Bug 27017

Summary: postgresql-jdbc new security issue CVE-2020-13692
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, brtians1, davidwhodgins, herman.viaene, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: postgresql-jdbc-42.2.5-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-07-29 21:14:36 CEST 
RedHat has issued an advisory on July 28:
https://access.redhat.com/errata/RHSA-2020:3176

The issue is fixed upstream in 42.2.13.

Cauldron has been updated.

Fedora backported a patch to 42.2.12, but it doesn't apply to 42.2.5:
https://src.fedoraproject.org/rpms/postgresql-jdbc/c/d23878b27a45138f1b5ed3bfbd51b99060b59551?branch=master
Comment 1 David Walser 2020-07-29 21:16:24 CEST 
RHEL8 patched 42.2.3 in the advisory in Comment 0.  It does apply:
https://git.centos.org/rpms/postgresql-jdbc/c/50b54c6ba11f28b6dfa39c373a00789dcbdf54b2?branch=c8
Comment 2 David Walser 2020-07-29 21:22:33 CEST 
Advisory:
========================

Updated postgresql-jdbc packages fix security vulnerability:

XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13692
https://access.redhat.com/errata/RHSA-2020:3176
========================

Updated packages in core/updates_testing:
========================
postgresql-jdbc-42.2.5-1.1.mga7
postgresql-jdbc-javadoc-42.2.5-1.1.mga7

from postgresql-jdbc-42.2.5-1.1.mga7.src.rpm

Assignee: java => qa-bugs

Comment 3 David Walser 2020-07-29 21:22:53 CEST 
Full details of this vulnerability are here:
https://blog.daviddworken.com/posts/pgjdbc-xxe/
Comment 4 Herman Viaene 2020-08-03 11:08:15 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Trying to make a connection to postgres running on my desktop PC, but I don't feel like installing a full java development configuration.
Trying to make a libreoffice connection, but I am not sure this would be using then package?

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2020-08-03 12:23:15 CEST 
Got the libreoffice connection working, but it does not use anything of the files under test.
Giving up on clean install.
Comment 6 Brian Rockwell 2020-08-05 05:33:32 CEST 
- Set up Postgresql 11 server on a VM
- wrote a short test piece of code in java and compiled it.

 java -cp .:/usr/share/java/postgresql-jdbc.jar postMain
Connected to the PostgreSQL server successfully.
row count3


Ran it before and after the update.  In both cases the jdbc driver was working.  I did not test the vulnerability as that is a bit more indepth than I have bandwidth for.

Works for me.

CC: (none) => brtians1
Whiteboard: (none) => MGA7-64-OK

Comment 7 Thomas Andrews 2020-08-11 02:00:31 CEST 
We'll go with it. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2020-08-18 16:56:03 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2020-08-18 19:42:53 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0319.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED