SUSE-SU-2024:4052-1

Source
https://www.suse.com/support/update/announcement/2024/suse-su-20244052-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:4052-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2024:4052-1
Related
Published
2024-11-25T16:10:40Z
Modified
2024-11-25T16:10:40Z
Summary
Security update for postgresql, postgresql16, postgresql17
Details

This update for postgresql, postgresql16, postgresql17 fixes the following issues:

This update ships postgresql17, and fixes security issues in postgresql16:

  • bsc#1230423: Relax the dependency of extensions on the server version from an exact major.minor match to greater-or-equal, after Tom Lane confirmed on the PostgreSQL packagers list that ABI stability is maintained between minor releases.

  • bsc#1219340: The last fix was not correct. Improve it by removing the dependency again and calling fillup only if it is installed.

postgresql16 was updated to 16.6:

  • Repair ABI break for extensions that work with struct ResultRelInfo.
  • Restore functionality of ALTER {ROLE|DATABASE} SET role.
  • Fix cases where a logical replication slot's restart_lsn could go backwards.
  • Avoid deleting still-needed WAL files during pg_rewind.
  • Fix race conditions associated with dropping shared statistics entries.
  • Count index scans in contrib/bloom indexes in the statistics views, such as the pg_stat_user_indexes.idx_scan counter.
  • Fix crash when checking to see if an index's opclass options have changed.
  • Avoid assertion failure caused by disconnected NFA sub-graphs in regular expression parsing.
  • https://www.postgresql.org/docs/release/16.6/

postgresql16 was updated to 16.5:

  • CVE-2024-10976, bsc#1233323: Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference.
  • CVE-2024-10977, bsc#1233325: Make libpq discard error messages received during SSL or GSS protocol negotiation.
  • CVE-2024-10978, bsc#1233326: Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE
  • CVE-2024-10979, bsc#1233327: Prevent trusted PL/Perl code from changing environment variables.
  • https://www.postgresql.org/about/news/p-2955/
  • https://www.postgresql.org/docs/release/16.5/

  • Don't build the libs and mini flavors of postgresql16 anymore; these are handed over to PostgreSQL 17.
    • https://www.postgresql.org/about/news/p-2910/

postgresql17 is shipped in version 17.2:

  • CVE-2024-10976, bsc#1233323: Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference.
  • CVE-2024-10977, bsc#1233325: Make libpq discard error messages received during SSL or GSS protocol negotiation.
  • CVE-2024-10978, bsc#1233326: Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE
  • CVE-2024-10979, bsc#1233327: Prevent trusted PL/Perl code from changing environment variables.
  • https://www.postgresql.org/about/news/p-2955/
  • https://www.postgresql.org/docs/release/17.1/
  • https://www.postgresql.org/docs/release/17.2/

Upgrade to 17.2:

  • Repair ABI break for extensions that work with struct ResultRelInfo.
  • Restore functionality of ALTER {ROLE|DATABASE} SET role.
  • Fix cases where a logical replication slot's restart_lsn could go backwards.
  • Avoid deleting still-needed WAL files during pg_rewind.
  • Fix race conditions associated with dropping shared statistics entries.
  • Count index scans in contrib/bloom indexes in the statistics views, such as the pg_stat_user_indexes.idx_scan counter.
  • Fix crash when checking to see if an index's opclass options have changed.
  • Avoid assertion failure caused by disconnected NFA sub-graphs in regular expression parsing.

Upgrade to 17.0:

  • New memory management system for VACUUM, which reduces memory consumption and can improve overall vacuuming performance.
  • New SQL/JSON capabilities, including constructors, identity functions, and the JSON_TABLE() function, which converts JSON data into a table representation.
  • Various query performance improvements, including for sequential reads using streaming I/O, write throughput under high concurrency, and searches over multiple values in a btree index.
  • Logical replication enhancements, including:
    • Failover control
    • pg_createsubscriber, a utility that creates logical replicas from physical standbys
    • pg_upgrade now preserves replication slots on both publishers and subscribers
  • New client-side connection option, sslnegotiation=direct, that performs a direct TLS handshake to avoid a round-trip negotiation.
  • pg_basebackup now supports incremental backup.
  • COPY adds a new option, ON_ERROR ignore, that allows a copy operation to continue in the event of an error.
  • https://www.postgresql.org/about/news/p-2936/
  • https://www.postgresql.org/docs/17/release-17.html
References

Affected packages

SUSE:Linux Enterprise Server 12 SP5-LTSS / postgresql

Package

Name
postgresql
Purl
pkg:rpm/suse/postgresql&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
17-4.29.1

Ecosystem specific

{
    "binaries": [
        {
            "libecpg6": "17.2-3.5.1",
            "postgresql-plperl": "17-4.29.1",
            "libpq5-32bit": "17.2-3.5.1",
            "postgresql16-plperl": "16.6-3.21.1",
            "libpq5": "17.2-3.5.1",
            "postgresql-pltcl": "17-4.29.1",
            "postgresql16": "16.6-3.21.1",
            "postgresql-docs": "17-4.29.1",
            "libecpg6-32bit": "17.2-3.5.1",
            "postgresql-plpython": "17-4.29.1",
            "postgresql16-server": "16.6-3.21.1",
            "postgresql16-plpython": "16.6-3.21.1",
            "postgresql16-docs": "16.6-3.21.1",
            "postgresql-contrib": "17-4.29.1",
            "postgresql16-contrib": "16.6-3.21.1",
            "postgresql": "17-4.29.1",
            "postgresql16-pltcl": "16.6-3.21.1",
            "postgresql-server": "17-4.29.1"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP5-LTSS / postgresql16

Package

Name
postgresql16
Purl
pkg:rpm/suse/postgresql16&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
16.6-3.21.1

Ecosystem specific

{
    "binaries": [
        {
            "libecpg6": "17.2-3.5.1",
            "postgresql-plperl": "17-4.29.1",
            "libpq5-32bit": "17.2-3.5.1",
            "postgresql16-plperl": "16.6-3.21.1",
            "libpq5": "17.2-3.5.1",
            "postgresql-pltcl": "17-4.29.1",
            "postgresql16": "16.6-3.21.1",
            "postgresql-docs": "17-4.29.1",
            "libecpg6-32bit": "17.2-3.5.1",
            "postgresql-plpython": "17-4.29.1",
            "postgresql16-server": "16.6-3.21.1",
            "postgresql16-plpython": "16.6-3.21.1",
            "postgresql16-docs": "16.6-3.21.1",
            "postgresql-contrib": "17-4.29.1",
            "postgresql16-contrib": "16.6-3.21.1",
            "postgresql": "17-4.29.1",
            "postgresql16-pltcl": "16.6-3.21.1",
            "postgresql-server": "17-4.29.1"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP5-LTSS / postgresql17

Package

Name
postgresql17
Purl
pkg:rpm/suse/postgresql17&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
17.2-3.5.1

Ecosystem specific

{
    "binaries": [
        {
            "libecpg6": "17.2-3.5.1",
            "postgresql-plperl": "17-4.29.1",
            "libpq5-32bit": "17.2-3.5.1",
            "postgresql16-plperl": "16.6-3.21.1",
            "libpq5": "17.2-3.5.1",
            "postgresql-pltcl": "17-4.29.1",
            "postgresql16": "16.6-3.21.1",
            "postgresql-docs": "17-4.29.1",
            "libecpg6-32bit": "17.2-3.5.1",
            "postgresql-plpython": "17-4.29.1",
            "postgresql16-server": "16.6-3.21.1",
            "postgresql16-plpython": "16.6-3.21.1",
            "postgresql16-docs": "16.6-3.21.1",
            "postgresql-contrib": "17-4.29.1",
            "postgresql16-contrib": "16.6-3.21.1",
            "postgresql": "17-4.29.1",
            "postgresql16-pltcl": "16.6-3.21.1",
            "postgresql-server": "17-4.29.1"
        }
    ]
}

SUSE:Linux Enterprise Server LTSS Extended Security 12 SP5 / postgresql

Package

Name
postgresql
Purl
pkg:rpm/suse/postgresql&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
17-4.29.1

Ecosystem specific

{
    "binaries": [
        {
            "libecpg6": "17.2-3.5.1",
            "postgresql-plperl": "17-4.29.1",
            "libpq5-32bit": "17.2-3.5.1",
            "postgresql16-plperl": "16.6-3.21.1",
            "libpq5": "17.2-3.5.1",
            "postgresql-pltcl": "17-4.29.1",
            "postgresql16": "16.6-3.21.1",
            "postgresql-docs": "17-4.29.1",
            "libecpg6-32bit": "17.2-3.5.1",
            "postgresql-plpython": "17-4.29.1",
            "postgresql16-server": "16.6-3.21.1",
            "postgresql16-plpython": "16.6-3.21.1",
            "postgresql16-docs": "16.6-3.21.1",
            "postgresql-contrib": "17-4.29.1",
            "postgresql16-contrib": "16.6-3.21.1",
            "postgresql": "17-4.29.1",
            "postgresql16-pltcl": "16.6-3.21.1",
            "postgresql-server": "17-4.29.1"
        }
    ]
}

SUSE:Linux Enterprise Server LTSS Extended Security 12 SP5 / postgresql16

Package

Name
postgresql16
Purl
pkg:rpm/suse/postgresql16&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
16.6-3.21.1

Ecosystem specific

{
    "binaries": [
        {
            "libecpg6": "17.2-3.5.1",
            "postgresql-plperl": "17-4.29.1",
            "libpq5-32bit": "17.2-3.5.1",
            "postgresql16-plperl": "16.6-3.21.1",
            "libpq5": "17.2-3.5.1",
            "postgresql-pltcl": "17-4.29.1",
            "postgresql16": "16.6-3.21.1",
            "postgresql-docs": "17-4.29.1",
            "libecpg6-32bit": "17.2-3.5.1",
            "postgresql-plpython": "17-4.29.1",
            "postgresql16-server": "16.6-3.21.1",
            "postgresql16-plpython": "16.6-3.21.1",
            "postgresql16-docs": "16.6-3.21.1",
            "postgresql-contrib": "17-4.29.1",
            "postgresql16-contrib": "16.6-3.21.1",
            "postgresql": "17-4.29.1",
            "postgresql16-pltcl": "16.6-3.21.1",
            "postgresql-server": "17-4.29.1"
        }
    ]
}

SUSE:Linux Enterprise Server LTSS Extended Security 12 SP5 / postgresql17

Package

Name
postgresql17
Purl
pkg:rpm/suse/postgresql17&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
17.2-3.5.1

Ecosystem specific

{
    "binaries": [
        {
            "libecpg6": "17.2-3.5.1",
            "postgresql-plperl": "17-4.29.1",
            "libpq5-32bit": "17.2-3.5.1",
            "postgresql16-plperl": "16.6-3.21.1",
            "libpq5": "17.2-3.5.1",
            "postgresql-pltcl": "17-4.29.1",
            "postgresql16": "16.6-3.21.1",
            "postgresql-docs": "17-4.29.1",
            "libecpg6-32bit": "17.2-3.5.1",
            "postgresql-plpython": "17-4.29.1",
            "postgresql16-server": "16.6-3.21.1",
            "postgresql16-plpython": "16.6-3.21.1",
            "postgresql16-docs": "16.6-3.21.1",
            "postgresql-contrib": "17-4.29.1",
            "postgresql16-contrib": "16.6-3.21.1",
            "postgresql": "17-4.29.1",
            "postgresql16-pltcl": "16.6-3.21.1",
            "postgresql-server": "17-4.29.1"
        }
    ]
}
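The practical question this record answers is "is the installed package at or above the fixed version?" The script below is an added example, not part of the OSV record or of SUSE's own tooling: it embeds the advisory's "binaries" map exactly as printed above, implements a minimal rpmvercmp-style comparison of epoch, version and release (tilde pre-release segments handled, rpm's caret segment not), and audits a listing in the shape of `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'` against it. The package names and fixed versions come from the page; the installed versions in SAMPLE_RPM_QA are constructed for illustration.

```python
"""Audit installed RPMs against the fixed versions in SUSE-SU-2024:4052-1.

Added example, not part of the OSV record or of SUSE's own tooling.
FIXED_BINARIES is the "binaries" map copied from the advisory; the
installed versions in SAMPLE_RPM_QA are constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Iterable

# Fixed version-release strings (no epoch on this page) for the binaries the advisory names.
FIXED_BINARIES: dict[str, str] = {
    "libecpg6": "17.2-3.5.1",
    "postgresql-plperl": "17-4.29.1",
    "libpq5-32bit": "17.2-3.5.1",
    "postgresql16-plperl": "16.6-3.21.1",
    "libpq5": "17.2-3.5.1",
    "postgresql-pltcl": "17-4.29.1",
    "postgresql16": "16.6-3.21.1",
    "postgresql-docs": "17-4.29.1",
    "libecpg6-32bit": "17.2-3.5.1",
    "postgresql-plpython": "17-4.29.1",
    "postgresql16-server": "16.6-3.21.1",
    "postgresql16-plpython": "16.6-3.21.1",
    "postgresql16-docs": "16.6-3.21.1",
    "postgresql-contrib": "17-4.29.1",
    "postgresql16-contrib": "16.6-3.21.1",
    "postgresql": "17-4.29.1",
    "postgresql16-pltcl": "16.6-3.21.1",
    "postgresql-server": "17-4.29.1",
}

# Constructed listing in the shape of:
#   rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'
# rpm prints "(none)" for an unset epoch. The release numbers of the
# not-yet-updated packages are made up for this example.
SAMPLE_RPM_QA = """\
postgresql16-server (none) 16.5 3.18.1
postgresql16 (none) 16.5 3.18.1
libpq5 (none) 17.2 3.5.1
postgresql (none) 17 4.29.1
postgresql-server (none) 16 4.25.1
bash (none) 4.4 9.10.1
"""

_TOKEN = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Minimal rpmvercmp: compare segment by segment, numeric segments beat
    alphabetic ones, and a '~' segment sorts before anything (pre-release).
    rpm's '^' segment is not handled. Returns -1, 0 or 1."""
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    i = 0
    while i < len(ta) or i < len(tb):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == "~" or y == "~":
            # The side carrying the tilde is the older one, even against "nothing".
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        if x is None:  # a ran out of segments first -> a is older
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():  # numeric segment beats alphabetic segment
            c = 1
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
        i += 1
    return 0


def parse_evr(evr: str) -> tuple[int, str, str]:
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings the way rpm does: epoch, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def audit_rpm_listing(lines: Iterable[str], fixed: dict[str, str] = FIXED_BINARIES) -> dict[str, str]:
    """Return {package: 'fixed' | 'vulnerable'} for every installed package
    that the advisory names; packages it does not name are ignored."""
    verdict: dict[str, str] = {}
    for line in lines:
        if not line.strip():
            continue
        name, epoch, version, release = line.split()
        if name not in fixed:
            continue
        installed = f"{'0' if epoch == '(none)' else epoch}:{version}-{release}"
        verdict[name] = "fixed" if evr_cmp(installed, fixed[name]) >= 0 else "vulnerable"
    return verdict


if __name__ == "__main__":
    for pkg, state in sorted(audit_rpm_listing(SAMPLE_RPM_QA.splitlines()).items()):
        print(f"{pkg:24s} {state}")
```

On a real host, feed the output of `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'` to `audit_rpm_listing()`. One caveat visible in the record itself: the "binaries" map names no postgresql17-* package even though the postgresql17 range lists 17.2-3.5.1 as fixed, so postgresql17 and postgresql17-server have to be checked against that range value separately rather than through the map.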