgresql10-plpython-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP2:postgresql10-pltcl-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP2:postgresql10-server-10.14-8.19.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20202355-1/ https://www.suse.com/security/cve/CVE-2020-14349.html CVE-2020-14349 https://bugzilla.suse.com/1175193 SUSE Bug 1175193 https://bugzilla.suse.com/1176151 SUSE Bug 1176151 https://bugzilla.suse.com/1179499 SUSE Bug 1179499 https://bugzilla.suse.com/1179870 SUSE Bug 1179870 It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23. CVE-2020-14350 Container suse/postgres:10:postgresql10-10.14-8.19.1 Container suse/postgres:10:postgresql10-server-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server:postgresql10-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server:postgresql10-contrib-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server:postgresql10-server-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Server:postgresql10-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Server:postgresql10-contrib-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Server:postgresql10-server-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server:postgresql10-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server:postgresql10-contrib-10.14-8.19.1 Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server:postgresql10-server-10.14-8.19.1 SUSE Linux Enterprise Module for Basesystem 15 SP1:postgresql10-10.14-8.19.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:postgresql10-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP1:postgresql10-contrib-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP1:postgresql10-devel-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP1:postgresql10-docs-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP1:postgresql10-plperl-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP1:postgresql10-plpython-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP1:postgresql10-pltcl-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP1:postgresql10-server-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP2:postgresql10-contrib-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP2:postgresql10-devel-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP2:postgresql10-docs-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP2:postgresql10-plperl-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP2:postgresql10-plpython-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP2:postgresql10-pltcl-10.14-8.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP2:postgresql10-server-10.14-8.19.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20202355-1/ https://www.suse.com/security/cve/CVE-2020-14350.html CVE-2020-14350 https://bugzilla.suse.com/1175194 SUSE Bug 1175194 https://bugzilla.suse.com/1176151 SUSE Bug 1176151 https://bugzilla.suse.com/1179115 SUSE Bug 1179115 https://bugzilla.suse.com/1179499 SUSE Bug 1179499 https://bugzilla.suse.com/1179870 SUSE Bug 1179870