Feature update for ongres-scram, ongres-stringprep, postgresql-jdbc

Announcement ID: SUSE-FU-2022:2794-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2022-26520 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  • CVE-2022-26520 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • openSUSE Leap 15.3
  • Server Applications Module 15-SP3
  • SUSE Linux Enterprise High Performance Computing 15 SP3
  • SUSE Linux Enterprise Real Time 15 SP3
  • SUSE Linux Enterprise Server 15 SP3
  • SUSE Linux Enterprise Server 15 SP3 Business Critical Linux 15-SP3
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3
  • SUSE Manager Proxy 4.2
  • SUSE Manager Retail Branch Server 4.2
  • SUSE Manager Server 4.2
  • SUSE Manager Server 4.2 Module 4.2

An update that solves one vulnerability, contains one feature and has one fix can now be installed.

Description:

This feature update for ongres-scram, ongres-stringprep, postgresql-jdbc provides:

ongres-scram:

  • Upgrade from version 1.0.0-beta.2 to version 2.1. (jsc#SLE-23994)
  • Add standard SASLPrep (bsc#1196693, jsc#SLE-23994)
  • Fall back to the Bouncy Castle implementation of PBKDF2WithHmacSHA256 to support Oracle JDK 7
  • Updated saslprep to version 1.1 to remove a build dependency coming from the stringprep module

ongres-stringprep:

  • Introduce ongres-stringprep 1.1 as dependency of ongres-scram. (bsc#1196693, jsc#SLE-23994)

postgresql-jdbc:

  • CVE-2022-26520: Fixed an arbitrary file write vulnerability (bsc#1197356)
  • Upgrade postgresql-jdbc from version 42.2.16 to version 42.2.25 (jsc#SLE-23994)
  • Use SASLprep normalization for SCRAM authentication, fixing issues with spaces in passwords. (bsc#1196693)
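
The ongres-scram and postgresql-jdbc entries above both turn on one rule from SCRAM (RFC 5802 / RFC 7677): client and server must derive the SaltedPassword from SASLprep(password), not from the raw string, otherwise a password containing a non-ASCII space or an invisible code point hashes differently on each side and authentication fails. The Python below is an illustration added to this advisory, not code from ongres-scram, ongres-stringprep or pgjdbc; it implements the SASLprep profile (RFC 4013) on top of the stdlib `stringprep` tables and then derives the SCRAM-SHA-256 SaltedPassword with PBKDF2-HMAC-SHA-256 (the algorithm Java names PBKDF2WithHmacSHA256 in the note above). The salt and iteration count are constructed sample values.

```python
import hashlib
import stringprep
import unicodedata


def saslprep(s: str) -> str:
    """SASLprep (RFC 4013) profile of stringprep, using Python's stdlib tables.
    Added illustration; not the ongres-stringprep implementation."""
    # 1. Mapping: drop "commonly mapped to nothing" code points (B.1) and
    #    map non-ASCII space characters (C.1.2) to U+0020.
    mapped = []
    for ch in s:
        if stringprep.in_table_b1(ch):
            continue
        mapped.append(" " if stringprep.in_table_c12(ch) else ch)
    # 2. Normalization: NFKC, so e.g. the U+FB01 "fi" ligature becomes "fi".
    out = unicodedata.normalize("NFKC", "".join(mapped))
    # 3. Prohibited output (RFC 4013 section 2.3); A.1 unassigned code points
    #    are rejected too, as required for stored strings.
    prohibited = (
        stringprep.in_table_c12, stringprep.in_table_c21, stringprep.in_table_c22,
        stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
        stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
        stringprep.in_table_c9, stringprep.in_table_a1,
    )
    for ch in out:
        if any(pred(ch) for pred in prohibited):
            raise ValueError(f"prohibited code point U+{ord(ch):04X}")
    # 4. Bidirectional check (RFC 3454 section 6): RandALCat (D.1) and LCat
    #    (D.2) may not mix, and a RandALCat string must start and end with one.
    has_randal = any(stringprep.in_table_d1(ch) for ch in out)
    has_lcat = any(stringprep.in_table_d2(ch) for ch in out)
    if has_randal:
        if has_lcat:
            raise ValueError("mixed RandALCat and LCat characters")
        if not (stringprep.in_table_d1(out[0]) and stringprep.in_table_d1(out[-1])):
            raise ValueError("RandALCat string must start and end with RandALCat")
    return out


def scram_salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    """SaltedPassword := Hi(Normalize(password), salt, i), with Hi being
    PBKDF2-HMAC-SHA-256 for SCRAM-SHA-256 (RFC 7677)."""
    return hashlib.pbkdf2_hmac("sha256", saslprep(password).encode("utf-8"),
                               salt, iterations)


def raw_salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    """The same derivation without SASLprep: what a client that skips
    normalization would send. Kept only to show the mismatch."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def demo() -> bool:
    """Returns True when two visually identical passwords, one typed with a
    NO-BREAK SPACE (U+00A0) and one with an ASCII space, agree after SASLprep."""
    salt = b"constructed-salt"  # constructed sample value, not a real salt
    iterations = 4096           # SCRAM minimum from RFC 7677, used as a sample
    with_nbsp = scram_salted_password("pass\u00a0word", salt, iterations)
    with_space = scram_salted_password("pass word", salt, iterations)
    return with_nbsp == with_space


if __name__ == "__main__":
    print("normalized derivations agree:", demo())
    print("raw derivations agree:",
          raw_salted_password("pass\u00a0word", b"constructed-salt", 4096)
          == raw_salted_password("pass word", b"constructed-salt", 4096))
```

Running it shows the normalized SaltedPasswords match while the raw ones differ; a client that skips SASLprep therefore cannot log in with a password the server stored in normalized form, which is the spaces-in-passwords failure the update addresses. Control characters and other prohibited code points raise `ValueError` rather than silently producing a key.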

Patch Instructions:

To install this SUSE update, use the SUSE-recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • openSUSE Leap 15.3
    zypper in -t patch SUSE-2022-2794=1
  • Server Applications Module 15-SP3
    zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2022-2794=1
  • SUSE Manager Server 4.2 Module 4.2
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-2794=1

Package List:

  • openSUSE Leap 15.3 (noarch)
    • ongres-stringprep-saslprep-1.1-150300.7.3.4
    • ongres-stringprep-javadoc-1.1-150300.7.3.4
    • ongres-stringprep-parent-1.1-150300.7.3.4
    • ongres-stringprep-codegenerator-1.1-150300.7.3.4
    • postgresql-jdbc-42.2.25-150300.3.5.2
    • ongres-scram-2.1-150300.3.3.4
    • ongres-scram-parent-2.1-150300.3.3.4
    • ongres-scram-client-2.1-150300.3.3.4
    • ongres-stringprep-1.1-150300.7.3.4
    • ongres-scram-javadoc-2.1-150300.3.3.4
    • postgresql-jdbc-javadoc-42.2.25-150300.3.5.2
  • Server Applications Module 15-SP3 (noarch)
    • ongres-stringprep-saslprep-1.1-150300.7.3.4
    • postgresql-jdbc-42.2.25-150300.3.5.2
    • ongres-scram-2.1-150300.3.3.4
    • ongres-scram-client-2.1-150300.3.3.4
    • ongres-stringprep-1.1-150300.7.3.4
  • SUSE Manager Server 4.2 Module 4.2 (noarch)
    • ongres-stringprep-saslprep-1.1-150300.7.3.4
    • postgresql-jdbc-42.2.25-150300.3.5.2
    • ongres-scram-2.1-150300.3.3.4
    • ongres-scram-client-2.1-150300.3.3.4
    • ongres-stringprep-1.1-150300.7.3.4
