| Summary: | postgresql new security issues fixed upstream in 9.0.19, 9.1.15, 9.2.10, and 9.3.6 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | cjw, oe, olchal, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/632253/ | ||
| Whiteboard: | has_procedure advisory mga4-64-ok MGA4-32-OK | ||
| Source RPM: | postgresql | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-02-06 18:29:25 CET
David Walser
2015-02-06 18:29:39 CET
CC:
(none) =>
cjw
David Walser
2015-02-06 18:30:00 CET
Blocks:
(none) =>
14674

Fixed in cauldron for postgresql9.1 postgresql9.2 postgresql9.3 postgresql9.4
Fixed in mga4 for postgresql9.0 postgresql9.1 postgresql9.2 postgresql9.3

Packages for cauldron need someone to submit them.

Cheers.

CC:
(none) =>
oe

Updated packages are ready for testing.

MGA4
SRPMs:
postgresql9.0-9.0.19-1.mga4.src.rpm
postgresql9.1-9.1.15-1.mga4.src.rpm
postgresql9.2-9.2.10-1.mga4.src.rpm
postgresql9.3-9.3.6-1.mga4.src.rpm

RPMS:
postgresql9.0-9.0.19-1.mga4.i586.rpm
libpq9.0_5.3-9.0.19-1.mga4.i586.rpm
libecpg9.0_6-9.0.19-1.mga4.i586.rpm
postgresql9.0-server-9.0.19-1.mga4.i586.rpm
postgresql9.0-docs-9.0.19-1.mga4.noarch.rpm
postgresql9.0-contrib-9.0.19-1.mga4.i586.rpm
postgresql9.0-devel-9.0.19-1.mga4.i586.rpm
postgresql9.0-pl-9.0.19-1.mga4.i586.rpm
postgresql9.0-plpython-9.0.19-1.mga4.i586.rpm
postgresql9.0-plperl-9.0.19-1.mga4.i586.rpm
postgresql9.0-pltcl-9.0.19-1.mga4.i586.rpm
postgresql9.0-plpgsql-9.0.19-1.mga4.i586.rpm
postgresql9.1-9.1.15-1.mga4.i586.rpm
libpq9.1_5.4-9.1.15-1.mga4.i586.rpm
libecpg9.1_6-9.1.15-1.mga4.i586.rpm
postgresql9.1-server-9.1.15-1.mga4.i586.rpm
postgresql9.1-docs-9.1.15-1.mga4.noarch.rpm
postgresql9.1-contrib-9.1.15-1.mga4.i586.rpm
postgresql9.1-devel-9.1.15-1.mga4.i586.rpm
postgresql9.1-pl-9.1.15-1.mga4.i586.rpm
postgresql9.1-plpython-9.1.15-1.mga4.i586.rpm
postgresql9.1-plperl-9.1.15-1.mga4.i586.rpm
postgresql9.1-pltcl-9.1.15-1.mga4.i586.rpm
postgresql9.1-plpgsql-9.1.15-1.mga4.i586.rpm
postgresql9.2-9.2.10-1.mga4.i586.rpm
libpq9.2_5.5-9.2.10-1.mga4.i586.rpm
libecpg9.2_6-9.2.10-1.mga4.i586.rpm
postgresql9.2-server-9.2.10-1.mga4.i586.rpm
postgresql9.2-docs-9.2.10-1.mga4.noarch.rpm
postgresql9.2-contrib-9.2.10-1.mga4.i586.rpm
postgresql9.2-devel-9.2.10-1.mga4.i586.rpm
postgresql9.2-pl-9.2.10-1.mga4.i586.rpm
postgresql9.2-plpython-9.2.10-1.mga4.i586.rpm
postgresql9.2-plperl-9.2.10-1.mga4.i586.rpm
postgresql9.2-pltcl-9.2.10-1.mga4.i586.rpm
postgresql9.2-plpgsql-9.2.10-1.mga4.i586.rpm
postgresql9.3-9.3.6-1.mga4.i586.rpm
libpq9.3_5-9.3.6-1.mga4.i586.rpm
libecpg9.3_6-9.3.6-1.mga4.i586.rpm
postgresql9.3-server-9.3.6-1.mga4.i586.rpm
postgresql9.3-docs-9.3.6-1.mga4.noarch.rpm
postgresql9.3-contrib-9.3.6-1.mga4.i586.rpm
postgresql9.3-devel-9.3.6-1.mga4.i586.rpm
postgresql9.3-pl-9.3.6-1.mga4.i586.rpm
postgresql9.3-plpython-9.3.6-1.mga4.i586.rpm
postgresql9.3-plperl-9.3.6-1.mga4.i586.rpm
postgresql9.3-pltcl-9.3.6-1.mga4.i586.rpm
postgresql9.3-plpgsql-9.3.6-1.mga4.i586.rpm
postgresql9.0-9.0.19-1.mga4.x86_64.rpm
lib64pq9.0_5.3-9.0.19-1.mga4.x86_64.rpm
lib64ecpg9.0_6-9.0.19-1.mga4.x86_64.rpm
postgresql9.0-server-9.0.19-1.mga4.x86_64.rpm
postgresql9.0-docs-9.0.19-1.mga4.noarch.rpm
postgresql9.0-contrib-9.0.19-1.mga4.x86_64.rpm
postgresql9.0-devel-9.0.19-1.mga4.x86_64.rpm
postgresql9.0-pl-9.0.19-1.mga4.x86_64.rpm
postgresql9.0-plpython-9.0.19-1.mga4.x86_64.rpm
postgresql9.0-plperl-9.0.19-1.mga4.x86_64.rpm
postgresql9.0-pltcl-9.0.19-1.mga4.x86_64.rpm
postgresql9.0-plpgsql-9.0.19-1.mga4.x86_64.rpm
postgresql9.1-9.1.15-1.mga4.x86_64.rpm
lib64pq9.1_5.4-9.1.15-1.mga4.x86_64.rpm
lib64ecpg9.1_6-9.1.15-1.mga4.x86_64.rpm
postgresql9.1-server-9.1.15-1.mga4.x86_64.rpm
postgresql9.1-docs-9.1.15-1.mga4.noarch.rpm
postgresql9.1-contrib-9.1.15-1.mga4.x86_64.rpm
postgresql9.1-devel-9.1.15-1.mga4.x86_64.rpm
postgresql9.1-pl-9.1.15-1.mga4.x86_64.rpm
postgresql9.1-plpython-9.1.15-1.mga4.x86_64.rpm
postgresql9.1-plperl-9.1.15-1.mga4.x86_64.rpm
postgresql9.1-pltcl-9.1.15-1.mga4.x86_64.rpm
postgresql9.1-plpgsql-9.1.15-1.mga4.x86_64.rpm
postgresql9.2-9.2.10-1.mga4.x86_64.rpm
lib64pq9.2_5.5-9.2.10-1.mga4.x86_64.rpm
lib64ecpg9.2_6-9.2.10-1.mga4.x86_64.rpm
postgresql9.2-server-9.2.10-1.mga4.x86_64.rpm
postgresql9.2-docs-9.2.10-1.mga4.noarch.rpm
postgresql9.2-contrib-9.2.10-1.mga4.x86_64.rpm
postgresql9.2-devel-9.2.10-1.mga4.x86_64.rpm
postgresql9.2-pl-9.2.10-1.mga4.x86_64.rpm
postgresql9.2-plpython-9.2.10-1.mga4.x86_64.rpm
postgresql9.2-plperl-9.2.10-1.mga4.x86_64.rpm
postgresql9.2-pltcl-9.2.10-1.mga4.x86_64.rpm
postgresql9.2-plpgsql-9.2.10-1.mga4.x86_64.rpm
postgresql9.3-9.3.6-1.mga4.x86_64.rpm
lib64pq9.3_5-9.3.6-1.mga4.x86_64.rpm
lib64ecpg9.3_6-9.3.6-1.mga4.x86_64.rpm
postgresql9.3-server-9.3.6-1.mga4.x86_64.rpm
postgresql9.3-docs-9.3.6-1.mga4.noarch.rpm
postgresql9.3-contrib-9.3.6-1.mga4.x86_64.rpm
postgresql9.3-devel-9.3.6-1.mga4.x86_64.rpm
postgresql9.3-pl-9.3.6-1.mga4.x86_64.rpm
postgresql9.3-plpython-9.3.6-1.mga4.x86_64.rpm
postgresql9.3-plperl-9.3.6-1.mga4.x86_64.rpm
postgresql9.3-pltcl-9.3.6-1.mga4.x86_64.rpm
postgresql9.3-plpgsql-9.3.6-1.mga4.x86_64.rpm

Proposed advisory:

Updated PostgreSQL packages fix security issues:

Buffer overruns in "to_char" functions. (CVE-2015-0241)

Buffer overrun in replacement printf family of functions. (CVE-2015-0242)

Memory errors in functions in the pgcrypto extension. (CVE-2015-0243)

An error in extended protocol message reading. (CVE-2015-0244)

Constraint violation errors can cause display of values in columns which the user would not normally have rights to see. (CVE-2014-8161)

References:
http://www.postgresql.org/about/news/1569/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0244
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8161

Assignee:
bugsquad =>
qa-bugs

Simple test procedure in https://bugs.mageia.org/show_bug.cgi?id=2843#c8

basically for each postgresql version (9.0, 9.1, 9.2, 9.3): install -server and -contrib packages, su to postgres user (from a root shell), then run pgbench -i followed by pgbench.

Thanks Christiaan and Oden. Freeze push for Cauldron still pending.

The Debian advisory is slightly more informative. Debian also says that CVE-2015-0242 only affects Windows.

Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

A user with limited clearance on a table might have access to information in columns without SELECT rights on through server error messages (CVE-2014-8161).

The function to_char() might read/write past the end of a buffer. This might crash the server when a formatting template is processed (CVE-2015-0241).

The pgcrypto module is vulnerable to stack buffer overrun that might crash the server (CVE-2015-0243).

Emil Lenngren reported that an attacker can inject SQL commands when the synchronization between client and server is lost (CVE-2015-0244).

This update provides PostgreSQL versions 9.3.6, 9.2.10, 9.1.15, and 9.0.19 that fix these issues, as well as several others.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0244
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8161
http://www.postgresql.org/about/news/1569/
https://www.debian.org/security/2015/dsa-3155

Version:
Cauldron =>
4
David Walser
2015-02-07 19:41:07 CET
Whiteboard:
(none) =>
has_procedure

postgresql9.0 postgresql9.1 postgresql9.2 postgresql9.3 tested on MGA4 x86-64 using the trivial procedure outlined in comment 3.

Whiteboard:
has_procedure =>
has_procedure advisory mga4-64-ok

Advisory uploaded. Whiteboard marker already added.

We use that to denote when the advisory has been uploaded to svn, which is necessary before the packages can be pushed. Please only add it if this has been done. Thanks.

Testing on Mageia4x32 real hardware

Tested each current postgresql packages
---------------------------------------
- postgresql9.0-pl-9.0.17-2.mga4.i586
- postgresql9.1-9.1.13-2.mga4.i586
- postgresql9.2-9.2.8-2.mga4.i586
- postgresql9.3-9.3.4-1.mga4.i586

Procedure used :
--------------
Based on testing procedure mentioned in Comment 5 :
# service postgresql start
# systemctl restart httpd
# su - postgres
$ pgbench -i
$ pgbench
And then created drupal installation and verified in each drupal site created in reports windows I was using corresponding postgresql version
(Database system PostgreSQL OK Database system version 9.0.17)
# service postgresql stop
# rm -r -f /var/lib/pgsql/data/

Tested each updated testing postgresql packages (9.0, 9.1, 9.2, 9.3)
-------------------------------------------------------------------
Using same procedure (pgbench and drupal site installation)
All OK

CC:
(none) =>
olchal

Bug 15309 created for rationalising postgresql versions in mga5 before release.

Validating.

Please push to 4 updates

Thanks

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0069.html

Status:
NEW =>
RESOLVED |