openSUSE Security Update: Security update for postgresql93 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2016:2425-1 Rating: important References: #993453 #993454 Cross-References: CVE-2016-5423 CVE-2016-5424 Affected Products: openSUSE 13.2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: The postgresql server postgresql93 was updated to 9.3.14 fixes the following issues: Update to version 9.3.14: * Fix possible mis-evaluation of nested CASE-WHEN expressions (CVE-2016-5423, boo#993454) * Fix client programs' handling of special characters in database and role names (CVE-2016-5424, boo#993453) * Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied to nested composite values * Make the inet and cidr data types properly reject IPv6 addresses with too many colon-separated fields * Prevent crash in close_ps() (the point ## lseg operator) for NaN input coordinates * Fix several one-byte buffer over-reads in to_number() * Avoid unsafe intermediate state during expensive paths through heap_update() * For the other bug fixes, see the release notes: https://www.postgresql.org/docs/9.3/static/release-9-3-14.html Update to version 9.3.13: This update fixes several problems which caused downtime for users, including: - Clearing the OpenSSL error queue before OpenSSL calls, preventing errors in SSL connections, particularly when using the Python, Ruby or PHP OpenSSL wrappers - Fixed the "failed to build N-way joins" planner error - Fixed incorrect handling of equivalence in multilevel nestloop query plans, which could emit rows which didn't match the WHERE clause. - Prevented two memory leaks with using GIN indexes, including a potential index corruption risk. The release also includes many other bug fixes for reported issues, many of which affect all supported versions: - Fix corner-case parser failures occurring when operator_precedence_warning is turned on - Prevent possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp() - Correct dumping of VIEWs and RULEs which use ANY (array) in a subselect - Disallow newlines in ALTER SYSTEM parameter values - Avoid possible misbehavior after failing to remove a tablespace symlink - Fix crash in logical decoding on alignment-picky platforms - Avoid repeated requests for feedback from receiver while shutting down walsender - Multiple fixes for pg_upgrade - Support building with Visual Studio 2015 - This update also contains tzdata release 2016d, with updates for Russia, Venezuela, Kirov, and Tomsk. http://www.postgresql.org/docs/current/static/release-9-3-13.html Update to version 9.3.12: - Fix two bugs in indexed ROW() comparisons - Avoid data loss due to renaming files - Prevent an error in rechecking rows in SELECT FOR UPDATE/SHARE - Fix bugs in multiple json_ and jsonb_ functions - Log lock waits for INSERT ON CONFLICT correctly - Ignore recovery_min_apply_delay until reaching a consistent state - Fix issue with pg_subtrans XID wraparound - Fix assorted bugs in Logical Decoding - Fix planner error with nested security barrier views - Prevent memory leak in GIN indexes - Fix two issues with ispell dictionaries - Avoid a crash on old Windows versions - Skip creating an erroneous delete script in pg_upgrade - Correctly translate empty arrays into PL/Perl - Make PL/Python cope with identifier names For the full release notes, see: http://www.postgresql.org/docs/9.4/static/release-9-3-12.html Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.2: zypper in -t patch openSUSE-2016-1140=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.2 (i586 x86_64): libecpg6-9.3.14-2.13.1 libecpg6-debuginfo-9.3.14-2.13.1 libpq5-9.3.14-2.13.1 libpq5-debuginfo-9.3.14-2.13.1 postgresql93-9.3.14-2.13.1 postgresql93-contrib-9.3.14-2.13.1 postgresql93-contrib-debuginfo-9.3.14-2.13.1 postgresql93-debuginfo-9.3.14-2.13.1 postgresql93-debugsource-9.3.14-2.13.1 postgresql93-devel-9.3.14-2.13.1 postgresql93-devel-debuginfo-9.3.14-2.13.1 postgresql93-libs-debugsource-9.3.14-2.13.1 postgresql93-plperl-9.3.14-2.13.1 postgresql93-plperl-debuginfo-9.3.14-2.13.1 postgresql93-plpython-9.3.14-2.13.1 postgresql93-plpython-debuginfo-9.3.14-2.13.1 postgresql93-pltcl-9.3.14-2.13.1 postgresql93-pltcl-debuginfo-9.3.14-2.13.1 postgresql93-server-9.3.14-2.13.1 postgresql93-server-debuginfo-9.3.14-2.13.1 postgresql93-test-9.3.14-2.13.1 - openSUSE 13.2 (noarch): postgresql93-docs-9.3.14-2.13.1 - openSUSE 13.2 (x86_64): libecpg6-32bit-9.3.14-2.13.1 libecpg6-debuginfo-32bit-9.3.14-2.13.1 libpq5-32bit-9.3.14-2.13.1 libpq5-debuginfo-32bit-9.3.14-2.13.1 References: https://www.suse.com/security/cve/CVE-2016-5423.html https://www.suse.com/security/cve/CVE-2016-5424.html https://bugzilla.suse.com/993453 https://bugzilla.suse.com/993454