Security update for postgresql14 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:4371-1 Final 1 1 2025-12-11T19:04:45Z current 2025-12-11T19:04:45Z 2025-12-11T19:04:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql14 This update for postgresql14 fixes the following issues: Upgraded to 14.20: - CVE-2025-12817: Fixed missing check for CREATE privileges on the schema in CREATE STATISTICS (bsc#1253332) - CVE-2025-12818: Fixed integer overflow in allocation-size calculations within libpq (bsc#1253333) Other fixes: - Use %product_libs_llvm_ver to determine the LLVM version. - Remove conditionals for obsolete PostgreSQL releases. - Sync spec file from version 18. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-4371,SUSE-SLE-Module-Legacy-15-SP6-2025-4371,SUSE-SLE-Module-Legacy-15-SP7-2025-4371,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-4371,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-4371,openSUSE-SLE-15.6-2025-4371 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20254371-1/ Link for SUSE-SU-2025:4371-1 https://lists.suse.com/pipermail/sle-security-updates/2025-December/023525.html E-Mail link for SUSE-SU-2025:4371-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1253332 SUSE Bug 1253332 https://bugzilla.suse.com/1253333 SUSE Bug 1253333 https://www.suse.com/security/cve/CVE-2025-12817/ SUSE CVE CVE-2025-12817 page https://www.suse.com/security/cve/CVE-2025-12818/ SUSE CVE CVE-2025-12818 page SUSE Linux Enterprise Module for Legacy 15 SP6 SUSE Linux Enterprise Module for Legacy 15 SP7 SUSE Linux Enterprise Module for Package Hub 15 SP6 SUSE Linux Enterprise Module for Package Hub 15 SP7 openSUSE Leap 15.6 postgresql14-14.20-150600.16.23.1 postgresql14-contrib-14.20-150600.16.23.1 postgresql14-devel-14.20-150600.16.23.1 postgresql14-docs-14.20-150600.16.23.1 postgresql14-llvmjit-14.20-150600.16.23.1 postgresql14-llvmjit-devel-14.20-150600.16.23.1 postgresql14-plperl-14.20-150600.16.23.1 postgresql14-plpython-14.20-150600.16.23.1 postgresql14-pltcl-14.20-150600.16.23.1 postgresql14-server-14.20-150600.16.23.1 postgresql14-server-devel-14.20-150600.16.23.1 postgresql14-test-14.20-150600.16.23.1 postgresql14-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql14-contrib-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql14-devel-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql14-docs-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql14-plperl-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql14-plpython-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql14-pltcl-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql14-server-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql14-server-devel-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP6 postgresql14-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP7 postgresql14-contrib-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP7 postgresql14-devel-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP7 postgresql14-docs-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP7 postgresql14-plperl-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP7 postgresql14-plpython-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP7 postgresql14-pltcl-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP7 postgresql14-server-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP7 postgresql14-server-devel-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP7 postgresql14-test-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Legacy 15 SP7 postgresql14-llvmjit-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 postgresql14-test-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 postgresql14-llvmjit-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 postgresql14-test-14.20-150600.16.23.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 postgresql14-14.20-150600.16.23.1 as a component of openSUSE Leap 15.6 postgresql14-contrib-14.20-150600.16.23.1 as a component of openSUSE Leap 15.6 postgresql14-devel-14.20-150600.16.23.1 as a component of openSUSE Leap 15.6 postgresql14-docs-14.20-150600.16.23.1 as a component of openSUSE Leap 15.6 postgresql14-llvmjit-14.20-150600.16.23.1 as a component of openSUSE Leap 15.6 postgresql14-llvmjit-devel-14.20-150600.16.23.1 as a component of openSUSE Leap 15.6 postgresql14-plperl-14.20-150600.16.23.1 as a component of openSUSE Leap 15.6 postgresql14-plpython-14.20-150600.16.23.1 as a component of openSUSE Leap 15.6 postgresql14-pltcl-14.20-150600.16.23.1 as a component of openSUSE Leap 15.6 postgresql14-server-14.20-150600.16.23.1 as a component of openSUSE Leap 15.6 postgresql14-server-devel-14.20-150600.16.23.1 as a component of openSUSE Leap 15.6 postgresql14-test-14.20-150600.16.23.1 as a component of openSUSE Leap 15.6 Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected. CVE-2025-12817 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-contrib-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-devel-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-docs-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-plperl-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-plpython-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-pltcl-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-server-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-server-devel-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-contrib-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-devel-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-docs-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-plperl-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-plpython-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-pltcl-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-server-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-server-devel-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-test-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:postgresql14-llvmjit-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:postgresql14-test-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:postgresql14-llvmjit-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:postgresql14-test-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-contrib-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-devel-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-docs-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-llvmjit-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-llvmjit-devel-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-plperl-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-plpython-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-pltcl-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-server-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-server-devel-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-test-14.20-150600.16.23.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254371-1/ https://www.suse.com/security/cve/CVE-2025-12817.html CVE-2025-12817 https://bugzilla.suse.com/1253332 SUSE Bug 1253332 Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected. CVE-2025-12818 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-contrib-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-devel-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-docs-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-plperl-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-plpython-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-pltcl-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-server-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP6:postgresql14-server-devel-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-contrib-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-devel-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-docs-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-plperl-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-plpython-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-pltcl-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-server-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-server-devel-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Legacy 15 SP7:postgresql14-test-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:postgresql14-llvmjit-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:postgresql14-test-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:postgresql14-llvmjit-14.20-150600.16.23.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:postgresql14-test-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-contrib-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-devel-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-docs-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-llvmjit-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-llvmjit-devel-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-plperl-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-plpython-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-pltcl-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-server-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-server-devel-14.20-150600.16.23.1 openSUSE Leap 15.6:postgresql14-test-14.20-150600.16.23.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254371-1/ https://www.suse.com/security/cve/CVE-2025-12818.html CVE-2025-12818 https://bugzilla.suse.com/1253333 SUSE Bug 1253333