| Summary: | postgresql new security issues CVE-2021-23214 and CVE-2021-23222 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | postgresql11-11.13-1.mga8.src.rpm, postgresql13-13.4-1.mga8.src.rpm | CVE: | CVE-2021-23214, CVE-2021-23222 |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 29681 | | |
Description
David Walser
2021-11-12 21:35:40 CET
David Walser
2021-11-12 21:35:50 CET
Whiteboard: (none) => MGA8TOO

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Server processes unencrypted bytes from man-in-the-middle. (CVE-2021-23214)

libpq processes unencrypted bytes from man-in-the-middle. (CVE-2021-23222)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23222
https://www.postgresql.org/about/news/postgresql-141-135-129-1114-1019-and-9624-released-2349/
========================

Updated packages in core/updates_testing:
========================
lib(64)pq5.11-11.14-1.mga8
lib(64)ecpg11_6-11.14-1.mga8
postgresql11-11.14-1.mga8
postgresql11-contrib-11.14-1.mga8
postgresql11-devel-11.14-1.mga8
postgresql11-docs-11.14-1.mga8
postgresql11-pl-11.14-1.mga8
postgresql11-plperl-11.14-1.mga8
postgresql11-plpgsql-11.14-1.mga8
postgresql11-plpython3-11.14-1.mga8
postgresql11-pltcl-11.14-1.mga8
postgresql11-server-11.14-1.mga8
lib(64)pq5-13.5-1.mga8
lib(64)ecpg13_6-13.5-1.mga8
postgresql13-13.5-1.mga8
postgresql13-contrib-13.5-1.mga8
postgresql13-devel-13.5-1.mga8
postgresql13-docs-13.5-1.mga8
postgresql13-pl-13.5-1.mga8
postgresql13-plperl-13.5-1.mga8
postgresql13-plpgsql-13.5-1.mga8
postgresql13-plpython3-13.5-1.mga8
postgresql13-pltcl-13.5-1.mga8
postgresql13-server-13.5-1.mga8

from SRPMS:
postgresql11-11.14-1.mga8.src.rpm
postgresql13-13.5-1.mga8.src.rpm

CVE: (none) => CVE-2021-23214, CVE-2021-23222

MGA8-64 Plasma on Lenovo B50
Installed first 11 version without problems
Replicated test from bug 29369 Comment 4 without problems
Removing version 11 and installing 13, to be continued.

CC: (none) => herman.viaene

Repeated test for version 13 with same OK results.
Marja Van Waes
2021-11-23 21:50:05 CET
Blocks: (none) => 29681

With postgresql11, as reported in bug 29681 ...
php-pgsql-8.0.13-1.mga8.i586 (due to unsatisfied postgresql-libs[>= 13.5])

That's after installing the updated postgresql11 from this report using qarepo.

Either php-pgsql has to be fixed to work with postgresql11, or as a workaround, postgresql11 needs to add a provides that works with php-pgsql.

Adding feedback tag till a decision is reached.

Whiteboard: (none) => feedback

php-pgsql works with 13, not 11. Also it's part of php, not postgresql. We only have 11 packaged to support migration from Mageia 7.

Whiteboard: feedback => (none)

In that case, validating the update. Both 11 and 13 install cleanly over the prior versions and the service restarts ok.

Actually validating.

Keywords: (none) => validated_update
Dave Hodgins
2021-11-25 05:27:55 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0523.html

Resolution: (none) => FIXED