| Summary: | postgis new security issue(s) fixed upstream in 2.1.3 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | dglent, fundawang, makowski.mageia, qa-bugs, shlomif, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/641108/ | ||
| Whiteboard: | advisory mga4-32-ok mga4-64-ok | ||
| Source RPM: | postgis-2.1.3-4.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2015-04-20 20:50:29 CEST
David Walser
2015-04-20 20:50:35 CEST
Whiteboard:
(none) =>
MGA5TOO, MGA4TOO

Dimitrios was the last to work on the qgis package, which requires postgis. Dimitrios, can you help with this package?

CC:
(none) =>
dglent

I will try to update it

CC:
(none) =>
makowski.mageia
David Walser
2015-05-04 23:51:15 CEST
Blocks:
(none) =>
14674

postgis-2.1.7-1.mga4 is in 4/testing
freeze push asked for postgis-2.1.7-2.mga5
Philippe Makowski
2015-05-06 20:35:09 CEST
Assignee:
fundawang =>
qa-bugs

Thanks Philippe! We'll hold off on assigning to QA until it's pushed in Cauldron.

CC:
(none) =>
fundawang, qa-bugs

Updated packages uploaded for Mageia 4 and Cauldron.

I finally see where the security issues are, they were actually fixed in 2.1.3:
http://postgis.net/2014/05/19/postgis-2.0.6_and_2.1.3

Advisory:
========================

Updated postgis packages fix security vulnerability:

The PostGIS Raster support in PostGIS before 2.1.3 may give more privileges to
users than an administrator is willing to grant. These include reading files
from the filesystem and opening connections to network hosts.

The postgis package has been updated to version 2.1.7, fixing this issue and
several other bugs. Please see the upstream release announcements and NEWS for
more information.

References:
http://postgis.net/2013/11/08/postgis-2.1.1
http://postgis.net/2014/03/31/postgis-2.1.2
http://postgis.net/2014/05/19/postgis-2.0.6_and_2.1.3
http://postgis.net/2014/09/10/postgis-2.1.4
http://postgis.net/2014/12/18/postgis-2.1.5
http://postgis.net/2015/03/20/postgis-2.1.6
http://postgis.net/2015/04/06/postgis-2.1.7
http://svn.osgeo.org/postgis/tags/2.1.7/NEWS
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154704.html
========================

Updated packages in core/updates_testing:
========================
postgis-2.1.7-1.mga4
libpostgis-devel-2.1.7-1.mga4

from postgis-2.1.7-1.mga4.src.rpm

Version:
Cauldron =>
4
David Walser
2015-05-06 21:13:36 CEST
Summary:
postgis new security issue(s) fixed upstream in 2.1.6 =>
postgis new security issue(s) fixed upstream in 2.1.3

To be clear, the Fedora advisory claims there were security fixes in 2.1.6 itself, and they were updating it from 2.1.3, but I still have no idea what exactly they were referring to.

Testing complete mga4 32

Just ensuring it updates cleanly during mga5 final release cycle.

Whiteboard:
(none) =>
mga4-32-ok

Advisory uploaded.

Whiteboard:
mga4-32-ok =>
advisory mga4-32-ok

(In reply to claire robinson from comment #7)
> Testing complete mga4 32
>
> Just ensuring it updates cleanly during mga5 final release cycle.

It updates cleanly on a Mageia 4 x86-64 VBox VM. Should we MGA4-64-OK it?

CC:
(none) =>
shlomif

Yes please.

Doing so now.

Validating.

Please push to 4 updates

Thanks

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0207.html

Status:
NEW =>
RESOLVED