SUSE Package Hub - SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-3159

Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-3159

Security update for postgresql16

Type: security

Severity: important

Issued: 2024-10-24

Description:

This update for postgresql16 fixes the following issues:

- Upgrade to 16.4 (bsc#1229013)
- CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL. (bsc#1229013)
- CVE-2024-4317: Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner. See the release notes for the steps that have to be taken to fix existing PostgreSQL instances. (bsc#1224038)

References

CVE: CVE-2024-7348
CVE: CVE-2024-4317
Bugzilla: 1229013 VUL-0: CVE-2024-7348: postgresql: time-of-check time-of-use (TOCTOU) race condition in pg_dump allows an object creator to execute arbitrary SQL functions as the user running pg_dump
Bugzilla: 1224051 PostgreSQL bugfix releases May 2024
Bugzilla: 1224038 VUL-0: CVE-2024-4317: postgresql14,postgresql15,postgresql16: Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner

Packages

postgresql16-16.4-150600.16.5.1