SUSE alert SUSE-SU-2026:20587-1 (postgresql14)
| From: | SLE-SECURITY-UPDATES <null@suse.de> | |
| To: | sle-security-updates@lists.suse.com | |
| Subject: | SUSE-SU-2026:20587-1: important: Security update for postgresql14 | |
| Date: | Thu, 05 Mar 2026 16:44:46 -0000 | |
| Message-ID: | <177272908650.1967.2327811515236227048@df8f6ab05d2e> |
# Security update for postgresql14 Announcement ID: SUSE-SU-2026:20587-1 Release Date: 2026-02-20T16:14:27Z Rating: important References: * bsc#1253332 * bsc#1253333 * bsc#1258008 * bsc#1258009 * bsc#1258010 * bsc#1258011 Cross-References: * CVE-2025-12817 * CVE-2025-12818 * CVE-2026-2003 * CVE-2026-2004 * CVE-2026-2005 * CVE-2026-2006 CVSS scores: * CVE-2025-12817 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2025-12817 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N * CVE-2025-12817 ( NVD ): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L * CVE-2025-12818 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2025-12818 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2025-12818 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-2003 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N * CVE-2026-2003 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N * CVE-2026-2004 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2026-2004 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2026-2005 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2026-2005 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2026-2006 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2026-2006 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: * SUSE Linux Enterprise Server 16.0 * SUSE Linux Enterprise Server for SAP Applications 16.0 An update that solves six vulnerabilities can now be installed. ## Description: This update for postgresql14 fixes the following issues: Update to version 14.21. Security issues fixed: * CVE-2026-2003: improper validation of type "oidvector" may allow disclose a few bytes of server memory (bsc#1258008). * CVE-2026-2004: intarray missing validation of type of input to selectivity estimator could lead to arbitrary code execution (bsc#1258009). * CVE-2026-2005: buffer overrun in contrib/pgcrypto's PGP decryption functions could lead to arbitrary code execution (bsc#1258010). * CVE-2026-2006: inadequate validation of multibyte character lengths could lead to arbitrary code execution (bsc#1258011). * CVE-2025-12817: missing check for CREATE privileges on the schema in CREATE STATISTICS (bsc#1253332). * CVE-2025-12818: integer overflow in allocation-size calculations within libpq (bsc#1253333). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Server 16.0 zypper in -t patch SUSE-SLES-16.0-307=1 * SUSE Linux Enterprise Server for SAP Applications 16.0 zypper in -t patch SUSE-SLES-16.0-307=1 ## Package List: * SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64) * postgresql14-contrib-debuginfo-14.21-160000.1.1 * postgresql14-debuginfo-14.21-160000.1.1 * postgresql14-devel-debuginfo-14.21-160000.1.1 * postgresql14-plperl-debuginfo-14.21-160000.1.1 * postgresql14-pltcl-14.21-160000.1.1 * postgresql14-server-devel-debuginfo-14.21-160000.1.1 * postgresql14-server-debuginfo-14.21-160000.1.1 * postgresql14-server-devel-14.21-160000.1.1 * postgresql14-server-14.21-160000.1.1 * postgresql14-contrib-14.21-160000.1.1 * postgresql14-debugsource-14.21-160000.1.1 * postgresql14-14.21-160000.1.1 * postgresql14-pltcl-debuginfo-14.21-160000.1.1 * postgresql14-plpython-14.21-160000.1.1 * postgresql14-plperl-14.21-160000.1.1 * postgresql14-devel-14.21-160000.1.1 * postgresql14-plpython-debuginfo-14.21-160000.1.1 * SUSE Linux Enterprise Server 16.0 (noarch) * postgresql14-docs-14.21-160000.1.1 * SUSE Linux Enterprise Server for SAP Applications 16.0 (ppc64le x86_64) * postgresql14-contrib-debuginfo-14.21-160000.1.1 * postgresql14-debuginfo-14.21-160000.1.1 * postgresql14-devel-debuginfo-14.21-160000.1.1 * postgresql14-plperl-debuginfo-14.21-160000.1.1 * postgresql14-pltcl-14.21-160000.1.1 * postgresql14-server-devel-debuginfo-14.21-160000.1.1 * postgresql14-server-debuginfo-14.21-160000.1.1 * postgresql14-server-devel-14.21-160000.1.1 * postgresql14-server-14.21-160000.1.1 * postgresql14-contrib-14.21-160000.1.1 * postgresql14-debugsource-14.21-160000.1.1 * postgresql14-14.21-160000.1.1 * postgresql14-pltcl-debuginfo-14.21-160000.1.1 * postgresql14-plpython-14.21-160000.1.1 * postgresql14-plperl-14.21-160000.1.1 * postgresql14-devel-14.21-160000.1.1 * postgresql14-plpython-debuginfo-14.21-160000.1.1 * SUSE Linux Enterprise Server for SAP Applications 16.0 (noarch) * postgresql14-docs-14.21-160000.1.1 ## References: * https://www.suse.com/security/cve/CVE-2025-12817.html * https://www.suse.com/security/cve/CVE-2025-12818.html * https://www.suse.com/security/cve/CVE-2026-2003.html * https://www.suse.com/security/cve/CVE-2026-2004.html * https://www.suse.com/security/cve/CVE-2026-2005.html * https://www.suse.com/security/cve/CVE-2026-2006.html * https://bugzilla.suse.com/show_bug.cgi?id=1253332 * https://bugzilla.suse.com/show_bug.cgi?id=1253333 * https://bugzilla.suse.com/show_bug.cgi?id=1258008 * https://bugzilla.suse.com/show_bug.cgi?id=1258009 * https://bugzilla.suse.com/show_bug.cgi?id=1258010 * https://bugzilla.suse.com/show_bug.cgi?id=1258011
Attachment: None (type=text/html)
(HTML attachment elided)