| Summary: | postgresql new security issues CVE-2019-1020[89] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, cjw, joequant, mageia, marja11, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6TOO MGA7-64-OK MGA6-64-OK MGA7-32-OK MGA6-32-OK | ||
| Source RPM: | postgresql11, postgresql9.6, postgresql9.4 | CVE: | |
| Status comment: | |||
Description
David Walser
2019-08-10 18:35:57 CEST
David Walser
2019-08-10 18:36:09 CEST
Whiteboard:
(none) =>
MGA7TOO, MGA6TOO

Assigning to our registered maintainer of postgresql11
CC'ing our registered maintainers of postgresql9.4 and 9.6

CC:
(none) =>
cjw, joequant, marja11

Suggested advisory:
========================
Updated postgresql9.4, postgresql9.6 and postgresql11 packages fix security vulnerabilities:
Given a suitable SECURITY DEFINER function, an attacker can execute arbitrary SQL under the identity of the function owner. An attack requires EXECUTE permission on the function, which must itself contain a function call having inexact argument type match. For example, length('foo'::varchar) and length('foo') are inexact, while length('foo'::text) is exact. [1]
Memory disclosure in cross-type comparison for hashed subplan:
In a database containing hypothetical, user-defined hash equality operators, an attacker could read arbitrary bytes of server memory. For an attack to become possible, a superuser would need to create unusual operators. It is possible for operators not purpose-crafted for attack to have the properties that enable an attack, but we are not aware of specific examples. [2]
This update also fixes over 40 bugs that were reported in the last several months. [3]
References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10208
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10209
[3] https://www.postgresql.org/about/news/1960/
========================
Updated packages in core/updates_testing:
========================
mga6:
postgresql9.4-9.4.24-1.mga6
libpq5.7-9.4.24-1.mga6
libecpg9.4_6-9.4.24-1.mga6
postgresql9.4-server-9.4.24-1.mga6
postgresql9.4-docs-9.4.24-1.mga6.noarch
postgresql9.4-contrib-9.4.24-1.mga6
postgresql9.4-devel-9.4.24-1.mga6
postgresql9.4-pl-9.4.24-1.mga6
postgresql9.4-plpython-9.4.24-1.mga6
postgresql9.4-plperl-9.4.24-1.mga6
postgresql9.4-pltcl-9.4.24-1.mga6
postgresql9.4-plpgsql-9.4.24-1.mga6
postgresql9.4-debuginfo-9.4.24-1.mga6
postgresql9.6-9.6.15-1.mga6
libpq5.9-9.6.15-1.mga6
libecpg9.6_6-9.6.15-1.mga6
postgresql9.6-server-9.6.15-1.mga6
postgresql9.6-docs-9.6.15-1.mga6
postgresql9.6-contrib-9.6.15-1.mga6
postgresql9.6-devel-9.6.15-1.mga6
postgresql9.6-pl-9.6.15-1.mga6
postgresql9.6-plpython-9.6.15-1.mga6
postgresql9.6-plperl-9.6.15-1.mga6
postgresql9.6-pltcl-9.6.15-1.mga6
postgresql9.6-plpgsql-9.6.15-1.mga6
postgresql9.6-debugsource-9.6.15-1.mga6
postgresql9.6-debuginfo-9.6.15-1.mga6
libpq5.9-debuginfo-9.6.15-1.mga6
libecpg9.6_6-debuginfo-9.6.15-1.mga6
postgresql9.6-server-debuginfo-9.6.15-1.mga6
postgresql9.6-contrib-debuginfo-9.6.15-1.mga6
postgresql9.6-devel-debuginfo-9.6.15-1.mga6
postgresql9.6-plpython-debuginfo-9.6.15-1.mga6
postgresql9.6-plperl-debuginfo-9.6.15-1.mga6
postgresql9.6-pltcl-debuginfo-9.6.15-1.mga6
postgresql9.6-plpgsql-debuginfo-9.6.15-1.mga6
mga7:
postgresql9.6-9.6.15-1.mga7
libpq5.9-9.6.15-1.mga7
libecpg9.6_6-9.6.15-1.mga7
postgresql9.6-server-9.6.15-1.mga7
postgresql9.6-docs-9.6.15-1.mga7
postgresql9.6-contrib-9.6.15-1.mga7
postgresql9.6-devel-9.6.15-1.mga7
postgresql9.6-pl-9.6.15-1.mga7
postgresql9.6-plpython-9.6.15-1.mga7
postgresql9.6-plperl-9.6.15-1.mga7
postgresql9.6-pltcl-9.6.15-1.mga7
postgresql9.6-plpgsql-9.6.15-1.mga7
postgresql9.6-debugsource-9.6.15-1.mga7
postgresql9.6-debuginfo-9.6.15-1.mga7
libpq5.9-debuginfo-9.6.15-1.mga7
libecpg9.6_6-debuginfo-9.6.15-1.mga7
postgresql9.6-server-debuginfo-9.6.15-1.mga7
postgresql9.6-contrib-debuginfo-9.6.15-1.mga7
postgresql9.6-devel-debuginfo-9.6.15-1.mga7
postgresql9.6-plpython-debuginfo-9.6.15-1.mga7
postgresql9.6-plperl-debuginfo-9.6.15-1.mga7
postgresql9.6-pltcl-debuginfo-9.6.15-1.mga7
postgresql9.6-plpgsql-debuginfo-9.6.15-1.mga7
postgresql11-11.5-1.mga7
lib64pq5-11.5-1.mga7
lib64ecpg11_6-11.5-1.mga7
postgresql11-server-11.5-1.mga7
postgresql11-docs-11.5-1.mga7
postgresql11-contrib-11.5-1.mga7
postgresql11-devel-11.5-1.mga7
postgresql11-pl-11.5-1.mga7
postgresql11-plpython-11.5-1.mga7
postgresql11-plpython3-11.5-1.mga7
postgresql11-plperl-11.5-1.mga7
postgresql11-pltcl-11.5-1.mga7
postgresql11-plpgsql-11.5-1.mga7
postgresql11-debugsource-11.5-1.mga7
postgresql11-debuginfo-11.5-1.mga7
lib64pq5-debuginfo-11.5-1.mga7
lib64ecpg11_6-debuginfo-11.5-1.mga7
postgresql11-server-debuginfo-11.5-1.mga7
postgresql11-contrib-debuginfo-11.5-1.mga7
postgresql11-devel-debuginfo-11.5-1.mga7
postgresql11-plpython-debuginfo-11.5-1.mga7
postgresql11-plpython3-debuginfo-11.5-1.mga7
postgresql11-plperl-debuginfo-11.5-1.mga7
postgresql11-pltcl-debuginfo-11.5-1.mga7
postgresql11-plpgsql-debuginfo-11.5-1.mga7
Source RPMs:
postgresql9.4-9.4.24-1.mga6.src.rpm
postgresql9.6-9.6.15-1.mga6.src.rpm
postgresql9.6-9.6.15-1.mga7.src.rpm
postgresql11-11.5-1.mga7.src.rpm

Assignee:
mageia =>
qa-bugs

Thanks. Feel free to remove postgresql9.6 from Cauldron, as it won't be shipped in Mageia 8.

Advisory:
========================
Updated postgresql packages fix security vulnerabilities:
Given a suitable SECURITY DEFINER function, an attacker can execute arbitrary
SQL under the identity of the function owner. An attack requires EXECUTE
permission on the function, which must itself contain a function call having
inexact argument type match. For example, length('foo'::varchar) and
length('foo') are inexact, while length('foo'::text) is exact (CVE-2019-10208).
In a database containing hypothetical, user-defined hash equality operators,
an attacker could read arbitrary bytes of server memory. For an attack to
become possible, a superuser would need to create unusual operators. It is
possible for operators not purpose-crafted for attack to have the properties
that enable an attack, but we are not aware of specific examples
(CVE-2019-10209).
This update also fixes over 40 bugs that were reported in the last several
months. See the upstream release notes for details.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10208
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10209
https://www.postgresql.org/docs/9.4/release-9-4-24.html
https://www.postgresql.org/docs/9.6/release-9-6-15.html
https://www.postgresql.org/docs/11/release-11-5.html
https://www.postgresql.org/about/news/1960/

Version:
Cauldron =>
7

MGA7 - VM instance 64-bit
Postgres 11-11.5.1 testing

Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-pl-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-devel-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-plperl-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-plpython-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-plpython3-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-pltcl-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-contrib-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-docs-11.4-1.mga7.noarch: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-server-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-plpgsql-11.4-1.mga7.x86_64: success
Aug 16 12:59:03 linux.local [RPM][2390]: install postgresql11-11.5-1.mga7.x86_64: success
Aug 16 12:59:04 linux.local [RPM][2390]: install postgresql11-plpgsql-11.5-1.mga7.x86_64: success
Aug 16 12:59:09 linux.local systemd-tmpfiles[2510]: [/usr/lib/tmpfiles.d/postgresql.conf:1] Line references path below legacy directory /var/run/, updating /var/run/postgresql → /run/postgresql; please update the tmpfiles.d/ drop-in file accordingly.
Aug 16 12:59:09 linux.local [RPM][2390]: install postgresql11-server-11.5-1.mga7.x86_64: success
Aug 16 12:59:10 linux.local [RPM][2390]: install postgresql11-plpython-11.5-1.mga7.x86_64: success
Aug 16 12:59:11 linux.local [RPM][2390]: install postgresql11-pltcl-11.5-1.mga7.x86_64: success
Aug 16 12:59:11 linux.local [RPM][2390]: install postgresql11-plpython3-11.5-1.mga7.x86_64: success
Aug 16 12:59:12 linux.local [RPM][2390]: install postgresql11-plperl-11.5-1.mga7.x86_64: success
Aug 16 12:59:17 linux.local [RPM][2390]: install postgresql11-devel-11.5-1.mga7.x86_64: success
Aug 16 12:59:17 linux.local [RPM][2390]: install postgresql11-pl-11.5-1.mga7.x86_64: success
Aug 16 12:59:20 linux.local [RPM][2390]: install postgresql11-contrib-11.5-1.mga7.x86_64: success
Aug 16 12:59:25 linux.local [RPM][2390]: install postgresql11-docs-11.5-1.mga7.noarch: success
Aug 16 12:59:27 linux.local [RPM][2390]: erase postgresql11-pl-11.4-1.mga7.x86_64: success
Aug 16 12:59:29 linux.local [RPM][2390]: erase postgresql11-devel-11.4-1.mga7.x86_64: success
Aug 16 12:59:32 linux.local [RPM][2390]: erase postgresql11-plperl-11.4-1.mga7.x86_64: success
Aug 16 12:59:33 linux.local [RPM][2390]: erase postgresql11-plpython-11.4-1.mga7.x86_64: success
Aug 16 12:59:34 linux.local [RPM][2390]: erase postgresql11-plpython3-11.4-1.mga7.x86_64: success
Aug 16 12:59:34 linux.local [RPM][2390]: erase postgresql11-pltcl-11.4-1.mga7.x86_64: success
Aug 16 12:59:35 linux.local [RPM][2390]: erase postgresql11-contrib-11.4-1.mga7.x86_64: success
Aug 16 12:59:36 linux.local [RPM][2390]: erase postgresql11-docs-11.4-1.mga7.noarch: success
Aug 16 12:59:38 linux.local [RPM][2390]: erase postgresql11-server-11.4-1.mga7.x86_64: success
Aug 16 12:59:39 linux.local [RPM][2390]: erase postgresql11-11.4-1.mga7.x86_64: success
Aug 16 12:59:42 linux.local [RPM][2390]: erase postgresql11-plpgsql-11.4-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local systemd-tmpfiles[2549]: [/usr/lib/tmpfiles.d/postgresql.conf:1] Line references path below legacy directory /var/run/, updating /var/run/postgresql → /run/postgresql; please update the tmpfiles.d/ drop-in file accordingly.
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-plpgsql-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-server-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-plpython-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-pltcl-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-plpython3-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-plperl-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-devel-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-pl-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-contrib-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-docs-11.5-1.mga7.noarch: success

So, this is a replacement for postgres 11.4. I rebooted the system, started postgres services and enabled apache with nextcloud. Nextcloud worked as designed.

CC:
(none) =>
brtians1

MGA7 - 64bit VM running GNOME

$ uname -a
Linux linux.local 5.2.7-desktop-1.mga7 #1 SMP Wed Aug 7 10:32:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

- glibc-devel-2.29-13.mga7.x86_64
- kernel-userspace-headers-5.2.7-1.mga7.x86_64
- lib64ecpg9.6_6-9.6.15-1.mga7.x86_64
- lib64openssl-devel-1.1.0j-1.mga7.x86_64
- lib64pq5.9-9.6.15-1.mga7.x86_64
- lib64xcrypt-devel-4.4.6-1.mga7.x86_64
- lib64zlib-devel-1.2.11-7.mga7.x86_64
- multiarch-utils-1.0.14-2.mga7.noarch
- postgresql9.6-9.6.15-1.mga7.x86_64
- postgresql9.6-contrib-9.6.15-1.mga7.x86_64
- postgresql9.6-devel-9.6.15-1.mga7.x86_64
- postgresql9.6-docs-9.6.15-1.mga7.noarch
- postgresql9.6-pl-9.6.15-1.mga7.x86_64
- postgresql9.6-plperl-9.6.15-1.mga7.x86_64
- postgresql9.6-plpgsql-9.6.15-1.mga7.x86_64
- postgresql9.6-plpython-9.6.15-1.mga7.x86_64
- postgresql9.6-pltcl-9.6.15-1.mga7.x86_64
- postgresql9.6-server-9.6.15-1.mga7.x86_64

Afterwards I installed Nextcloud and configured it for postgres. It worked as designed. I was able to enable files.

I'm giving mga7-64-ok

Whiteboard:
MGA6TOO =>
MGA6TOO MGA7-64-OK

MGA6 - Xfce - x86_64

$ uname -a
Linux localhost 4.14.137-desktop-1.mga6 #1 SMP Wed Aug 7 11:51:54 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

- glibc-devel-2.22-29.mga6.x86_64
- kernel-userspace-headers-4.14.137-1.mga6.x86_64
- lib64ecpg9.4_6-9.4.24-1.mga6.x86_64
- lib64openssl-devel-1.0.2r-1.mga6.x86_64
- lib64ossp_uuid16-1.6.2-16.mga6.x86_64
- lib64pq5.7-9.4.24-1.mga6.x86_64
- lib64zlib-devel-1.2.11-4.1.mga6.x86_64
- postgresql9.4-9.4.24-1.mga6.x86_64
- postgresql9.4-contrib-9.4.24-1.mga6.x86_64
- postgresql9.4-devel-9.4.24-1.mga6.x86_64
- postgresql9.4-docs-9.4.24-1.mga6.noarch
- postgresql9.4-pl-9.4.24-1.mga6.x86_64
- postgresql9.4-plperl-9.4.24-1.mga6.x86_64
- postgresql9.4-plpgsql-9.4.24-1.mga6.x86_64
- postgresql9.4-plpython-9.4.24-1.mga6.x86_64
- postgresql9.4-pltcl-9.4.24-1.mga6.x86_64
- postgresql9.4-server-9.4.24-1.mga6.x86_64

I installed nextcloud server and started all services. Able to add document - this is working as designed.

MGA6 - Xfce - x86_64

$ uname -a
Linux localhost 4.14.137-desktop-1.mga6 #1 SMP Wed Aug 7 11:51:54 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Upgraded postgres from 9.4.9 to 9.6.15 after stopping all services, restarted and then tested again. Working as designed.

- lib64ecpg9.6_6-9.6.15-1.mga6.x86_64
- postgresql9.6-9.6.15-1.mga6.x86_64
- postgresql9.6-contrib-9.6.15-1.mga6.x86_64
- postgresql9.6-devel-9.6.15-1.mga6.x86_64
- postgresql9.6-docs-9.6.15-1.mga6.noarch
- postgresql9.6-pl-9.6.15-1.mga6.x86_64
- postgresql9.6-plperl-9.6.15-1.mga6.x86_64
- postgresql9.6-plpgsql-9.6.15-1.mga6.x86_64
- postgresql9.6-plpython-9.6.15-1.mga6.x86_64
- postgresql9.6-pltcl-9.6.15-1.mga6.x86_64
- postgresql9.6-server-9.6.15-1.mga6.x86_64

Whiteboard:
MGA6TOO MGA7-64-OK =>
MGA6TOO MGA7-64-OK MGA6-64-OK

$ uname -a
Linux localhost 5.2.7-desktop-1.mga7 #1 SMP Wed Aug 7 10:49:38 UTC 2019 i686 i686 i386 GNU/Linux

- glibc-devel-2.29-13.mga7.i586
- kernel-userspace-headers-5.2.7-1.mga7.i586
- libecpg9.6_6-9.6.15-1.mga7.i586
- libopenssl-devel-1.1.0j-1.mga7.i586
- libpq5.9-9.6.15-1.mga7.i586
- libxcrypt-devel-4.4.6-1.mga7.i586
- libzlib-devel-1.2.11-7.mga7.i586
- multiarch-utils-1.0.14-2.mga7.noarch
- postgresql9.6-9.6.15-1.mga7.i586
- postgresql9.6-contrib-9.6.15-1.mga7.i586
- postgresql9.6-devel-9.6.15-1.mga7.i586
- postgresql9.6-docs-9.6.15-1.mga7.noarch
- postgresql9.6-pl-9.6.15-1.mga7.i586
- postgresql9.6-plperl-9.6.15-1.mga7.i586
- postgresql9.6-plpgsql-9.6.15-1.mga7.i586
- postgresql9.6-plpython-9.6.15-1.mga7.i586
- postgresql9.6-pltcl-9.6.15-1.mga7.i586
- postgresql9.6-server-9.6.15-1.mga7.i586

Services started properly. I installed Nextcloud and initialized it. Able to promote documents.

Working as designed.

MGA7 - 32bit - Mate

$ uname -a
Linux localhost 5.2.7-desktop-1.mga7 #1 SMP Wed Aug 7 10:49:38 UTC 2019 i686 i686 i386 GNU/Linux

- libecpg11_6-11.5-1.mga7.i586
- postgresql11-11.5-1.mga7.i586
- postgresql11-contrib-11.5-1.mga7.i586
- postgresql11-devel-11.5-1.mga7.i586
- postgresql11-docs-11.5-1.mga7.noarch
- postgresql11-pl-11.5-1.mga7.i586
- postgresql11-plperl-11.5-1.mga7.i586
- postgresql11-plpgsql-11.5-1.mga7.i586
- postgresql11-plpython-11.5-1.mga7.i586
- postgresql11-plpython3-11.5-1.mga7.i586
- postgresql11-pltcl-11.5-1.mga7.i586
- postgresql11-server-11.5-1.mga7.i586

started all of the services for postgres and http and ran Nextcloud

Working as designed.

Whiteboard:
MGA6TOO MGA7-64-OK MGA6-64-OK =>
MGA6TOO MGA7-64-OK MGA6-64-OK MGA7-32-OK

MGA6 - 32bit - Mate

$ uname -a
Linux localhost 4.14.137-desktop-1.mga6 #1 SMP Wed Aug 7 15:08:19 UTC 2019 i686 i686 i686 GNU/Linux

- glibc-devel-2.22-29.mga6.i586
- kernel-userspace-headers-4.14.137-1.mga6.i586
- libecpg9.6_6-9.6.15-1.mga6.i586
- libopenssl-devel-1.0.2r-1.mga6.i586
- libpq5-9.6.15-1.mga6.i586
- libzlib-devel-1.2.11-4.1.mga6.i586
- postgresql9.6-9.6.15-1.mga6.i586
- postgresql9.6-contrib-9.6.15-1.mga6.i586
- postgresql9.6-devel-9.6.15-1.mga6.i586
- postgresql9.6-docs-9.6.15-1.mga6.noarch
- postgresql9.6-pl-9.6.15-1.mga6.i586
- postgresql9.6-plperl-9.6.15-1.mga6.i586
- postgresql9.6-plpgsql-9.6.15-1.mga6.i586
- postgresql9.6-plpython-9.6.15-1.mga6.i586
- postgresql9.6-pltcl-9.6.15-1.mga6.i586
- postgresql9.6-server-9.6.15-1.mga6.i586

repeated the routine of installing nextcloud and checking in files. worked as designed.

MGA6 - 32bit - Mate

$ uname -a
Linux localhost 4.14.137-desktop-1.mga6 #1 SMP Wed Aug 7 15:08:19 UTC 2019 i686 i686 i686 GNU/Linux

This time I was more selective for 9.4

- libossp_uuid16-1.6.2-16.mga6.i586
- libpq5.7-9.4.24-1.mga6.i586
- postgresql9.4-9.4.24-1.mga6.i586
- postgresql9.4-plpgsql-9.4.24-1.mga6.i586
- postgresql9.4-server-9.4.24-1.mga6.i586

installed nextcloud 13 - it worked without issue with postgres

Whiteboard:
MGA6TOO MGA7-64-OK MGA6-64-OK MGA7-32-OK =>
MGA6TOO MGA7-64-OK MGA6-64-OK MGA7-32-OK MGA6-32-OK

Validating. Advisory in Comment 2, and revised in Comment 3.

Keywords:
(none) =>
validated_update
Thomas Backlund
2019-08-18 13:43:20 CEST
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0225.html

Resolution:
(none) =>
FIXED
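
The advisory text in this report names two preconditions for CVE-2019-10208 that can be checked from the system catalogs: a SECURITY DEFINER function, and EXECUTE permission on it for the caller. The queries below are an added example, not part of the bug report or of Mageia's or PostgreSQL's own tooling; they check the server against the releases packaged in this update and list the functions to review. They do not detect the inexact argument type match itself, which still requires reading each function body.

```sql
-- Added example (not from the bug report). Run in each database to review.

-- 1. Is the server at or above the release shipped in this update?
--    Only the three branches packaged here are covered; any other branch
--    yields NULL and has to be checked against the upstream release notes.
SELECT current_setting('server_version') AS server_version,
       CASE
         WHEN v BETWEEN  90400 AND  90499 THEN v >=  90424   -- 9.4.24
         WHEN v BETWEEN  90600 AND  90699 THEN v >=  90615   -- 9.6.15
         WHEN v BETWEEN 110000 AND 119999 THEN v >= 110005   -- 11.5
       END AS at_or_above_fixed_release
FROM (SELECT current_setting('server_version_num')::int AS v) AS s;

-- 2. Inventory user-defined SECURITY DEFINER functions, the role each one
--    runs as, and whether every role can call it through PUBLIC.
--    A NULL acl means the default privileges are still in place, and the
--    default for functions grants EXECUTE to PUBLIC.
--    The casts make the has_function_privilege() call an exact type match.
SELECT n.nspname                                 AS schema_name,
       p.proname                                 AS function_name,
       pg_get_function_identity_arguments(p.oid) AS arguments,
       pg_get_userbyid(p.proowner)               AS runs_as,
       l.lanname                                 AS language,
       has_function_privilege('public'::name, p.oid, 'EXECUTE'::text)
                                                 AS public_can_execute,
       p.proacl                                  AS acl
FROM pg_proc AS p
JOIN pg_namespace AS n ON n.oid = p.pronamespace
JOIN pg_language  AS l ON l.oid = p.prolang
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY public_can_execute DESC, runs_as, schema_name, function_name;
```

Rows with public_can_execute = true and a privileged runs_as role are the ones to review first; revoking EXECUTE from PUBLIC and granting it only to the roles that need the function narrows who can reach it.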