Bugzilla – Bug 993454
VUL-0: CVE-2016-5423: postgresql: CASE/WHEN with inlining can cause untrusted pointer dereference
Last modified: 2018-11-07 16:28:47 UTC
rh#1364001

It was discovered that certain SQL statements containing CASE/WHEN commands could crash the PostgreSQL server, or disclose a few bytes of server memory, potentially leading to arbitrary code execution.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1364001
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5423
http://www.debian.org/security/2016/dsa-3646
Upstream patch https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=f0c7b789ab12fbc8248b671c7882dd96ac932ef4
Affected versions: 9.5, 9.4, 9.3, 9.2, 9.1
Upstream fixed in: 9.5.4, 9.4.9, 9.3.14, 9.2.18, 9.1.23
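An added example, not part of this bug report or of PostgreSQL itself: a small Python check that maps a server or client version banner (the output of `psql --version` or `SELECT version();`) against the upstream fixed releases listed above, so an administrator can tell whether a given installation still needs the update. The branch-to-fixed-release table is taken from this bug; the sample banners in the block are constructed.

```python
"""Check a PostgreSQL version banner against the upstream releases that fix
CVE-2016-5423 (9.5.4, 9.4.9, 9.3.14, 9.2.18, 9.1.23) as listed in this bug.

Added example, not code from the bug report or from PostgreSQL. Feed it the
output of `psql --version` or of `SELECT version();`.
"""
import re
from typing import Optional, Tuple

# Minimum fixed release per affected branch, taken from this bug report.
FIXED_IN = {
    (9, 5): (9, 5, 4),
    (9, 4): (9, 4, 9),
    (9, 3): (9, 3, 14),
    (9, 2): (9, 2, 18),
    (9, 1): (9, 1, 23),
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first x.y.z version number from a banner such as
    'psql (PostgreSQL) 9.4.8' or 'PostgreSQL 9.3.14 on x86_64-...'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def cve_2016_5423_status(text: str) -> str:
    """Return 'fixed', 'affected' or 'unknown' for the given version banner.

    'unknown' covers unparseable input and branches this bug does not list;
    those need a separate look rather than being assumed safe."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    fixed = FIXED_IN.get((v[0], v[1]))
    if fixed is None:
        return "unknown"
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return "fixed" if v >= fixed else "affected"


if __name__ == "__main__":
    # Constructed sample banners, not taken from real hosts.
    for banner in (
        "psql (PostgreSQL) 9.4.8",
        "PostgreSQL 9.3.14 on x86_64-suse-linux-gnu, compiled by gcc",
        "psql (PostgreSQL) 9.6.0",
    ):
        print(f"{banner!r}: {cve_2016_5423_status(banner)}")
```

The check only answers for the five branches this bug names; anything else is reported as `unknown` on purpose, since the fixed-release table says nothing about other branches.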
Packages were submitted to 13.2, SLE11-SP1 and SLE12 by Fabian Weiss, but for some reason the automatism that normally posts them here does not work.
SUSE-SU-2016:2414-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 973660,993453,993454
CVE References: CVE-2016-5423,CVE-2016-5424
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): postgresql93-9.3.14-19.2
SUSE Linux Enterprise Server 12-LTSS (src): postgresql93-9.3.14-19.2
SUSE-SU-2016:2415-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 973660,993453,993454
CVE References: CVE-2016-5423,CVE-2016-5424
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): postgresql94-libs-9.4.9-14.1
SUSE Linux Enterprise Server 12-SP1 (src): postgresql94-9.4.9-14.1, postgresql94-libs-9.4.9-14.1
SUSE Linux Enterprise Desktop 12-SP1 (src): postgresql94-9.4.9-14.1, postgresql94-libs-9.4.9-14.1
SUSE-SU-2016:2418-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 993453,993454
CVE References: CVE-2016-5423,CVE-2016-5424
Sources used:
SUSE Manager 2.1 (src): postgresql94-9.4.9-0.19.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): postgresql94-libs-9.4.9-0.19.1
SUSE Linux Enterprise Server 11-SP4 (src): postgresql94-9.4.9-0.19.1, postgresql94-libs-9.4.9-0.19.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): postgresql94-9.4.9-0.19.1, postgresql94-libs-9.4.9-0.19.1
openSUSE-SU-2016:2425-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 993453,993454
CVE References: CVE-2016-5423,CVE-2016-5424
Sources used:
openSUSE 13.2 (src): postgresql93-9.3.14-2.13.1, postgresql93-libs-9.3.14-2.13.1
openSUSE-SU-2016:2464-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 973660,993453,993454
CVE References: CVE-2016-5423,CVE-2016-5424
Sources used:
openSUSE Leap 42.1 (src): postgresql94-9.4.9-7.1, postgresql94-libs-9.4.9-7.1
openSUSE-SU-2017:1021-1: An update that solves two vulnerabilities and has two fixes is now available.
Category: security (important)
Bug References: 1029547,973660,993453,993454
CVE References: CVE-2016-5423,CVE-2016-5424
Sources used:
openSUSE Leap 42.2 (src): postgresql93-9.3.14-5.5.1, postgresql93-libs-9.3.14-5.5.1
openSUSE Leap 42.1 (src): postgresql93-9.3.14-8.1, postgresql93-libs-9.3.14-8.1
This is an autogenerated message for OBS integration: This bug (993454) was mentioned in https://build.opensuse.org/request/show/516114 Factory / postgresql93