| Summary: | postgresql new security issues CVE-2021-3202[7-9] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, mageia, nicolas.salguero, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | | |
| Source RPM: | postgresql9.6, postgresql11, postgresql13 | CVE: | CVE-2021-3202[7-9] |
| Status comment: | | | |
|
Description
David Walser
2021-05-15 03:01:23 CEST
David Walser
2021-05-15 03:01:32 CEST
Whiteboard:
(none) =>
MGA8TOO, MGA7TOO

These 3 SRPMs have mixed maintainers, so assigning this update globally. CC'ing Marc who deals with some of them.

CC:
(none) =>
mageia

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Buffer overrun from integer overflow in array subscripting calculations. (CVE-2021-32027)

Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE. (CVE-2021-32028)

Memory disclosure in partitioned-table UPDATE ... RETURNING. (CVE-2021-32029)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32027
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32028
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32029
https://www.postgresql.org/about/news/postgresql-133-127-1112-1017-and-9622-released-2210/
========================

Updated packages in 7/core/updates_testing:
========================
postgresql9.6-9.6.22-1.mga7
lib(64)pq5.9-9.6.22-1.mga7
lib(64)ecpg9.6_6-9.6.22-1.mga7
postgresql9.6-server-9.6.22-1.mga7
postgresql9.6-docs-9.6.22-1.mga7
postgresql9.6-contrib-9.6.22-1.mga7
postgresql9.6-devel-9.6.22-1.mga7
postgresql9.6-pl-9.6.22-1.mga7
postgresql9.6-plpython-9.6.22-1.mga7
postgresql9.6-plperl-9.6.22-1.mga7
postgresql9.6-pltcl-9.6.22-1.mga7
postgresql9.6-plpgsql-9.6.22-1.mga7
postgresql11-11.12-1.mga7
lib(64)pq5-11.12-1.mga7
lib(64)ecpg11_6-11.12-1.mga7
postgresql11-server-11.12-1.mga7
postgresql11-docs-11.12-1.mga7
postgresql11-contrib-11.12-1.mga7
postgresql11-devel-11.12-1.mga7
postgresql11-pl-11.12-1.mga7
postgresql11-plpython-11.12-1.mga7
postgresql11-plpython3-11.12-1.mga7
postgresql11-plperl-11.12-1.mga7
postgresql11-pltcl-11.12-1.mga7
postgresql11-plpgsql-11.12-1.mga7

from SRPMS:
postgresql9.6-9.6.22-1.mga7.src.rpm
postgresql11-11.12-1.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
postgresql11-pl-11.12-1.mga8
postgresql11-pltcl-11.12-1.mga8
postgresql11-plperl-11.12-1.mga8
postgresql11-plpgsql-11.12-1.mga8
postgresql11-plpython3-11.12-1.mga8
lib(64)ecpg11_6-11.12-1.mga8
lib(64)pq5.11-11.12-1.mga8
postgresql11-contrib-11.12-1.mga8
postgresql11-11.12-1.mga8
postgresql11-devel-11.12-1.mga8
postgresql11-docs-11.12-1.mga8
postgresql11-server-11.12-1.mga8
postgresql13-13.3-1.mga8
postgresql13-contrib-13.3-1.mga8
lib(64)ecpg13_6-13.3-1.mga8
lib(64)pq5-13.3-1.mga8
postgresql13-plpgsql-13.3-1.mga8
postgresql13-plpython3-13.3-1.mga8
postgresql13-plperl-13.3-1.mga8
postgresql13-pl-13.3-1.mga8
postgresql13-pltcl-13.3-1.mga8
postgresql13-devel-13.3-1.mga8
postgresql13-docs-13.3-1.mga8
postgresql13-server-13.3-1.mga8

from SRPMS:
postgresql11-11.12-1.mga8.src.rpm
postgresql13-13.3-1.mga8.src.rpm

Assignee:
pkg-bugs =>
qa-bugs

MGA7

The following 12 packages are going to be installed:

- lib64ecpg9.6_6-9.6.22-1.mga7.x86_64
- lib64pq5.9-9.6.22-1.mga7.x86_64
- postgresql9.6-9.6.22-1.mga7.x86_64
- postgresql9.6-contrib-9.6.22-1.mga7.x86_64
- postgresql9.6-devel-9.6.22-1.mga7.x86_64
- postgresql9.6-docs-9.6.22-1.mga7.noarch
- postgresql9.6-pl-9.6.22-1.mga7.x86_64
- postgresql9.6-plperl-9.6.22-1.mga7.x86_64
- postgresql9.6-plpgsql-9.6.22-1.mga7.x86_64
- postgresql9.6-plpython-9.6.22-1.mga7.x86_64
- postgresql9.6-pltcl-9.6.22-1.mga7.x86_64
- postgresql9.6-server-9.6.22-1.mga7.x86_64

-- started service
-- created table
inserted values
selected values

seems to work for 9.6

CC:
(none) =>
brtians1

The following 13 packages are going to be installed:

- lib64ecpg11_6-11.12-1.mga7.x86_64
- lib64pq5-11.12-1.mga7.x86_64
- postgresql11-11.12-1.mga7.x86_64
- postgresql11-contrib-11.12-1.mga7.x86_64
- postgresql11-devel-11.12-1.mga7.x86_64
- postgresql11-docs-11.12-1.mga7.noarch
- postgresql11-pl-11.12-1.mga7.x86_64
- postgresql11-plperl-11.12-1.mga7.x86_64
- postgresql11-plpgsql-11.12-1.mga7.x86_64
- postgresql11-plpython-11.12-1.mga7.x86_64
- postgresql11-plpython3-11.12-1.mga7.x86_64
- postgresql11-pltcl-11.12-1.mga7.x86_64
- postgresql11-server-11.12-1.mga7.x86_64

-- started postgresql in services
sit back and have a cuppa tea while it builds base

-----

created table
inserted lines
select rows
updated rows
selected rows
created index

works for me.

Whiteboard:
MGA7TOO =>
MGA7TOO MGA7-64-OK

MGA8

The following 15 packages are going to be installed:

- lib64ecpg11_6-11.12-1.mga8.x86_64
- lib64openssl-devel-1.1.1k-1.mga8.x86_64
- lib64pq5.11-11.12-1.mga8.x86_64
- lib64zlib-devel-1.2.11-9.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- postgresql11-11.12-1.mga8.x86_64
- postgresql11-contrib-11.12-1.mga8.x86_64
- postgresql11-devel-11.12-1.mga8.x86_64
- postgresql11-docs-11.12-1.mga8.noarch
- postgresql11-pl-11.12-1.mga8.x86_64
- postgresql11-plperl-11.12-1.mga8.x86_64
- postgresql11-plpgsql-11.12-1.mga8.x86_64
- postgresql11-plpython3-11.12-1.mga8.x86_64
- postgresql11-pltcl-11.12-1.mga8.x86_64
- postgresql11-server-11.12-1.mga8.x86_64

--- started the postgres service
--- installed nextcloud 20 and set up apache-php-mod
started httpd service
--- was able to set up nextcloud with postgresql without any issues.

Working as designed for

The following 15 packages are going to be installed:

- lib64ecpg13_6-13.3-1.mga8.x86_64
- lib64openssl-devel-1.1.1k-1.mga8.x86_64
- lib64pq5-13.3-1.mga8.x86_64
- lib64zlib-devel-1.2.11-9.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- postgresql13-13.3-1.mga8.x86_64
- postgresql13-contrib-13.3-1.mga8.x86_64
- postgresql13-devel-13.3-1.mga8.x86_64
- postgresql13-docs-13.3-1.mga8.noarch
- postgresql13-pl-13.3-1.mga8.x86_64
- postgresql13-plperl-13.3-1.mga8.x86_64
- postgresql13-plpgsql-13.3-1.mga8.x86_64
- postgresql13-plpython3-13.3-1.mga8.x86_64
- postgresql13-pltcl-13.3-1.mga8.x86_64
- postgresql13-server-13.3-1.mga8.x86_64

--- repeated the same process for postgresql 11. This was a new install as well.

Working as designed.

Upgraded from Postgresql 11 to 13 by installation only.

- stopped postgres service
- ran install of postgresql13.3.1 packages
- resumed services

system is working. testing a reboot before finalizing approval.

system remained functional, but I think still running 11.12, which is okay. At least it didn't damage things.
I've tested

9.6 - mga7
11.12 - mga7
11.12 - mga8
13.3 - mga8

All of them are working and functioning. approving this to be pushed.

Whiteboard:
MGA7TOO MGA7-64-OK =>
MGA7TOO MGA7-64-OK MGA8-64-OK

$ uname -a
Linux localhost 5.10.37-desktop-2.mga8 #1 SMP Mon May 17 17:47:02 UTC 2021 i686 i686 i386 GNU/Linux

installed postgres13 and confirmed it is working.

created table
insert
update
select

working for me.

Thanks for all that, Brian. Validating. Advisory in Comment 2.

Keywords:
(none) =>
validated_update
Aurelien Oudelet
2021-05-23 16:34:47 CEST
CC:
(none) =>
ouaurelien

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0221.html

Status:
ASSIGNED =>
RESOLVED |