Security update for postgresql12 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:0542-1 Final 1 1 2024-02-20T15:04:38Z current 2024-02-20T15:04:38Z 2024-02-20T15:04:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql12 This update for postgresql12 fixes the following issues: Upgrade to 12.18: - CVE-2024-0985: Tighten security restrictions within REFRESH MATERIALIZED VIEW CONCURRENTLY (bsc#1219679). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-542,SUSE-SLE-SDK-12-SP5-2024-542,SUSE-SLE-SERVER-12-SP5-2024-542 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20240542-1/ Link for SUSE-SU-2024:0542-1 https://lists.suse.com/pipermail/sle-updates/2024-February/034293.html E-Mail link for SUSE-SU-2024:0542-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1219679 SUSE Bug 1219679 https://www.suse.com/security/cve/CVE-2024-0985/ SUSE CVE CVE-2024-0985 page SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 postgresql12-12.18-3.52.1 postgresql12-contrib-12.18-3.52.1 postgresql12-devel-12.18-3.52.1 postgresql12-docs-12.18-3.52.1 postgresql12-llvmjit-devel-12.18-3.52.1 postgresql12-plperl-12.18-3.52.1 postgresql12-plpython-12.18-3.52.1 postgresql12-pltcl-12.18-3.52.1 postgresql12-server-12.18-3.52.1 postgresql12-server-devel-12.18-3.52.1 postgresql12-test-12.18-3.52.1 postgresql12-12.18-3.52.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql12-contrib-12.18-3.52.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql12-docs-12.18-3.52.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql12-plperl-12.18-3.52.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql12-plpython-12.18-3.52.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql12-pltcl-12.18-3.52.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql12-server-12.18-3.52.1 as a component of SUSE Linux Enterprise Server 12 SP5 postgresql12-12.18-3.52.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql12-contrib-12.18-3.52.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql12-docs-12.18-3.52.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql12-plperl-12.18-3.52.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql12-plpython-12.18-3.52.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql12-pltcl-12.18-3.52.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql12-server-12.18-3.52.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql12-devel-12.18-3.52.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 postgresql12-server-devel-12.18-3.52.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected. CVE-2024-0985 SUSE Linux Enterprise Server 12 SP5:postgresql12-12.18-3.52.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-contrib-12.18-3.52.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-docs-12.18-3.52.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-plperl-12.18-3.52.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-plpython-12.18-3.52.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-pltcl-12.18-3.52.1 SUSE Linux Enterprise Server 12 SP5:postgresql12-server-12.18-3.52.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-12.18-3.52.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-contrib-12.18-3.52.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-docs-12.18-3.52.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-plperl-12.18-3.52.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-plpython-12.18-3.52.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-pltcl-12.18-3.52.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:postgresql12-server-12.18-3.52.1 SUSE Linux Enterprise Software Development Kit 12 SP5:postgresql12-devel-12.18-3.52.1 SUSE Linux Enterprise Software Development Kit 12 SP5:postgresql12-server-devel-12.18-3.52.1 important 8 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240542-1/ https://www.suse.com/security/cve/CVE-2024-0985.html CVE-2024-0985 https://bugzilla.suse.com/1219679 SUSE Bug 1219679