File _patchinfo of Package patchinfo.17155

<patchinfo incident="17155">
  <issue tracker="cve" id="2020-25695"/>
  <issue tracker="cve" id="2020-25694"/>
  <issue tracker="cve" id="2020-25696"/>
  <issue tracker="bnc" id="1178667">VUL-0: CVE-2020-25694: postgresql96,postgresql10,postgresql12: Fix usage of complex connection-string parameters in pg_ tools</issue>
  <issue tracker="bnc" id="1178666">VUL-0: CVE-2020-25695: postgresql96,postgresql10,postgresql12: potential query escalation</issue>
  <issue tracker="bnc" id="1178668">VUL-0: CVE-2020-25696: postgresql96,postgresql10,postgresql12: \gset command from modifying specially-treated variables</issue>
  <summary>Security update for postgresql10</summary>
  <description>This update for postgresql10 fixes the following issues:

- Upgrade to version 10.15:
  * CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
    and firing of deferred triggers within index expressions and
    materialized view queries.
  * CVE-2020-25694, bsc#1178667:
    a) Fix usage of complex connection-string parameters in pg_dump,
    pg_restore, clusterdb, reindexdb, and vacuumdb.
    b) When psql's \connect command re-uses connection parameters,
    ensure that all non-overridden parameters from a previous
    connection string are re-used.
  * CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
    modifying specially-treated variables.
  * Fix recently-added timetz test case so it works when the USA
    is not observing daylight savings time.
openSUSE Build Service is sponsored by