| Summary: | postgresql new security issues CVE-2021-20229 and CVE-2021-3393 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, herman.viaene, joequant, mageia, nicolas.salguero, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7TOO MGA8-64-OK MGA7-64-OK | | |
| Source RPM: | postgresql9.6, postgresql11, postgresql13 | CVE: | CVE-2021-20229, CVE-2021-3393 |
| Status comment: | | | |

Description
Nicolas Salguero 2021-02-18 12:02:09 CET

Nicolas Salguero 2021-02-18 12:02:52 CET

Various packagers are involved, who are CC'd while nominally assigning this globally.

Whiteboard: (none) => MGA8TOO, MGA7TOO
Assignee: bugsquad => pkg-bugs
Marc Krämer 2021-02-19 12:53:00 CET
CC: mageia => (none)

Ubuntu has issued an advisory for this on February 15:
https://ubuntu.com/security/notices/USN-4735-1

Severity: normal => major

src:
- mageia 7
  - postgresql9.6-9.6.21-1.mga7
  - postgresql11-11.11-1.mga7
- mageia 8
  - postgresql11-11.11-1.mga8
  - postgresql13-13.2-1.mga8

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

RPMS list:
postgresql9.6-9.6.21-1.mga7
libpq5.9-9.6.21-1.mga7
libecpg9.6_6-9.6.21-1.mga7
postgresql9.6-server-9.6.21-1.mga7
postgresql9.6-docs-9.6.21-1.mga7
postgresql9.6-contrib-9.6.21-1.mga7
postgresql9.6-devel-9.6.21-1.mga7
postgresql9.6-pl-9.6.21-1.mga7
postgresql9.6-plpython-9.6.21-1.mga7
postgresql9.6-plperl-9.6.21-1.mga7
postgresql9.6-pltcl-9.6.21-1.mga7
postgresql9.6-plpgsql-9.6.21-1.mga7
postgresql11-11.11-1.mga7
libpq5-11.11-1.mga7
libecpg11_6-11.11-1.mga7
postgresql11-server-11.11-1.mga7
postgresql11-docs-11.11-1.mga7
postgresql11-contrib-11.11-1.mga7
postgresql11-devel-11.11-1.mga7
postgresql11-pl-11.11-1.mga7
postgresql11-plpython-11.11-1.mga7
postgresql11-plpython3-11.11-1.mga7
postgresql11-plperl-11.11-1.mga7
postgresql11-pltcl-11.11-1.mga7
postgresql11-plpgsql-11.11-1.mga7
postgresql11-docs-11.11-1.mga8
postgresql11-11.11-1.mga8
postgresql11-devel-11.11-1.mga8
postgresql11-contrib-11.11-1.mga8
libpq5.11-11.11-1.mga8
postgresql11-plpgsql-11.11-1.mga8
libecpg11_6-11.11-1.mga8
postgresql11-plpython3-11.11-1.mga8
postgresql11-server-11.11-1.mga8
postgresql11-pl-11.11-1.mga8
postgresql11-pltcl-11.11-1.mga8
postgresql11-plperl-11.11-1.mga8
postgresql13-docs-13.2-1.mga8
postgresql13-13.2-1.mga8
postgresql13-devel-13.2-1.mga8
postgresql13-contrib-13.2-1.mga8
postgresql13-server-13.2-1.mga8
libpq5-13.2-1.mga8
libecpg13_6-13.2-1.mga8
postgresql13-plpgsql-13.2-1.mga8
postgresql13-plpython3-13.2-1.mga8
postgresql13-plperl-13.2-1.mga8
postgresql13-pl-13.2-1.mga8
postgresql13-pltcl-13.2-1.mga8

Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

A user having an UPDATE privilege on a partitioned table but lacking the SELECT privilege on some column may be able to acquire denied-column values from an error message (CVE-2021-3393).

A user having a SELECT privilege on an individual column can craft a special query that returns all columns of the table. Additionally, a stored view that uses column-level privileges will have incomplete column-usage bitmaps. In installations that depend on column-level permissions for security, it is recommended to execute CREATE OR REPLACE on all user-defined views to force them to be re-parsed (CVE-2021-20229).

PostgreSQL 11 was only affected by CVE-2021-3393 and both PostgreSQL 11 and 13 were affected by CVE-2021-20229. PostgreSQL 9.6 was updated to fix bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3393
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20229
https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/

MGA7-64 MATE on Peaq C1011
No installation issues for 9.6
# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
Active: inactive (dead)
# systemctl -l start postgresql
# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2021-03-04 16:10:15 CET; 6s ago
Process: 12435 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (code=exited, status=0/SUCCESS)
Process: 12450 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPORT} -w -t 300 (code=exited, status=0/SUCCESS)
Main PID: 12452 (postgres)
Tasks: 6 (limit: 2285)
Memory: 70.0M
CGroup: /system.slice/postgresql.service
├─12452 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
├─12455 postgres: checkpointer process
├─12456 postgres: writer process
├─12457 postgres: wal writer process
├─12458 postgres: autovacuum launcher process
└─12459 postgres: stats collector process
Mar 04 16:10:09 mach7.hviaene.thuis systemd[1]: Starting PostgreSQL database server...
Mar 04 16:10:14 mach7.hviaene.thuis pg_ctl[12450]: LOG: database system was shut down at 2021-03-04 16:10:13 CET
Mar 04 16:10:14 mach7.hviaene.thuis pg_ctl[12450]: LOG: MultiXact member wraparound protections are now enabled
Mar 04 16:10:14 mach7.hviaene.thuis pg_ctl[12450]: LOG: database system is ready to accept connections
Mar 04 16:10:14 mach7.hviaene.thuis pg_ctl[12450]: LOG: autovacuum launcher started
Mar 04 16:10:15 mach7.hviaene.thuis systemd[1]: Started PostgreSQL database server.
Continuing testing ......
CC: (none) => herman.viaene

Using pgadmin3, I have been able to connect to localhost, create a new database, a fingertrouble!!!! Continuing create a new schema, create a new table with four columns with a PK and an index. Looks good for this version. Will try upgrading to version 11.

Installed version 11, this bumps out most - or all of the 9.6 packages.
This stops the database, and restarting fails with error
pg_ctl[17013]: /usr/bin/pg_ctl: error while loading shared libraries: libpq.so.5.9: cannot open shared object file: No such file or directory
This file is from a 9.6 package, reinstalling lib64pq5.9 solves the problem.
# systemctl -l start postgresql
# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2021-03-04 17:10:16 CET; 12s ago
Process: 17342 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (code=exited, status=0/SUCCESS)
Process: 17343 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPORT} -w -t 300 (code=exited, status=0/SUCCESS)
Main PID: 17346 (postgres)
Tasks: 6 (limit: 2285)
Memory: 14.7M
Once there I could open the database created with 9.6, delete the table, schema and database. And create new ones.
This problem could occur on a fresh install of version 11, as removing this package again does not seem to harm the database manipulation in pgadmin3, but the database cannot be restarted afterwards.
Otherwise the database is OK.
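The advisory in this bug (Comment 5) recommends executing CREATE OR REPLACE on all user-defined views after the CVE-2021-20229 fix so that their column-usage bitmaps are rebuilt. The script below is an added example from the editor, not code from the bug report, from Mageia or from the PostgreSQL project. It sets up a constructed table protected only by column-level privileges (schema `app`, table `customers`, role `analyst` are assumed names), then re-parses every non-catalog view with its own stored definition and checks that the column grants are unchanged. It is meant to be run with psql as a superuser after the updated packages are installed.

```sql
-- Added example: remediation for CVE-2021-20229 as recommended in the
-- Mageia advisory (re-parse all user-defined views). Not part of the bug
-- report or of PostgreSQL's own tooling. Names app, customers and analyst
-- are constructed for this example.

-- 1. A table whose protection relies on column-level privileges:
--    the analyst role may read name and city, but not email.
CREATE SCHEMA IF NOT EXISTS app;
CREATE TABLE IF NOT EXISTS app.customers (
    id    serial PRIMARY KEY,
    name  text NOT NULL,
    email text NOT NULL,
    city  text
);
INSERT INTO app.customers (name, email, city)
VALUES ('Alice', 'alice@example.test', 'Ghent');

DO $$
BEGIN
    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'analyst') THEN
        CREATE ROLE analyst NOLOGIN;
    END IF;
END $$;
GRANT USAGE ON SCHEMA app TO analyst;
GRANT SELECT (name, city) ON app.customers TO analyst;

-- A stored view of the kind the advisory is about: its column-usage
-- bitmap was computed when the view was created, not when it is queried.
CREATE OR REPLACE VIEW app.customers_by_city
  WITH (security_barrier = true) AS
  SELECT name, city FROM app.customers;

-- 2. Remediation: CREATE OR REPLACE every non-catalog view using the
--    definition PostgreSQL has stored for it. The view's existing
--    reloptions (security_barrier, check_option) are re-applied, because a
--    CREATE OR REPLACE VIEW without a WITH clause replaces them with an
--    empty set. Ownership and grants are preserved by CREATE OR REPLACE
--    VIEW itself.
DO $$
DECLARE
    v    record;
    opts text;
BEGIN
    FOR v IN
        SELECT n.nspname  AS schema_name,
               c.relname  AS view_name,
               c.oid      AS view_oid,
               c.reloptions
        FROM pg_class c
        JOIN pg_namespace n ON n.oid = c.relnamespace
        WHERE c.relkind = 'v'
          AND n.nspname NOT IN ('pg_catalog', 'information_schema')
          AND n.nspname NOT LIKE 'pg_toast%'
    LOOP
        opts := CASE
                    WHEN v.reloptions IS NULL THEN ''
                    ELSE ' WITH (' || array_to_string(v.reloptions, ', ') || ')'
                END;
        -- pg_get_viewdef() returns the SELECT with a trailing semicolon,
        -- which is stripped before embedding it in the statement.
        EXECUTE format('CREATE OR REPLACE VIEW %I.%I%s AS %s',
                       v.schema_name, v.view_name, opts,
                       rtrim(pg_get_viewdef(v.view_oid, true), ';'));
        RAISE NOTICE 're-parsed view %.%', v.schema_name, v.view_name;
    END LOOP;
END $$;

-- 3. Check that the column-level grants survived the re-parse: the analyst
--    role keeps SELECT on name and still has no SELECT on email.
SELECT has_column_privilege('analyst', 'app.customers', 'name',  'SELECT') AS name_select,
       has_column_privilege('analyst', 'app.customers', 'email', 'SELECT') AS email_select;
```

The final query reports true for `name_select` and false for `email_select`; the NOTICE lines list every view that was re-parsed, which is a convenient record to keep with the upgrade ticket. Re-applying `reloptions` is the detail most scripts of this kind miss: without it a `security_barrier` view silently loses that property when replaced.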
MGA7 - Vbox
$ uname -a
Linux linux.local 5.10.19-desktop-1.mga7 #1 SMP Fri Feb 26 23:48:09 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
The following 12 packages are going to be installed:
- lib64ecpg9.6_6-9.6.21-1.mga7.x86_64
- lib64pq5.9-9.6.21-1.mga7.x86_64
- postgresql9.6-9.6.21-1.mga7.x86_64
- postgresql9.6-contrib-9.6.21-1.mga7.x86_64
- postgresql9.6-devel-9.6.21-1.mga7.x86_64
- postgresql9.6-docs-9.6.21-1.mga7.noarch
- postgresql9.6-pl-9.6.21-1.mga7.x86_64
- postgresql9.6-plperl-9.6.21-1.mga7.x86_64
- postgresql9.6-plpgsql-9.6.21-1.mga7.x86_64
- postgresql9.6-plpython-9.6.21-1.mga7.x86_64
- postgresql9.6-pltcl-9.6.21-1.mga7.x86_64
- postgresql9.6-server-9.6.21-1.mga7.x86_64
Using command line psql I was able to create user, create database, create table, insert data and select data.
postgres=# create database mydb;
postgres=# create user test with password 'xx';
postgres=# grant all privileges on database mydb to test;
postgres=# \q
now as user test I can connect to mydb using the command:
$ psql mydb
mydb=> create table if not exists books (
book_name varchar(255),
pages integer);
mydb=> insert into books values ('Delta-V', 355);
mydb=> select * from books;
mydb=> create index bindex on books (book_name);
to describe the table
mydb=> \d books
update and delete worked as well.
mydb=> \q to quit
works for me.
Seems to work for me.
CC: (none) => brtians1

MGA8 64bit gnome
$ uname -a
Linux localhost 5.10.20-desktop-2.mga8 #1 SMP Fri Mar 5 18:23:13 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
The following 15 packages are going to be installed:
- lib64ecpg13_6-13.2-1.mga8.x86_64
- lib64openssl-devel-1.1.1j-1.mga8.x86_64
- lib64pq5-13.2-1.mga8.x86_64
- lib64zlib-devel-1.2.11-9.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- postgresql13-13.2-1.mga8.x86_64
- postgresql13-contrib-13.2-1.mga8.x86_64
- postgresql13-devel-13.2-1.mga8.x86_64
- postgresql13-docs-13.2-1.mga8.noarch
- postgresql13-pl-13.2-1.mga8.x86_64
- postgresql13-plperl-13.2-1.mga8.x86_64
- postgresql13-plpgsql-13.2-1.mga8.x86_64
- postgresql13-plpython3-13.2-1.mga8.x86_64
- postgresql13-pltcl-13.2-1.mga8.x86_64
- postgresql13-server-13.2-1.mga8.x86_64
--
I started services, repeated test, system working as best I can tell.

Herman - anything hold this up for approval?

no additional comments

updating MGA8 and MGA7 as Herman and I tested both
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK MGA7-64-OK

Validating. Advisory in Comment 5.
CC: (none) => andrewsfarm, sysadmin-bugs

Advisory committed to svn.
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0121.html
Status: NEW => RESOLVED