First Last Prev Next    This bug is not in your last search results.
Bug 1067844 - (CVE-2017-15098) VUL-0: CVE-2017-15098: postgresql94,postgresql96: Memory disclosure in JSON functions
(CVE-2017-15098)
VUL-0: CVE-2017-15098: postgresql94,postgresql96: Memory disclosure in JSON f...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/194755/
CVSSv3:RedHat:CVE-2017-15098:7.1:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-11-13 11:03 UTC by Marcus Meissner
Modified: 2018-11-07 16:25 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2017-11-13 11:03:44 UTC 
CVE-2017-15098



Invalid json_populate_recordset() or jsonb_populate_recordset() calls crash
the server or disclose a few bytes of server memory. We have not ruled out
viability of attacks that arrange for presence of confidential information in
disclosed bytes, but they seem unlikely.

Vulnerable Versions: 9.3 - 10

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15098
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15098.html
http://www.debian.org/security/2017/dsa-4027
http://www.debian.org/security/2017/dsa-4028
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15098
Comment 1 Bernhard Wiedemann 2017-12-06 10:10:12 UTC 
This is an autogenerated message for OBS integration:
This bug (1067844) was mentioned in
https://build.opensuse.org/request/show/554740 Factory / postgresql96
Comment 3 Swamp Workflow Management 2017-12-21 11:09:47 UTC 
SUSE-SU-2017:3391-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1067841,1067844
CVE References: CVE-2017-15098,CVE-2017-15099
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    postgresql96-libs-9.6.6-3.10.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    postgresql96-libs-9.6.6-3.10.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    postgresql96-9.6.6-3.10.1, postgresql96-libs-9.6.6-3.10.1
SUSE Linux Enterprise Server 12-SP3 (src):    postgresql96-9.6.6-3.10.1, postgresql96-libs-9.6.6-3.10.1
SUSE Linux Enterprise Server 12-SP2 (src):    postgresql96-9.6.6-3.10.1, postgresql96-libs-9.6.6-3.10.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    postgresql96-9.6.6-3.10.1, postgresql96-libs-9.6.6-3.10.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    postgresql96-9.6.6-3.10.1, postgresql96-libs-9.6.6-3.10.1
Comment 4 Swamp Workflow Management 2017-12-22 20:18:00 UTC 
openSUSE-SU-2017:3425-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1067841,1067844
CVE References: CVE-2017-15098,CVE-2017-15099
Sources used:
openSUSE Leap 42.3 (src):    postgresql96-9.6.6-9.1, postgresql96-libs-9.6.6-9.1
openSUSE Leap 42.2 (src):    postgresql96-9.6.6-8.1, postgresql96-libs-9.6.6-8.1
Comment 5 Swamp Workflow Management 2018-01-12 17:09:31 UTC 
SUSE-SU-2018:0077-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1062538,1067844
CVE References: CVE-2017-12172,CVE-2017-15098
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    postgresql94-libs-9.4.15-0.23.10.1
SUSE Linux Enterprise Server 11-SP4 (src):    postgresql94-9.4.15-0.23.10.1, postgresql94-libs-9.4.15-0.23.10.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    postgresql94-9.4.15-0.23.10.1, postgresql94-libs-9.4.15-0.23.10.1
Comment 6 Swamp Workflow Management 2018-01-12 20:12:37 UTC 
SUSE-SU-2018:0081-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1062538,1067844
CVE References: CVE-2017-12172,CVE-2017-15098
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    postgresql94-libs-9.4.15-21.13.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    postgresql94-9.4.15-21.13.1
SUSE Linux Enterprise Server 12-SP2 (src):    postgresql94-9.4.15-21.13.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    postgresql94-9.4.15-21.13.1
Comment 7 Marcus Meissner 2018-01-15 10:47:36 UTC 
released
Comment 8 Swamp Workflow Management 2018-01-15 14:15:14 UTC 
openSUSE-SU-2018:0095-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1062538,1067844
CVE References: CVE-2017-12172,CVE-2017-15098
Sources used:
openSUSE Leap 42.3 (src):    postgresql94-9.4.15-15.1, postgresql94-libs-9.4.15-15.1
openSUSE Leap 42.2 (src):    postgresql94-9.4.15-9.12.1, postgresql94-libs-9.4.15-9.12.1
Comment 9 Swamp Workflow Management 2018-02-09 13:40:15 UTC 
This is an autogenerated message for OBS integration:
This bug (1067844) was mentioned in
https://build.opensuse.org/request/show/574648 Factory / postgresql93
https://build.opensuse.org/request/show/574649 Factory / postgresql94
https://build.opensuse.org/request/show/574651 Factory / postgresql95
Comment 10 Swamp Workflow Management 2018-02-21 13:40:27 UTC 
This is an autogenerated message for OBS integration:
This bug (1067844) was mentioned in
https://build.opensuse.org/request/show/578690 42.3 / postgresql95
Comment 11 Swamp Workflow Management 2018-02-22 23:09:12 UTC 
openSUSE-SU-2018:0529-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1051684,1051685,1053259,1067841,1067844,1077983,1079757
CVE References: CVE-2017-15098,CVE-2017-15099,CVE-2017-7546,CVE-2017-7547,CVE-2017-7548,CVE-2018-1053
Sources used:
openSUSE Leap 42.3 (src):    postgresql95-9.5.11-2.3.1, postgresql95-libs-9.5.11-2.3.1
First Last Prev Next    This bug is not in your last search results.