|
|
Log in / Subscribe / Register

SUSE alert SUSE-SU-2026:0197-1 (postgresql17, postgresql18)



From:
              SLE-SECURITY-UPDATES <null@suse.de>


To:
              sle-security-updates@lists.suse.com


Subject:
              SUSE-SU-2026:0197-1: important: Security update for postgresql17, postgresql18


Date:
              Wed, 21 Jan 2026 16:30:11 -0000


Message-ID:
              <176901301150.3075.4139191365500824446@smelt2.prg2.suse.org>




# Security update for postgresql17, postgresql18

Announcement ID: SUSE-SU-2026:0197-1  
Release Date: 2026-01-21T09:32:00Z  
Rating: important  
References:

  * bsc#1253332
  * bsc#1253333

  
Cross-References:

  * CVE-2025-12817
  * CVE-2025-12818

  
CVSS scores:

  * CVE-2025-12817 ( SUSE ):  5.3
    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
  * CVE-2025-12817 ( SUSE ):  4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  * CVE-2025-12817 ( NVD ):  3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
  * CVE-2025-12818 ( SUSE ):  8.7
    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-12818 ( SUSE ):  8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2025-12818 ( NVD ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

  
Affected Products:

  * SUSE Linux Enterprise High Performance Computing 12 SP5
  * SUSE Linux Enterprise Server 12 SP5
  * SUSE Linux Enterprise Server 12 SP5 LTSS
  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  * SUSE Linux Enterprise Server for SAP Applications 12 SP5

  
  
An update that solves two vulnerabilities can now be installed.

## Description:

This update for postgresql17, postgresql18 fixes the following issues:

Changes in postgresql18:

  * Fix build with uring for post SLE15 code streams.

Update to 18.1:

  * https://www.postgresql.org/about/news/p-3171/
  * https://www.postgresql.org/docs/release/18.1/
  * bsc#1253332, CVE-2025-12817: Missing check for CREATE privileges on the
    schema in CREATE STATISTICS allowed table owners to create statistics in any
    schema, potentially leading to unexpected naming conflicts.
  * bsc#1253333, CVE-2025-12818: Several places in libpq were not sufficiently
    careful about computing the required size of a memory allocation.
    Sufficiently large inputs could cause integer overflow, resulting in an
    undersized buffer, which would then lead to writing past the end of the
    buffer.

  * pg_config --libs returns -lnuma so we need to require it.

Update to 18.0:

  * https://www.postgresql.org/about/news/p-3142/
  * https://www.postgresql.org/docs/18/release-18.html

Changes in postgresql17:

Update to 17.7:

  * https://www.postgresql.org/about/news/p-3171/
  * https://www.postgresql.org/docs/release/17.7/
  * bsc#1253332, CVE-2025-12817: Missing check for CREATE privileges on the
    schema in CREATE STATISTICS allowed table owners to create statistics in any
    schema, potentially leading to unexpected naming conflicts.
  * bsc#1253333, CVE-2025-12818: Several places in libpq were not sufficiently
    careful about computing the required size of a memory allocation.
    Sufficiently large inputs could cause integer overflow, resulting in an
    undersized buffer, which would then lead to writing past the end of the
    buffer.

  * switch library to pg 18

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise Server 12 SP5 LTSS  
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2026-197=1

  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security  
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-197=1

## Package List:

  * SUSE Linux Enterprise Server 12 SP5 LTSS (aarch64 ppc64le s390x x86_64)
    * libpq5-debuginfo-18.1-8.3.4
    * libpq5-18.1-8.3.4
    * libecpg6-debuginfo-18.1-8.3.4
    * libecpg6-18.1-8.3.4
  * SUSE Linux Enterprise Server 12 SP5 LTSS (noarch)
    * postgresql-18-4.32.1
    * postgresql-server-18-4.32.1
    * postgresql-docs-18-4.32.1
    * postgresql-contrib-18-4.32.1
    * postgresql-pltcl-18-4.32.1
    * postgresql-server-devel-18-4.32.1
    * postgresql-plperl-18-4.32.1
    * postgresql-devel-18-4.32.1
    * postgresql-plpython-18-4.32.1
  * SUSE Linux Enterprise Server 12 SP5 LTSS (s390x x86_64)
    * libecpg6-32bit-18.1-8.3.4
    * libecpg6-debuginfo-32bit-18.1-8.3.4
    * libpq5-32bit-18.1-8.3.4
    * libpq5-debuginfo-32bit-18.1-8.3.4
  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
    * libecpg6-32bit-18.1-8.3.4
    * libpq5-32bit-18.1-8.3.4
    * libpq5-debuginfo-32bit-18.1-8.3.4
    * libpq5-18.1-8.3.4
    * libecpg6-18.1-8.3.4
    * libpq5-debuginfo-18.1-8.3.4
    * libecpg6-debuginfo-32bit-18.1-8.3.4
    * libecpg6-debuginfo-18.1-8.3.4
  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (noarch)
    * postgresql-18-4.32.1
    * postgresql-server-18-4.32.1
    * postgresql-docs-18-4.32.1
    * postgresql-contrib-18-4.32.1
    * postgresql-pltcl-18-4.32.1
    * postgresql-server-devel-18-4.32.1
    * postgresql-plperl-18-4.32.1
    * postgresql-devel-18-4.32.1
    * postgresql-plpython-18-4.32.1

## References:

  * https://www.suse.com/security/cve/CVE-2025-12817.html
  * https://www.suse.com/security/cve/CVE-2025-12818.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1253332
  * https://bugzilla.suse.com/show_bug.cgi?id=1253333





Attachment: None (type=text/html)

(HTML attachment elided)
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds