Feature update for ongres-scram, ongres-stringprep, postgresql-jdbc SUSE Patch security@suse.de SUSE Security Team SUSE-FU-2022:2794-1 Final 1 1 2022-08-12T09:14:03Z current 2022-08-12T09:14:03Z 2022-08-12T09:14:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Feature update for ongres-scram, ongres-stringprep, postgresql-jdbc This feature update for ongres-scram, ongres-stringprep, postgresql-jdbc provides: ongres-scram: - Upgrade from version 1.0.0-beta.2 to version 2.1. (jsc#SLE-23994) * Add standard `SASLPrep` (bsc#1196693, jsc#SLE-23994) * Failover to bouncy castle implementation of `PBKDF2WithHmacSHA256` to support Oracle JDK 7 * Updated `saslprep` to version 1.1 to remove a build dependency coming from the `stringprep` module ongres-stringprep: - Introduce `ongres-stringprep` 1.1 as dependency of `ongres-scram`. (bsc#1196693, jsc#SLE-23994) postgresql-jdbc: - CVE-2022-26520: Fixed arbitrary File Write Vulnerability (bsc#1197356) - Upgrade postgresql-jdbc from version 42.2.16 to version 42.2.25 (jsc#SLE-23994) * Use `SASLprep` normalization for SCRAM authentication and fixes issues with spaces in passwords. (bsc#1196693) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure-2022-2794,Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM-2022-2794,Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE-2022-2794,SUSE-2022-2794,SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-2794,SUSE-SLE-Module-Server-Applications-15-SP3-2022-2794,openSUSE-SLE-15.3-2022-2794 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/-2022-2794/suse-fu-20222794-1/ Link for SUSE-FU-2022:2794-1 https://lists.suse.com/pipermail/sle-updates/2022-August/024432.html E-Mail link for SUSE-FU-2022:2794-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1196693 SUSE Bug 1196693 https://bugzilla.suse.com/1197356 SUSE Bug 1197356 https://www.suse.com/security/cve/CVE-2022-26520/ SUSE CVE CVE-2022-26520 page Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE SUSE Linux Enterprise Module for Server Applications 15 SP3 SUSE Manager Server Module 4.2 openSUSE Leap 15.3 ongres-scram-2.1-150300.3.3.4 ongres-scram-client-2.1-150300.3.3.4 ongres-stringprep-1.1-150300.7.3.4 ongres-stringprep-saslprep-1.1-150300.7.3.4 postgresql-jdbc-42.2.25-150300.3.5.2 ongres-scram-javadoc-2.1-150300.3.3.4 ongres-scram-parent-2.1-150300.3.3.4 ongres-stringprep-codegenerator-1.1-150300.7.3.4 ongres-stringprep-javadoc-1.1-150300.7.3.4 ongres-stringprep-parent-1.1-150300.7.3.4 postgresql-jdbc-javadoc-42.2.25-150300.3.5.2 ongres-scram-2.1-150300.3.3.4 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure ongres-scram-client-2.1-150300.3.3.4 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure ongres-stringprep-1.1-150300.7.3.4 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure ongres-stringprep-saslprep-1.1-150300.7.3.4 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure postgresql-jdbc-42.2.25-150300.3.5.2 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure ongres-scram-2.1-150300.3.3.4 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM ongres-scram-client-2.1-150300.3.3.4 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM ongres-stringprep-1.1-150300.7.3.4 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM ongres-stringprep-saslprep-1.1-150300.7.3.4 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM postgresql-jdbc-42.2.25-150300.3.5.2 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM ongres-scram-2.1-150300.3.3.4 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE ongres-scram-client-2.1-150300.3.3.4 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE ongres-stringprep-1.1-150300.7.3.4 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE ongres-stringprep-saslprep-1.1-150300.7.3.4 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE postgresql-jdbc-42.2.25-150300.3.5.2 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE ongres-scram-2.1-150300.3.3.4 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP3 ongres-scram-client-2.1-150300.3.3.4 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP3 ongres-stringprep-1.1-150300.7.3.4 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP3 ongres-stringprep-saslprep-1.1-150300.7.3.4 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP3 postgresql-jdbc-42.2.25-150300.3.5.2 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP3 ongres-scram-2.1-150300.3.3.4 as a component of SUSE Manager Server Module 4.2 ongres-scram-client-2.1-150300.3.3.4 as a component of SUSE Manager Server Module 4.2 ongres-stringprep-1.1-150300.7.3.4 as a component of SUSE Manager Server Module 4.2 ongres-stringprep-saslprep-1.1-150300.7.3.4 as a component of SUSE Manager Server Module 4.2 postgresql-jdbc-42.2.25-150300.3.5.2 as a component of SUSE Manager Server Module 4.2 ongres-scram-2.1-150300.3.3.4 as a component of openSUSE Leap 15.3 ongres-scram-client-2.1-150300.3.3.4 as a component of openSUSE Leap 15.3 ongres-scram-javadoc-2.1-150300.3.3.4 as a component of openSUSE Leap 15.3 ongres-scram-parent-2.1-150300.3.3.4 as a component of openSUSE Leap 15.3 ongres-stringprep-1.1-150300.7.3.4 as a component of openSUSE Leap 15.3 ongres-stringprep-codegenerator-1.1-150300.7.3.4 as a component of openSUSE Leap 15.3 ongres-stringprep-javadoc-1.1-150300.7.3.4 as a component of openSUSE Leap 15.3 ongres-stringprep-parent-1.1-150300.7.3.4 as a component of openSUSE Leap 15.3 ongres-stringprep-saslprep-1.1-150300.7.3.4 as a component of openSUSE Leap 15.3 postgresql-jdbc-42.2.25-150300.3.5.2 as a component of openSUSE Leap 15.3 postgresql-jdbc-javadoc-42.2.25-150300.3.5.2 as a component of openSUSE Leap 15.3 In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties CVE-2022-26520 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:ongres-scram-2.1-150300.3.3.4 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:ongres-scram-client-2.1-150300.3.3.4 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:ongres-stringprep-1.1-150300.7.3.4 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:ongres-stringprep-saslprep-1.1-150300.7.3.4 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:postgresql-jdbc-42.2.25-150300.3.5.2 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:ongres-scram-2.1-150300.3.3.4 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:ongres-scram-client-2.1-150300.3.3.4 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:ongres-stringprep-1.1-150300.7.3.4 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:ongres-stringprep-saslprep-1.1-150300.7.3.4 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:postgresql-jdbc-42.2.25-150300.3.5.2 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:ongres-scram-2.1-150300.3.3.4 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:ongres-scram-client-2.1-150300.3.3.4 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:ongres-stringprep-1.1-150300.7.3.4 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:ongres-stringprep-saslprep-1.1-150300.7.3.4 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:postgresql-jdbc-42.2.25-150300.3.5.2 SUSE Linux Enterprise Module for Server Applications 15 SP3:ongres-scram-2.1-150300.3.3.4 SUSE Linux Enterprise Module for Server Applications 15 SP3:ongres-scram-client-2.1-150300.3.3.4 SUSE Linux Enterprise Module for Server Applications 15 SP3:ongres-stringprep-1.1-150300.7.3.4 SUSE Linux Enterprise Module for Server Applications 15 SP3:ongres-stringprep-saslprep-1.1-150300.7.3.4 SUSE Linux Enterprise Module for Server Applications 15 SP3:postgresql-jdbc-42.2.25-150300.3.5.2 SUSE Manager Server Module 4.2:ongres-scram-2.1-150300.3.3.4 SUSE Manager Server Module 4.2:ongres-scram-client-2.1-150300.3.3.4 SUSE Manager Server Module 4.2:ongres-stringprep-1.1-150300.7.3.4 SUSE Manager Server Module 4.2:ongres-stringprep-saslprep-1.1-150300.7.3.4 SUSE Manager Server Module 4.2:postgresql-jdbc-42.2.25-150300.3.5.2 openSUSE Leap 15.3:ongres-scram-2.1-150300.3.3.4 openSUSE Leap 15.3:ongres-scram-client-2.1-150300.3.3.4 openSUSE Leap 15.3:ongres-scram-javadoc-2.1-150300.3.3.4 openSUSE Leap 15.3:ongres-scram-parent-2.1-150300.3.3.4 openSUSE Leap 15.3:ongres-stringprep-1.1-150300.7.3.4 openSUSE Leap 15.3:ongres-stringprep-codegenerator-1.1-150300.7.3.4 openSUSE Leap 15.3:ongres-stringprep-javadoc-1.1-150300.7.3.4 openSUSE Leap 15.3:ongres-stringprep-parent-1.1-150300.7.3.4 openSUSE Leap 15.3:ongres-stringprep-saslprep-1.1-150300.7.3.4 openSUSE Leap 15.3:postgresql-jdbc-42.2.25-150300.3.5.2 openSUSE Leap 15.3:postgresql-jdbc-javadoc-42.2.25-150300.3.5.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/-2022-2794/suse-fu-20222794-1/ https://www.suse.com/security/cve/CVE-2022-26520.html CVE-2022-26520 https://bugzilla.suse.com/1197356 SUSE Bug 1197356