openSUSE Security Update: Security update for postgresql93
______________________________________________________________________________

Announcement ID: openSUSE-SU-2016:2425-1
Rating: important
References: #993453 #993454
Cross-References: CVE-2016-5423 CVE-2016-5424
Affected Products:
openSUSE 13.2
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

The postgresql server postgresql93 was updated to 9.3.14 fixes the
following issues:

Update to version 9.3.14:
* Fix possible mis-evaluation of nested CASE-WHEN expressions
(CVE-2016-5423, boo#993454)
* Fix client programs’ handling of special characters in database and role
names (CVE-2016-5424, boo#993453)
* Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied to nested
composite values
* Make the inet and cidr data types properly reject IPv6 addresses with
too many colon-separated fields
* Prevent crash in close_ps() (the point ## lseg operator) for NaN input
coordinates
* Fix several one-byte buffer over-reads in to_number()
* Avoid unsafe intermediate state during expensive paths through
heap_update()
* For the other bug fixes, see the release notes:
https://www.postgresql.org/docs/9.3/static/release-9-3-14.html

Update to version 9.3.13:

This update fixes several problems which caused downtime for users,
including:
– Clearing the OpenSSL error queue before OpenSSL calls, preventing errors
in SSL connections, particularly when using the Python, Ruby or PHP
OpenSSL wrappers
– Fixed the “failed to build N-way joins” planner error
– Fixed incorrect handling of equivalence in multilevel nestloop query
plans, which could emit rows which didn’t match the WHERE clause.
– Prevented two memory leaks with using GIN indexes, including a potential
index corruption risk. The release also includes many other bug fixes
for reported issues, many of which affect all supported versions:
– Fix corner-case parser failures occurring when
operator_precedence_warning is turned on
– Prevent possible misbehavior of TH, th, and Y,YYY format codes in
to_timestamp()
– Correct dumping of VIEWs and RULEs which use ANY (array) in a subselect
– Disallow newlines in ALTER SYSTEM parameter values
– Avoid possible misbehavior after failing to remove a tablespace symlink
– Fix crash in logical decoding on alignment-picky platforms
– Avoid repeated requests for feedback from receiver while shutting down
walsender
– Multiple fixes for pg_upgrade
– Support building with Visual Studio 2015
– This update also contains tzdata release 2016d, with updates for Russia,
Venezuela, Kirov, and Tomsk.
http://www.postgresql.org/docs/current/static/release-9-3-13.html

Update to version 9.3.12:

– Fix two bugs in indexed ROW() comparisons
– Avoid data loss due to renaming files
– Prevent an error in rechecking rows in SELECT FOR UPDATE/SHARE
– Fix bugs in multiple json_ and jsonb_ functions
– Log lock waits for INSERT ON CONFLICT correctly
– Ignore recovery_min_apply_delay until reaching a consistent state
– Fix issue with pg_subtrans XID wraparound
– Fix assorted bugs in Logical Decoding
– Fix planner error with nested security barrier views
– Prevent memory leak in GIN indexes
– Fix two issues with ispell dictionaries
– Avoid a crash on old Windows versions
– Skip creating an erroneous delete script in pg_upgrade
– Correctly translate empty arrays into PL/Perl
– Make PL/Python cope with identifier names

For the full release notes, see:
http://www.postgresql.org/docs/9.4/static/release-9-3-12.html

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– openSUSE 13.2:

zypper in -t patch openSUSE-2016-1140=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– openSUSE 13.2 (i586 x86_64):

libecpg6-9.3.14-2.13.1
libecpg6-debuginfo-9.3.14-2.13.1
libpq5-9.3.14-2.13.1
libpq5-debuginfo-9.3.14-2.13.1
postgresql93-9.3.14-2.13.1
postgresql93-contrib-9.3.14-2.13.1
postgresql93-contrib-debuginfo-9.3.14-2.13.1
postgresql93-debuginfo-9.3.14-2.13.1
postgresql93-debugsource-9.3.14-2.13.1
postgresql93-devel-9.3.14-2.13.1
postgresql93-devel-debuginfo-9.3.14-2.13.1
postgresql93-libs-debugsource-9.3.14-2.13.1
postgresql93-plperl-9.3.14-2.13.1
postgresql93-plperl-debuginfo-9.3.14-2.13.1
postgresql93-plpython-9.3.14-2.13.1
postgresql93-plpython-debuginfo-9.3.14-2.13.1
postgresql93-pltcl-9.3.14-2.13.1
postgresql93-pltcl-debuginfo-9.3.14-2.13.1
postgresql93-server-9.3.14-2.13.1
postgresql93-server-debuginfo-9.3.14-2.13.1
postgresql93-test-9.3.14-2.13.1

– openSUSE 13.2 (noarch):

postgresql93-docs-9.3.14-2.13.1

– openSUSE 13.2 (x86_64):

libecpg6-32bit-9.3.14-2.13.1
libecpg6-debuginfo-32bit-9.3.14-2.13.1
libpq5-32bit-9.3.14-2.13.1
libpq5-debuginfo-32bit-9.3.14-2.13.1

References:

https://www.suse.com/security/cve/CVE-2016-5423.html
https://www.suse.com/security/cve/CVE-2016-5424.html
https://bugzilla.suse.com/993453
https://bugzilla.suse.com/993454

—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org