Overview

File _patchinfo of Package patchinfo.17151

<patchinfo incident="17151">
  <issue tracker="cve" id="2020-25695"/>
  <issue tracker="cve" id="2020-25696"/>
  <issue tracker="cve" id="2020-25694"/>
  <issue tracker="cve" id="2020-14349"/>
  <issue tracker="cve" id="2020-14350"/>
  <issue tracker="bnc" id="1178668">VUL-0: CVE-2020-25696: postgresql96,postgresql10,postgresql12: \gset command from modifying specially-treated variables</issue>
  <issue tracker="bnc" id="1178666">VUL-0: CVE-2020-25695: postgresql96,postgresql10,postgresql12: potential query escalation</issue>
  <issue tracker="bnc" id="1178667">VUL-0: CVE-2020-25694: postgresql96,postgresql10,postgresql12: Fix usage of complex connection-string parameters in pg_ tools</issue>
  <issue tracker="bnc" id="1175193">VUL-0: CVE-2020-14349: postgresql10,postgresql12: Set a secure search_path in logical replication walsenders and apply workers</issue>
  <issue tracker="bnc" id="1175194">VUL-0: CVE-2020-14350: postgresql96,postgresql10,postgresql12: Make contrib modules' installation scripts more secure</issue>
  <packager>rmax</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for postgresql10</summary>
  <description>This update for postgresql10 fixes the following issues:

Upgrade to version 10.15:

  * CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
    and firing of deferred triggers within index expressions and
    materialized view queries.
  * CVE-2020-25694, bsc#1178667:
    a) Fix usage of complex connection-string parameters in pg_dump,
    pg_restore, clusterdb, reindexdb, and vacuumdb.
    b) When psql's \connect command re-uses connection parameters,
    ensure that all non-overridden parameters from a previous
    connection string are re-used.
  * CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
    modifying specially-treated variables.
  * https://www.postgresql.org/about/news/2111/
  * https://www.postgresql.org/docs/10/release-10-15.html

Update to 10.14:

  * CVE-2020-14349, bsc#1175193: Set a secure search_path in
    logical replication walsenders and apply workers
  * CVE-2020-14350, bsc#1175194: Make contrib modules' installation
    scripts more secure.
  * https://www.postgresql.org/docs/10/release-10-14.html

</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places