Bug 16924

Summary: postgresql new security issues fixed in 9.3.10 and 9.4.5 (CVE-2015-5288, CVE-2015-5289)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: cjw, davidwhodgins, lewyssmith, mageia, ngompa13, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/661066/
Whiteboard: advisory MGA5-64-OK
Source RPM: postgresql9.3, postgresql9.4 CVE:
Status comment:

Description David Walser 2015-10-08 19:53:24 CEST 
Upstream has announced new versions today (October 8):
http://www.postgresql.org/about/news/1615/

Two security issues have been fixed.

Reproducible: 

Steps to Reproduce:
David Walser 2015-10-08 19:53:44 CEST

CC: (none) => cjw
Whiteboard: (none) => MGA5TOO

Sander Lepik 2015-10-11 19:01:12 CEST

Hardware: i586 => All
CC: (none) => mageia
Assignee: bugsquad => cjw

Comment 1 David Walser 2015-10-16 18:54:07 CEST 
Ubuntu has issued an advisory for this today (October 16):
http://www.ubuntu.com/usn/usn-2772-1/

URL: (none) => http://lwn.net/Vulnerabilities/661066/

Comment 2 Neal Gompa 2015-10-21 23:02:53 CEST 
Updated versions committed to SVN for mga5 and cauldron (mga6)

CC: (none) => ngompa13

Comment 3 Neal Gompa 2015-10-21 23:52:28 CEST 
Advisory:
========================================================
Updated postgresql packages fix security vulnerabilities


Josh Kupershmidt discovered the pgCrypto extension could expose
several bytes of server memory if the crypt() function was provided a
too-short salt. An attacker could use this flaw to read private data.
(CVE-2015-5288)

Oskari Saarenmaa discovered that the json and jsonb handlers could exhaust
available stack space. An attacker could use this flaw to perform a denial
of service attack. (CVE-2015-5289)

The postgresql9.3 and postgresql9.4 packages have been updated to versions 
9.3.10 and 9.4.5, respectively, to fix these issues.
See the upstream release notes for more details.

References:
https://bugs.mageia.org/show_bug.cgi?id=16924
http://www.postgresql.org/about/news/1615/
http://www.ubuntu.com/usn/usn-2772-1/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5289
========================================================


Updated packages in core/updates_testing:
========================================================
postgresql9.3-9.3.10-1.mga5
libpq9.3_5.6-9.3.10-1.mga5
libecpg9.3_6-9.3.10-1.mga5
postgresql9.3-server-9.3.10-1.mga5
postgresql9.3-docs-9.3.10-1.mga5
postgresql9.3-contrib-9.3.10-1.mga5
postgresql9.3-devel-9.3.10-1.mga5
postgresql9.3-pl-9.3.10-1.mga5
postgresql9.3-plpython-9.3.10-1.mga5
postgresql9.3-plperl-9.3.10-1.mga5
postgresql9.3-pltcl-9.3.10-1.mga5
postgresql9.3-plpgsql-9.3.10-1.mga5
postgresql9.3-debuginfo-9.3.10-1.mga5
postgresql9.4-9.4.5-1.mga5
libpq5-9.4.5-1.mga5
libecpg9.4_6-9.4.5-1.mga5
postgresql9.4-server-9.4.5-1.mga5
postgresql9.4-docs-9.4.5-1.mga5
postgresql9.4-contrib-9.4.5-1.mga5
postgresql9.4-devel-9.4.5-1.mga5
postgresql9.4-pl-9.4.5-1.mga5
postgresql9.4-plpython-9.4.5-1.mga5
postgresql9.4-plperl-9.4.5-1.mga5
postgresql9.4-pltcl-9.4.5-1.mga5
postgresql9.4-plpgsql-9.4.5-1.mga5
postgresql9.4-debuginfo-9.4.5-1.mga5

From SRPMS:
postgresql9.3-9.3.10-1.mga5.src.rpm
postgresql9.4-9.4.5-1.mga5.src.rpm
Neal Gompa 2015-10-22 00:33:29 CEST

Assignee: cjw => qa-bugs

Comment 4 Neal Gompa 2015-10-22 00:34:07 CEST 
Advisory in comment #3.
Comment 5 Neal Gompa 2015-10-22 08:16:58 CEST 
The packages referenced in comment #3 have now hit the updates_testing repository for mga5.
David Walser 2015-10-22 18:37:47 CEST

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Dave Hodgins 2015-10-25 23:19:58 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 6 Lewis Smith 2015-10-27 14:07:59 CET 
Testing M5 x64 real hardware, PostgreSQL 9.3.

I had a mixture of 9.3 (server) & 9.4 bits, which caused havoc in Updates Testing; so for sanity I reverted the 9.4 bits to 9.3:
 postgresql9.3-9.3.9-1.mga5
 postgresql9.3-server-9.3.9-1.mga5
 postgresql9.3-plpgsql-9.3.9-1.mga5
 postgresql9.3-devel-9.3.9-1.mga5

CC: (none) => lewyssmith

Comment 7 Lewis Smith 2015-10-27 14:19:49 CET 
[Previous comment truncated]

Testing M5 x64 real hardware, PostgreSQL 9.3.

BEFORE update:
I had a mixture of 9.3 (server) & 9.4 bits, which caused havoc in Updates Testing; so for sanity I reverted the 9.4 bits to 9.3:
 postgresql9.3-9.3.9-1.mga5
 postgresql9.3-server-9.3.9-1.mga5
 postgresql9.3-plpgsql-9.3.9-1.mga5
 postgresql9.3-devel-9.3.9-1.mga5
 plus the eqivalent libs lib64pq9.3 [PQ9] & lib64ecpg9.3 [PG9].
Confirmed that the dependant applications worked: 'psql' console command, PhpPgAdmin, MediaWiki, Drupal.

AFTER update to:
 postgresql9.3-server-9.3.10-1.mga5
 postgresql9.3-9.3.10-1.mga5
 postgresql9.3-devel-9.3.10-1.mga5
 postgresql9.3-plpgsql-9.3.10-1.mga5
 lib64ecpg9.3_6-9.3.10-1.mga5
 lib64pq9.3_5.6-9.3.10-1.mga5
Re-started the Postgres server (in case). The 4 applications noted above still worked OK.

Update deemed OK for 9.3. If a 32-bit tester could try 9.4, that would catch both variables.

Whiteboard: advisory => advisory MGA5-64-OK

claire robinson 2015-11-02 13:42:06 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-11-02 21:22:19 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0420.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED