File _patchinfo of Package patchinfo

<patchinfo incident="7830">
  <issue id="1067844" tracker="bnc">VUL-0: CVE-2017-15098: postgresql94,postgresql96: Memory disclosure in JSON functions</issue>
  <issue id="1067841" tracker="bnc">VUL-0: CVE-2017-15099: postgresql96: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges</issue>
  <issue id="1051684" tracker="bnc">VUL-0: CVE-2017-7546: postgresql,postgresql94,postgresql96: Empty password accepted in some authentication methods</issue>
  <issue id="1051685" tracker="bnc">VUL-0: CVE-2017-7547: postgresql,postgresql94,postgresql96: pg_user_mappings view discloses passwords to users lacking server privileges</issue>
  <issue id="1077983" tracker="bnc">VUL-0: CVE-2018-1053: postgresql91,postgresql96,postgresql,postgresql94: pg_upgrade creates file of sensitive metadata under prevailing umask</issue>
  <issue id="1079757" tracker="bnc">[glibc2.27] postgresql10 fails to build</issue>
  <issue id="1053259" tracker="bnc">VUL-0: CVE-2017-7548: postgresql94,postgresql96,postgresql,postgresql93: lo_put() function ignores ACLs</issue>
  <issue id="2017-7548" tracker="cve" />
  <issue id="2017-7546" tracker="cve" />
  <issue id="2017-7547" tracker="cve" />
  <issue id="2018-1053" tracker="cve" />
  <issue id="2017-15098" tracker="cve" />
  <issue id="2017-15099" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>AndreasStieger</packager>
  <description>This update for postgresql95 fixes the following issues:

Update to PostgreSQL 9.5.11:

Security issues fixed:

  * https://www.postgresql.org/docs/9.5/static/release-9-5-11.html 
  * CVE-2018-1053, boo#1077983: Ensure that all temporary files 
    made by pg_upgrade are non-world-readable. 
  * boo#1079757: Rename pg_rewind's copy_file_range function to 
    avoid conflict with new Linux system call of that name.

In version 9.5.10:

  * https://www.postgresql.org/docs/9.5/static/release-9-5-10.html
  * CVE-2017-15098, boo#1067844: Memory disclosure in JSON
    functions.
  * CVE-2017-15099, boo#1067841: INSERT ... ON CONFLICT DO UPDATE 
    fails to enforce SELECT privileges.

In version 9.5.9:

  * https://www.postgresql.org/docs/9.5/static/release-9-5-9.html
  * Show foreign tables in information_schema.table_privileges
    view.
  * Clean up handling of a fatal exit (e.g., due to receipt of
    SIGTERM) that occurs while trying to execute a ROLLBACK of a
    failed transaction.
  * Remove assertion that could trigger during a fatal exit.
  * Correctly identify columns that are of a range type or domain
    type over a composite type or domain type being searched for.
  * Fix crash in pg_restore when using parallel mode and using a
    list file to select a subset of items to restore.
  * Change ecpg's parser to allow RETURNING clauses without
    attached C variables.

In version 9.5.8:

  * https://www.postgresql.org/docs/9.5/static/release-9-5-8.html
  * CVE-2017-7547, boo#1051685: Further restrict visibility of
    pg_user_mappings.umoptions, to protect passwords stored as
    user mapping options.
  * CVE-2017-7546, boo#1051684: Disallow empty passwords in all
    password-based authentication methods.
  * CVE-2017-7548, boo#1053259: lo_put() function ignores ACLs.

</description>
  <summary>Security update for postgresql95</summary>
</patchinfo>