| Summary: | postgresql new security issue CVE-2019-10164 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | brtians1, marja11, sysadmin-bugs, tmb, tomwalterszz0809 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | postgresql11 | CVE: | |
| Status comment: | | | |
Description
David Walser 2019-06-23 19:09:28 CEST

David Walser 2019-06-23 19:09:41 CEST
Whiteboard: (none) => MGA7TOO

Assigning to our registered postgresql11 maintainer.
Assignee: bugsquad => mageia

Suggested advisory:
========================

Updated postgresql11 packages fix security vulnerabilities:

An authenticated user could create a stack-based buffer overflow by changing their own password to a purpose-crafted value. In addition to the ability to crash the PostgreSQL server, this could be further exploited to execute arbitrary code as the PostgreSQL operating system account. Additionally, a rogue server could send a specifically crafted message during the SCRAM authentication process and cause a libpq-enabled client to either crash or execute arbitrary code as the client's operating system account. [1]

More than 25 other bugs have been fixed too. [2]

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10164
[2] https://www.postgresql.org/about/news/1949/
========================

Updated packages in core/updates_testing:
========================
postgresql11-11.4-1.mga7
lib64pq5-11.4-1.mga7
lib64ecpg11_6-11.4-1.mga7
postgresql11-server-11.4-1.mga7
postgresql11-docs-11.4-1.mga7
postgresql11-contrib-11.4-1.mga7
postgresql11-devel-11.4-1.mga7
postgresql11-pl-11.4-1.mga7
postgresql11-plpython-11.4-1.mga7
postgresql11-plpython3-11.4-1.mga7
postgresql11-plperl-11.4-1.mga7
postgresql11-pltcl-11.4-1.mga7
postgresql11-plpgsql-11.4-1.mga7
postgresql11-debugsource-11.4-1.mga7
postgresql11-debuginfo-11.4-1.mga7
lib64pq5-debuginfo-11.4-1.mga7
lib64ecpg11_6-debuginfo-11.4-1.mga7
postgresql11-server-debuginfo-11.4-1.mga7
postgresql11-contrib-debuginfo-11.4-1.mga7
postgresql11-devel-debuginfo-11.4-1.mga7
postgresql11-plpython-debuginfo-11.4-1.mga7
postgresql11-plpython3-debuginfo-11.4-1.mga7
postgresql11-plperl-debuginfo-11.4-1.mga7
postgresql11-pltcl-debuginfo-11.4-1.mga7
postgresql11-plpgsql-debuginfo-11.4-1.mga7

SRPM:
postgresql11-11.4-1.mga7.src.rpm

Assignee: mageia => qa-bugs
Thomas Backlund 2019-07-02 12:46:43 CEST
Version: Cauldron => 7

$ uname -a
Linux linux.local 5.1.14-desktop-1.mga7 #1 SMP Sat Jun 22 10:35:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
The following 20 packages are going to be installed:
- glibc-devel-2.29-13.mga7.x86_64
- kernel-userspace-headers-5.1.16-1.mga7.x86_64
- lib64ecpg11_6-11.4-1.mga7.x86_64
- lib64openssl-devel-1.1.0j-1.mga7.x86_64
- lib64pq5-11.4-1.mga7.x86_64
- lib64xcrypt-devel-4.4.6-1.mga7.x86_64
- lib64zlib-devel-1.2.11-7.mga7.x86_64
- meta-task-7-1.1.mga7.noarch
- multiarch-utils-1.0.14-2.mga7.noarch
- postgresql11-11.4-1.mga7.x86_64
- postgresql11-contrib-11.4-1.mga7.x86_64
- postgresql11-devel-11.4-1.mga7.x86_64
- postgresql11-docs-11.4-1.mga7.noarch
- postgresql11-pl-11.4-1.mga7.x86_64
- postgresql11-plperl-11.4-1.mga7.x86_64
- postgresql11-plpgsql-11.4-1.mga7.x86_64
- postgresql11-plpython-11.4-1.mga7.x86_64
- postgresql11-plpython3-11.4-1.mga7.x86_64
- postgresql11-pltcl-11.4-1.mga7.x86_64
- postgresql11-server-11.4-1.mga7.x86_64
After the install I rebooted the VM.
$ ps -ef | grep post
returned nothing but this command. So I had to start postgresql
# systemctl start postgresql
(Note the above command may take a minute to finish - don't panic at the disco).
Now I'm seeing activity
[root@linux brian]# ps -ef | grep post
postgres 2158 1 0 09:09 ? 00:00:00 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
postgres 2160 2158 0 09:09 ? 00:00:00 postgres: checkpointer
postgres 2161 2158 0 09:09 ? 00:00:00 postgres: background writer
postgres 2162 2158 0 09:09 ? 00:00:00 postgres: walwriter
postgres 2163 2158 0 09:09 ? 00:00:00 postgres: autovacuum launcher
postgres 2164 2158 0 09:09 ? 00:00:00 postgres: stats collector
postgres 2165 2158 0 09:09 ? 00:00:00 postgres: logical replication launcher
From root user I su over to postgres user:
# su postgres
[postgres@linux brian]$
I start by creating a db
[postgres@linux home]$ createdb magdb
(note you may get an error that postgres doesn't have permission to write a file. That's a log file.)
I now connect to the database I created:
$ psql magdb
psql (11.4)
magdb=# select version();
                                                       version
--------------------------------------------------------------------------------------------------------------------
 PostgreSQL 11.4 on x86_64-mageia-linux-gnu, compiled by gcc (Mageia 8.3.1-0.20190524.1.mga7) 8.3.1 20190524, 64-bit
It seems happy enough.
Now I'll go install nextcloud
After installing nextcloud and all associated services (make sure you include the postgres connector)
# systemctl start httpd
In your favorite browser: 127.0.0.1/nextcloud
Pick out postgresql as the database (if it is not available you either didn't start it or you did not pick the proper nextcloud driver).
Note default postgres database user is postgres and the password is <blank>
I was able to complete the installation and add documents to nextcloud.
Looks like postgres is working as designed.
CC: (none) => brtians1

Advisory uploaded, validating.
Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0204.html
Resolution: (none) => FIXED
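A version check added here as an example (it is not part of the bug report or of Mageia's QA tooling): it parses the `select version();` banner that the test above printed and reports whether an 11.x server is at or past 11.4, the release the advisory names as fixing CVE-2019-10164. It assumes only the 11.x branch matters, because 11.4 is the only fixed version this report mentions.

```shell
#!/bin/sh
# Added example, not from the bug report. Feed it the banner returned by
# `select version();` (or by `psql -At -c 'select version()'`) and it
# tells you whether a PostgreSQL 11.x server is at or past 11.4, the
# release the advisory names as the fix for CVE-2019-10164.
# Assumption: only the 11.x branch is checked, since 11.4 is the only
# fixed version the report mentions.

FIXED_MAJOR=11
FIXED_MINOR=4

# Print "major.minor" from a banner such as
# "PostgreSQL 11.4 on x86_64-mageia-linux-gnu, compiled by gcc ...";
# prints nothing when the line is not a PostgreSQL version banner.
pg_banner_version() {
    printf '%s\n' "$1" | sed -n 's/^PostgreSQL \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit status: 0 = 11.4 or later (fixed), 1 = affected 11.x release,
# 2 = another major version (outside this check), 3 = unrecognised input.
pg_fixed_for_cve_2019_10164() {
    ver=$(pg_banner_version "$1")
    [ -n "$ver" ] || return 3
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -eq "$FIXED_MAJOR" ] || return 2
    [ "$minor" -ge "$FIXED_MINOR" ]
}

# Constructed sample banners: the one from the test report above and an
# older 11.x release for contrast. Run with --demo to see both results.
if [ "${1:-}" = "--demo" ]; then
    for banner in \
        "PostgreSQL 11.4 on x86_64-mageia-linux-gnu, compiled by gcc (Mageia 8.3.1-0.20190524.1.mga7) 8.3.1 20190524, 64-bit" \
        "PostgreSQL 11.3 on x86_64-pc-linux-gnu, compiled by gcc, 64-bit"; do
        if pg_fixed_for_cve_2019_10164 "$banner"; then
            echo "fixed:    $(pg_banner_version "$banner")"
        else
            rc=$?
            echo "affected (status $rc): $(pg_banner_version "$banner")"
        fi
    done
fi
```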
Craig Hamill 2019-12-04 09:23:01 CET
CC: (none) => tomwalterszz0809