Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2024-1597: postgresql-jdbc: SQL Injection | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Michael Calmer <mc> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | IN_PROGRESS --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Critical | | |
| Priority: | P3 - Medium | CC: | leilei.shen, thomas.leroy |
| Version: | unspecified | | |
| Target Milestone: | unspecified | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/394513/ | | |
| Whiteboard: | CVSSv3.1:SUSE:CVE-2024-1597:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Michael Calmer
2024-02-29 10:07:05 UTC
(In reply to Michael Calmer from comment #0)
> https://github.com/advisories/GHSA-24rp-q3w6-vc56

Thanks for the report Michael, reassigning

Tracking all codestreams affected:
- SUSE:SLE-11:Update
- SUSE:SLE-12-SP1:Update
- SUSE:SLE-15-SP3:Update
- SUSE:SLE-15-SP4:Update

SUSE:SLE-15-SP4:Update - MR 323069
SUSE:SLE-15-SP3:Update - MR 323070
SUSE:SLE-12-SP1:Update - MR 323071

This is an autogenerated message for OBS integration:
This bug (1220644) was mentioned in
https://build.opensuse.org/request/show/1153496 Factory / postgresql-jdbc

Refer to the description of CVE
>>>Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.

SUSE Manager Server 4.3 uses version 42.2.25. Is it not affected by this vulnerability? In our CVE page - https://www.suse.com/security/cve/CVE-2024-1597.html, it still shows as affected. Can anyone clarify this question?

(In reply to Leilei Shen from comment #9)
> Refer to the description of CVE
>
> >>>Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.
>
> SUSE Manager Server 4.3 uses version 42.2.25. Is it not affected by this
> vulnerability? In our CVE page -
> https://www.suse.com/security/cve/CVE-2024-1597.html, it still shows as
> affected. Can anyone clarify this question?

The advisory says all versions below 42.2.28 are affected

We do not do version updates. We apply patches. So the version stays, but the bug will be fixed.

The submission just started. SUMA 4.3 uses SLE-15-SP4 which was submitted. When this gets released, also SUMA 4.3 will get this update.

Thanks for the clarification.

(In reply to Thomas Leroy from comment #10)
> (In reply to Leilei Shen from comment #9)
> > Refer to the description of CVE
> >
> > >>>Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.
> >
> > SUSE Manager Server 4.3 uses version 42.2.25. Is it not affected by this
> > vulnerability? In our CVE page -
> > https://www.suse.com/security/cve/CVE-2024-1597.html, it still shows as
> > affected. Can anyone clarify this question?
>
> The advisory says all versions below 42.2.28 are affected

I got it from GitHub. But our CVE page still shows 42.2.8. Thanks for the clarification.

SUSE-SU-2024:0773-1: An update that solves one vulnerability can now be installed.
Category: security (critical)
Bug References: 1220644
CVE References: CVE-2024-1597
Sources used:
openSUSE Leap 15.4 (src): postgresql-jdbc-42.2.25-150400.3.12.1
openSUSE Leap 15.5 (src): postgresql-jdbc-42.2.25-150400.3.12.1
Server Applications Module 15-SP5 (src): postgresql-jdbc-42.2.25-150400.3.12.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): postgresql-jdbc-42.2.25-150400.3.12.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): postgresql-jdbc-42.2.25-150400.3.12.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): postgresql-jdbc-42.2.25-150400.3.12.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): postgresql-jdbc-42.2.25-150400.3.12.1
SUSE Manager Proxy 4.3 (src): postgresql-jdbc-42.2.25-150400.3.12.1
SUSE Manager Retail Branch Server 4.3 (src): postgresql-jdbc-42.2.25-150400.3.12.1
SUSE Manager Server 4.3 (src): postgresql-jdbc-42.2.25-150400.3.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:0771-1: An update that solves one vulnerability can now be installed.
Category: security (critical)
Bug References: 1220644
CVE References: CVE-2024-1597
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): postgresql-jdbc-9.4-3.12.1
SUSE Linux Enterprise Server 12 SP5 (src): postgresql-jdbc-9.4-3.12.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): postgresql-jdbc-9.4-3.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:0769-1: An update that solves one vulnerability can now be installed.
Category: security (critical)
Bug References: 1220644
CVE References: CVE-2024-1597
Sources used:
openSUSE Leap 15.3 (src): postgresql-jdbc-42.2.25-150300.3.14.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): postgresql-jdbc-42.2.25-150300.3.14.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): postgresql-jdbc-42.2.25-150300.3.14.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): postgresql-jdbc-42.2.25-150300.3.14.1
SUSE Enterprise Storage 7.1 (src): postgresql-jdbc-42.2.25-150300.3.14.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
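The thread's practical point is that SUSE backports the fix under the unchanged upstream version 42.2.25, so an installed host can only be judged by the package release field against the builds named in the advisories above. The following is an added example (not code from this bug, from SUSE or from pgjdbc) that does that comparison; the mapping of a release prefix such as 150400 to a codestream and the older build strings used as negatives are assumptions constructed for the example.

```python
import re

# Fixed source builds named in SUSE-SU-2024:0769-1, :0771-1 and :0773-1 in the thread,
# keyed by the codestream prefix of the RPM release field. Treating "150400"/"150300"
# as codestream markers is an assumption of this example, not a documented SUSE interface;
# "" stands for SLE 12 SP5 builds, whose release field carries no such prefix.
FIXED_BUILDS = {
    "150400": "postgresql-jdbc-42.2.25-150400.3.12.1",
    "150300": "postgresql-jdbc-42.2.25-150300.3.14.1",
    "": "postgresql-jdbc-9.4-3.12.1",
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")
_PREFIX = re.compile(r"^(15\d{4})\.")


def rpm_label_cmp(a, b):
    """Simplified rpmvercmp(): compare two version/release labels segment by segment.
    Digits compare numerically (3.12.1 > 3.9.1, which a string compare gets wrong),
    letters lexically, a numeric segment beats an alphabetic one, and a longer label
    beats one that is its own prefix. Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(nvr):
    """Split 'name-version-release' as printed by rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}'."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_fixed(installed_nvr):
    """True if the installed build is at or above the advisory's fixed build, False if
    below, None if the release prefix matches no advisory. Version is compared first;
    for a backport it is equal (42.2.25 stays 42.2.25), so the release field decides."""
    name, version, release = split_nvr(installed_nvr)
    if name != "postgresql-jdbc":
        raise ValueError(f"not a postgresql-jdbc package: {installed_nvr}")
    match = _PREFIX.match(release)
    fixed = FIXED_BUILDS.get(match.group(1) if match else "")
    if fixed is None:
        return None
    _, fixed_version, fixed_release = split_nvr(fixed)
    by_version = rpm_label_cmp(version, fixed_version)
    if by_version != 0:
        return by_version > 0
    return rpm_label_cmp(release, fixed_release) >= 0
```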