
SUSE alert SUSE-SU-2026:2117-1 (postgresql14)

From:  OPENSUSE-SECURITY-UPDATES <null@suse.de>
To:  security-announce@lists.opensuse.org
Subject:  SUSE-SU-2026:2117-1: important: Security update for postgresql14
Date:  Fri, 29 May 2026 20:37:48 -0000
Message-ID:  <178008706855.435.6554523346163550435@cf67f1158b88>
Archive-link:  Article

# Security update for postgresql14

Announcement ID: SUSE-SU-2026:2117-1
Release Date: 2026-05-29T15:30:06Z
Rating: important

References:

* bsc#1263804
* bsc#1265172
* bsc#1265173
* bsc#1265174
* bsc#1265175
* bsc#1265177
* bsc#1265178
* bsc#1265179
* bsc#1265181
* jsc#PED-14823

Cross-References:

* CVE-2026-6472
* CVE-2026-6473
* CVE-2026-6474
* CVE-2026-6475
* CVE-2026-6477
* CVE-2026-6478
* CVE-2026-6479
* CVE-2026-6637

CVSS scores:

* CVE-2026-6472 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-6472 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-6473 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-6473 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-6474 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-6474 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-6475 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-6475 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-6477 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-6477 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-6478 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-6478 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-6479 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-6479 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-6637 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-6637 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* Legacy Module 15-SP7
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
* SUSE Package Hub 15 15-SP7

An update that solves eight vulnerabilities, contains one feature and has one security fix can now be installed.

## Description:

This update for postgresql14 fixes the following issues

Update to version 14.23.

Security issues:

* CVE-2026-6472: ensure the user has CREATE privilege on the schema specified (bsc#1265172).
* CVE-2026-6473: integer overflows in memory-allocation calculations (bsc#1265173).
* CVE-2026-6474: Guard against malicious time zone names (bsc#1265174).
* CVE-2026-6475: Prevent path traversal in pg_basebackup and pg_rewind (bsc#1265175).
* CVE-2026-6477: Mark PQfn() as unsafe, and avoid using it within libpq (bsc#1265177).
* CVE-2026-6478: Use timing-safe string comparisons in authentication code (bsc#1265178).
* CVE-2026-6479: Prevent unbounded recursion while processing startup packets (bsc#1265179).
* CVE-2026-6637: Prevent SQL injection and buffer overruns in contrib/spi (bsc#1265181).

Non security issue:

* Get rid of update-alternatives for openSUSE/SLE 16.0 and newer to support immutable systems and transactional updates (jsc#PED-14823).
* /usr/bin/pg_config is missing after migrating away from update-alternatives (bsc#1263804).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
  `zypper in -t patch SUSE-2026-2117=1`
* Legacy Module 15-SP7
  `zypper in -t patch SUSE-SLE-Module-Legacy-15-SP7-2026-2117=1`
* SUSE Package Hub 15 15-SP7
  `zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2117=1`
* SUSE Linux Enterprise Server 15 SP6 LTSS
  `zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2117=1`
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
  `zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2117=1`

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
  * postgresql14-llvmjit-devel-14.23-150600.16.31.1
  * postgresql14-debuginfo-14.23-150600.16.31.1
  * postgresql14-pltcl-14.23-150600.16.31.1
  * postgresql14-contrib-debuginfo-14.23-150600.16.31.1
  * postgresql14-contrib-14.23-150600.16.31.1
  * postgresql14-server-devel-14.23-150600.16.31.1
  * postgresql14-llvmjit-debuginfo-14.23-150600.16.31.1
  * postgresql14-debugsource-14.23-150600.16.31.1
  * postgresql14-plperl-debuginfo-14.23-150600.16.31.1
  * postgresql14-14.23-150600.16.31.1
  * postgresql14-test-14.23-150600.16.31.1
  * postgresql14-server-debuginfo-14.23-150600.16.31.1
  * postgresql14-plpython-14.23-150600.16.31.1
  * postgresql14-pltcl-debuginfo-14.23-150600.16.31.1
  * postgresql14-plperl-14.23-150600.16.31.1
  * postgresql14-server-14.23-150600.16.31.1
  * postgresql14-devel-debuginfo-14.23-150600.16.31.1
  * postgresql14-devel-14.23-150600.16.31.1
  * postgresql14-plpython-debuginfo-14.23-150600.16.31.1
  * postgresql14-server-devel-debuginfo-14.23-150600.16.31.1
  * postgresql14-llvmjit-14.23-150600.16.31.1
* openSUSE Leap 15.6 (noarch)
  * postgresql14-docs-14.23-150600.16.31.1
* Legacy Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  * postgresql14-14.23-150600.16.31.1
  * postgresql14-debuginfo-14.23-150600.16.31.1
  * postgresql14-server-14.23-150600.16.31.1
  * postgresql14-server-debuginfo-14.23-150600.16.31.1
  * postgresql14-server-devel-14.23-150600.16.31.1
  * postgresql14-devel-debuginfo-14.23-150600.16.31.1
  * postgresql14-plpython-14.23-150600.16.31.1
  * postgresql14-pltcl-debuginfo-14.23-150600.16.31.1
  * postgresql14-plperl-14.23-150600.16.31.1
  * postgresql14-server-devel-debuginfo-14.23-150600.16.31.1
  * postgresql14-debugsource-14.23-150600.16.31.1
  * postgresql14-devel-14.23-150600.16.31.1
  * postgresql14-pltcl-14.23-150600.16.31.1
  * postgresql14-contrib-debuginfo-14.23-150600.16.31.1
  * postgresql14-plpython-debuginfo-14.23-150600.16.31.1
  * postgresql14-plperl-debuginfo-14.23-150600.16.31.1
  * postgresql14-contrib-14.23-150600.16.31.1
* Legacy Module 15-SP7 (noarch)
  * postgresql14-docs-14.23-150600.16.31.1
* Legacy Module 15-SP7 (ppc64le s390x x86_64)
  * postgresql14-test-14.23-150600.16.31.1
* SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64)
  * postgresql14-test-14.23-150600.16.31.1
  * postgresql14-debuginfo-14.23-150600.16.31.1
  * postgresql14-llvmjit-debuginfo-14.23-150600.16.31.1
  * postgresql14-debugsource-14.23-150600.16.31.1
  * postgresql14-llvmjit-14.23-150600.16.31.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
  * postgresql14-14.23-150600.16.31.1
  * postgresql14-debuginfo-14.23-150600.16.31.1
  * postgresql14-server-14.23-150600.16.31.1
  * postgresql14-server-debuginfo-14.23-150600.16.31.1
  * postgresql14-server-devel-14.23-150600.16.31.1
  * postgresql14-devel-debuginfo-14.23-150600.16.31.1
  * postgresql14-plpython-14.23-150600.16.31.1
  * postgresql14-pltcl-debuginfo-14.23-150600.16.31.1
  * postgresql14-plperl-14.23-150600.16.31.1
  * postgresql14-server-devel-debuginfo-14.23-150600.16.31.1
  * postgresql14-plperl-debuginfo-14.23-150600.16.31.1
  * postgresql14-debugsource-14.23-150600.16.31.1
  * postgresql14-devel-14.23-150600.16.31.1
  * postgresql14-pltcl-14.23-150600.16.31.1
  * postgresql14-plpython-debuginfo-14.23-150600.16.31.1
  * postgresql14-contrib-debuginfo-14.23-150600.16.31.1
  * postgresql14-contrib-14.23-150600.16.31.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (noarch)
  * postgresql14-docs-14.23-150600.16.31.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
  * postgresql14-14.23-150600.16.31.1
  * postgresql14-debuginfo-14.23-150600.16.31.1
  * postgresql14-server-14.23-150600.16.31.1
  * postgresql14-server-debuginfo-14.23-150600.16.31.1
  * postgresql14-server-devel-14.23-150600.16.31.1
  * postgresql14-devel-debuginfo-14.23-150600.16.31.1
  * postgresql14-plpython-14.23-150600.16.31.1
  * postgresql14-pltcl-debuginfo-14.23-150600.16.31.1
  * postgresql14-plperl-14.23-150600.16.31.1
  * postgresql14-server-devel-debuginfo-14.23-150600.16.31.1
  * postgresql14-plperl-debuginfo-14.23-150600.16.31.1
  * postgresql14-debugsource-14.23-150600.16.31.1
  * postgresql14-devel-14.23-150600.16.31.1
  * postgresql14-pltcl-14.23-150600.16.31.1
  * postgresql14-plpython-debuginfo-14.23-150600.16.31.1
  * postgresql14-contrib-debuginfo-14.23-150600.16.31.1
  * postgresql14-contrib-14.23-150600.16.31.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (noarch)
  * postgresql14-docs-14.23-150600.16.31.1

## References:

* https://www.suse.com/security/cve/CVE-2026-6472.html
* https://www.suse.com/security/cve/CVE-2026-6473.html
* https://www.suse.com/security/cve/CVE-2026-6474.html
* https://www.suse.com/security/cve/CVE-2026-6475.html
* https://www.suse.com/security/cve/CVE-2026-6477.html
* https://www.suse.com/security/cve/CVE-2026-6478.html
* https://www.suse.com/security/cve/CVE-2026-6479.html
* https://www.suse.com/security/cve/CVE-2026-6637.html
* https://bugzilla.suse.com/show_bug.cgi?id=1263804
* https://bugzilla.suse.com/show_bug.cgi?id=1265172
* https://bugzilla.suse.com/show_bug.cgi?id=1265173
* https://bugzilla.suse.com/show_bug.cgi?id=1265174
* https://bugzilla.suse.com/show_bug.cgi?id=1265175
* https://bugzilla.suse.com/show_bug.cgi?id=1265177
* https://bugzilla.suse.com/show_bug.cgi?id=1265178
* https://bugzilla.suse.com/show_bug.cgi?id=1265179
* https://bugzilla.suse.com/show_bug.cgi?id=1265181
* https://jira.suse.com/browse/PED-14823




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds