| Summary: | postgresql new security issue CVE-2022-41862 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, herman.viaene, joequant, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK MGA8-32-OK | ||
| Source RPM: | postgresql13, postgresql11 | CVE: | CVE-2022-41862 |
| Status comment: | |||
|
Description
David Walser
2023-02-09 17:33:23 CET
David Walser
2023-02-09 17:33:39 CET
Whiteboard: (none) => MGA8TOO

Assigning to the registered postgresql15 maintainer, CC'ing the registered postgresql13 maintainer.

CC: (none) => joequant, marja11

Suggested advisory:
========================

The updated packages fix some bugs and a security vulnerability, for postgresql13:

Client memory disclosure when connecting, with Kerberos, to modified server. (CVE-2022-41862)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41862
https://www.postgresql.org/about/news/postgresql-152-147-1310-1214-and-1119-released-2592/
========================

Updated packages in core/updates_testing:
========================
lib(64)pq5.11-11.19-1.mga8
lib(64)ecpg11_6-11.19-1.mga8
postgresql11-11.19-1.mga8
postgresql11-contrib-11.19-1.mga8
postgresql11-devel-11.19-1.mga8
postgresql11-docs-11.19-1.mga8
postgresql11-pl-11.19-1.mga8
postgresql11-plperl-11.19-1.mga8
postgresql11-plpgsql-11.19-1.mga8
postgresql11-plpython3-11.19-1.mga8
postgresql11-pltcl-11.19-1.mga8
postgresql11-server-11.19-1.mga8
lib(64)pq5-13.10-1.mga8
lib(64)ecpg13_6-13.10-1.mga8
postgresql13-13.10-1.mga8
postgresql13-contrib-13.10-1.mga8
postgresql13-devel-13.10-1.mga8
postgresql13-docs-13.10-1.mga8
postgresql13-pl-13.10-1.mga8
postgresql13-plperl-13.10-1.mga8
postgresql13-plpgsql-13.10-1.mga8
postgresql13-plpython3-13.10-1.mga8
postgresql13-pltcl-13.10-1.mga8
postgresql13-server-13.10-1.mga8

from SRPMS:
postgresql11-11.19-1.mga8.src.rpm
postgresql13-13.10-1.mga8.src.rpm

Status comment: Fixed upstream in 13.10 and 15.2 => (none)

MGA8-64 MATE on Acer Aspire 5253
Installation issue: on this laptop both versions 11 and 13 are installed since previous versions. Now when selecting the 11's I get:
"Sorry, the following package cannot be selected:
- postgresql11-pl-11.19-1.mga8.x86_64 (due to conflicts with postgresql13-plpgsql-13.10-1.mga8.x86_64)"

CC: (none) => herman.viaene

Hi,

I have verified that this is not a new behaviour: I got the same message even with postgresql11-pl-11.10-2.mga8 and postgresql13-plpgsql-13.1-4.mga8.

Best regards,

Nico.

Installed 13 and used pgadmin4 to delete a test database from previous tests, create a new one, create a table with an automatic filled primary key, a unique index on another column and a time stamp, entered some data, all works OK.
I did not test the 11 since I'm weary about running two versions on a single machine.

Never had 11 installed.

$ uname -a
Linux localhost 5.15.88-desktop-1.mga8 #1 SMP Sat Jan 14 15:00:41 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
The following 15 packages are going to be installed:
- lib64ecpg11_6-11.19-1.mga8.x86_64
- lib64openssl-devel-1.1.1q-1.mga8.x86_64
- lib64pq5.11-11.19-1.mga8.x86_64
- lib64zlib-devel-1.2.12-1.3.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- postgresql11-11.19-1.mga8.x86_64
- postgresql11-contrib-11.19-1.mga8.x86_64
- postgresql11-devel-11.19-1.mga8.x86_64
- postgresql11-docs-11.19-1.mga8.noarch
- postgresql11-pl-11.19-1.mga8.x86_64
- postgresql11-plperl-11.19-1.mga8.x86_64
- postgresql11-plpgsql-11.19-1.mga8.x86_64
- postgresql11-plpython3-11.19-1.mga8.x86_64
- postgresql11-pltcl-11.19-1.mga8.x86_64
- postgresql11-server-11.19-1.mga8.x86_64
started the service
# create database mageia8;
CREATE DATABASE
# create table mageia_versions (version varchar(25), available date);
CREATE TABLE
mageia8=# insert into mageia_versions values ('MGA1', '2011-06-01');
INSERT 0 1
mageia8=# insert into mageia_versions values ('MGA2', '2012-05-22');
INSERT 0 1
mageia8=# insert into mageia_versions values ('MGA3', '2013-05-19');
INSERT 0 1
mageia8=# create index mindex on mageia_versions(version);
CREATE INDEX
mageia8=# insert into mageia_versions values ('MGA4', '2014-02-1');
INSERT 0 1
mageia8=# insert into mageia_versions values ('MGA5', '2015-06-19');
INSERT 0 1
mageia8=# insert into mageia_versions values ('MGA5.1', '2016-12-2');
INSERT 0 1
# select * from mageia_versions;
version | available
---------+------------
MGA1 | 2011-06-01
MGA2 | 2012-05-22
MGA3 | 2013-05-19
MGA4 | 2014-02-01
MGA5 | 2015-06-19
MGA5.1 | 2016-12-02
mageia8=# insert into mageia_versions values ('test', '2023-2-22');
INSERT 0 1
mageia8=# select *
mageia8-# ;
ERROR: SELECT * with no tables specified is not valid
LINE 1: select *
^
mageia8=# select * from mageia_versions;
version | available
---------+------------
MGA1 | 2011-06-01
MGA2 | 2012-05-22
MGA3 | 2013-05-19
MGA4 | 2014-02-01
MGA5 | 2015-06-19
MGA5.1 | 2016-12-02
test | 2023-02-22
(7 rows)
mageia8=# delete from mageia_versions
mageia8-# where version = 'test';
DELETE 1
mageia8=# select * from mageia_versions;
version | available
---------+------------
MGA1 | 2011-06-01
MGA2 | 2012-05-22
MGA3 | 2013-05-19
MGA4 | 2014-02-01
MGA5 | 2015-06-19
MGA5.1 | 2016-12-02
(6 rows)
mageia8=# insert into mageia_versions values ('MGA6', '2017-7-16');
INSERT 0 1
mageia8=# insert into mageia_versions values ('MGA6.1', '2018-7-16');
INSERT 0 1
mageia8=# update mageia_versions set available = '2018-10-05'
mageia8-# where version = 'MGA6.1';
UPDATE 1
mageia8=# select * from mageia_versions;
version | available
---------+------------
MGA1 | 2011-06-01
MGA2 | 2012-05-22
MGA3 | 2013-05-19
MGA4 | 2014-02-01
MGA5 | 2015-06-19
MGA5.1 | 2016-12-02
MGA6 | 2017-07-16
MGA6.1 | 2018-10-05
(8 rows)
working for me in basic tests.

CC: (none) => brtians1

With the two versions tested, giving the OK.

Whiteboard: (none) => MGA8-64-OK

$ uname -a
Linux localhost.localdomain 5.15.88-desktop-1.mga8 #1 SMP Sat Jan 14 15:35:24 UTC 2023 i686 i686 i386 GNU/Linux
The following 15 packages are going to be installed:
- libecpg13_6-13.10-1.mga8.i586
- libopenssl-devel-1.1.1q-1.mga8.i586
- libpq5-13.10-1.mga8.i586
- libzlib-devel-1.2.12-1.3.mga8.i586
- multiarch-utils-1.0.14-3.mga8.noarch
- postgresql13-13.10-1.mga8.i586
- postgresql13-contrib-13.10-1.mga8.i586
- postgresql13-devel-13.10-1.mga8.i586
- postgresql13-docs-13.10-1.mga8.noarch
- postgresql13-pl-13.10-1.mga8.i586
- postgresql13-plperl-13.10-1.mga8.i586
- postgresql13-plpgsql-13.10-1.mga8.i586
- postgresql13-plpython3-13.10-1.mga8.i586
- postgresql13-pltcl-13.10-1.mga8.i586
- postgresql13-server-13.10-1.mga8.i586
started service
# su - postgres
[postgres@localhost ~]$ psql -versionexi
psql (13.10)
well it runs
------
postgres=# create database mageia
postgres-# ;
CREATE DATABASE
postgres=# \connect mageia
You are now connected to database "mageia" as user "postgres".
mageia=# create table mageia_versions;
ERROR: syntax error at or near ";"
LINE 1: create table mageia_versions;
^
mageia=# create table mageia_versions (version varchar(25), available date);
CREATE TABLE
mageia=#
seems to respond

Whiteboard: MGA8-64-OK => MGA8-64-OK MGA8-32-OK

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Dave Hodgins
2023-02-25 20:26:19 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0064.html

Resolution: (none) => FIXED |