| Summary: | postgresql new security issue CVE-2020-1720 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, mageia, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | postgresql12, postgresql11, postgresql9.6 | CVE: | |
| Status comment: | |||
Description
David Walser
2020-02-13 21:26:27 CET

David Walser
2020-02-13 21:26:39 CET
Whiteboard: (none) => MGA7TOO
Assignee: bugsquad => joequant

Assigning to Joseph for 9.6 & 12; CC'ing Marc for 11.

pushed all versions to build system, since it is currently very busy, it can take some time...

@Joseph, do you want to take pg11 too? I was just helping out while you were unavailable.

Advisory:
========================

Updated postgresql9.6 and postgresql11 packages fix security vulnerability:

The ALTER ... DEPENDS ON EXTENSION sub-commands do not perform authorization checks, which can allow an unprivileged user to drop any function, procedure, materialized view, index, or trigger under certain conditions. This attack is possible if an administrator has installed an extension and an unprivileged user can CREATE, or an extension owner either executes DROP EXTENSION predictably or can be convinced to execute DROP EXTENSION (CVE-2020-1720).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1720
https://www.postgresql.org/about/news/2011/
========================

Updated packages in core/updates_testing:
========================
postgresql9.6-9.6.17-1.mga7
libpq5.9-9.6.17-1.mga7
libecpg9.6_6-9.6.17-1.mga7
postgresql9.6-server-9.6.17-1.mga7
postgresql9.6-docs-9.6.17-1.mga7
postgresql9.6-contrib-9.6.17-1.mga7
postgresql9.6-devel-9.6.17-1.mga7
postgresql9.6-pl-9.6.17-1.mga7
postgresql9.6-plpython-9.6.17-1.mga7
postgresql9.6-plperl-9.6.17-1.mga7
postgresql9.6-pltcl-9.6.17-1.mga7
postgresql9.6-plpgsql-9.6.17-1.mga7
postgresql11-11.7-1.mga7
libpq5-11.7-1.mga7
libecpg11_6-11.7-1.mga7
postgresql11-server-11.7-1.mga7
postgresql11-docs-11.7-1.mga7
postgresql11-contrib-11.7-1.mga7
postgresql11-devel-11.7-1.mga7
postgresql11-pl-11.7-1.mga7
postgresql11-plpython-11.7-1.mga7
postgresql11-plpython3-11.7-1.mga7
postgresql11-plperl-11.7-1.mga7
postgresql11-pltcl-11.7-1.mga7
postgresql11-plpgsql-11.7-1.mga7

from SRPMS:
postgresql9.6-9.6.17-1.mga7.src.rpm
postgresql11-11.7-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)

CC: (none) => herman.viaene

MGA7-64 Plasma on Lenovo B50

Installation: I could not install both 9.6 and 11 simultaneously, there was a problem with one of the lib packages. So installed first the 9.6, together with pgadmin and phppgadmin. Used pgadmin after starting postgres to create a new database and in it a new table and a sequence, all seems to work OK. I will continue by trying to add version 11 or if necessary remove 9.6 and then install 11.

Installing postgres11 bumps out 9.6, but the database created with 9.6 survived and could be opened. Added another login role (phppgadmin does not allow the postgres user to login) in pgadmin and then used phppgadmin to create a primary key for the table defined in the 9.6 test. Checked visibility in pgadmin of the changes made using phppgadmin. All looks OK. More tests needed for OK'ing???

Sounds good Herman.

Herman Viaene
2020-02-19 14:49:00 CET
Whiteboard: (none) => MGA7-64-OK

Validating, then. Advisory in Comment 3.
Keywords: (none) => validated_update

Thomas Backlund
2020-02-21 22:09:29 CET
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0095.html

Status: NEW => RESOLVED
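As an added example (not part of the Mageia bug or the advisory above), here is a defender's check a DBA can run after applying the update: it lists every object that was marked with ALTER ... DEPENDS ON EXTENSION, flags those whose owner is not the extension owner, and confirms the running server is at or past the fixed versions named on this page. It assumes only the standard PostgreSQL system catalogs.

```sql
-- Audit query for the condition behind CVE-2020-1720 (added example, not from the
-- advisory). Objects marked with ALTER ... DEPENDS ON EXTENSION carry a pg_depend
-- row with deptype 'x' and are dropped along with the extension by DROP EXTENSION.
-- Before the fix such a marking did not require owning the object, so rows whose
-- object owner differs from the extension owner deserve a second look.
WITH ext_deps AS (
    SELECT d.classid, d.objid, d.objsubid, e.extname, e.extowner
    FROM pg_depend d
    JOIN pg_extension e
      ON d.refclassid = 'pg_extension'::regclass
     AND d.refobjid   = e.oid
    WHERE d.deptype = 'x'                       -- DEPENDENCY_AUTO_EXTENSION
)
SELECT x.extname,
       pg_get_userbyid(x.extowner)                                   AS extension_owner,
       (pg_identify_object(x.classid, x.objid, x.objsubid)).type     AS object_type,
       (pg_identify_object(x.classid, x.objid, x.objsubid)).identity AS object_identity,
       pg_get_userbyid(COALESCE(c.relowner, p.proowner, tc.relowner)) AS object_owner,
       COALESCE(c.relowner, p.proowner, tc.relowner)
           IS DISTINCT FROM x.extowner                               AS owner_differs
FROM ext_deps x
-- indexes and materialized views are relations in pg_class ...
LEFT JOIN pg_class   c  ON x.classid = 'pg_class'::regclass   AND c.oid = x.objid
-- ... functions and procedures are rows of pg_proc ...
LEFT JOIN pg_proc    p  ON x.classid = 'pg_proc'::regclass    AND p.oid = x.objid
-- ... and a trigger is owned through the table it is attached to
LEFT JOIN pg_trigger t  ON x.classid = 'pg_trigger'::regclass AND t.oid = x.objid
LEFT JOIN pg_class   tc ON tc.oid = t.tgrelid
ORDER BY owner_differs DESC, x.extname, object_identity;

-- Confirm the server runs a release containing the fix. Only the branches on this
-- page are covered (9.6.17 -> server_version_num 90617, 11.7 -> 110007); other
-- branches yield NULL rather than a guessed threshold.
SELECT current_setting('server_version') AS version,
       CASE
         WHEN current_setting('server_version_num')::int BETWEEN 90600 AND 90699
              THEN current_setting('server_version_num')::int >= 90617
         WHEN current_setting('server_version_num')::int BETWEEN 110000 AND 119999
              THEN current_setting('server_version_num')::int >= 110007
       END AS has_fix;
```

A row with owner_differs = true is not proof of abuse, since an extension owner may legitimately attach someone else's objects, but each such row should be explained before the next DROP EXTENSION.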