| Summary: | postgresql new security issues CVE-2023-3941[78] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, nicolas.salguero, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8TOO MGA8-64-OK MGA9-64-OK MGA9-32-OK | | |
| Source RPM: | postgresql15, postgresql13, postgresql11 | CVE: | |
| Status comment: | | | |

Description
Nicolas Salguero
2023-09-04 16:44:10 CEST
Nicolas Salguero
2023-09-04 16:44:40 CEST
Source RPM:
(none) =>
postgresql15, postgresql13, postgresql11

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Extension script @substitutions@ within quoting allow SQL injection. (CVE-2023-39417)

MERGE fails to enforce UPDATE or SELECT row security policies. (CVE-2023-39418)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39417
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39418
https://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/
========================

Updated packages in 8/core/updates_testing:
========================
lib(64)ecpg13_6-13.12-1.mga8
lib(64)pq5-13.12-1.mga8
postgresql13-13.12-1.mga8
postgresql13-contrib-13.12-1.mga8
postgresql13-devel-13.12-1.mga8
postgresql13-docs-13.12-1.mga8
postgresql13-pl-13.12-1.mga8
postgresql13-plperl-13.12-1.mga8
postgresql13-plpgsql-13.12-1.mga8
postgresql13-plpython3-13.12-1.mga8
postgresql13-pltcl-13.12-1.mga8
postgresql13-server-13.12-1.mga8
lib(64)ecpg11_6-11.21-1.mga8
lib(64)pq5.11-11.21-1.mga8
postgresql11-11.21-1.mga8
postgresql11-contrib-11.21-1.mga8
postgresql11-devel-11.21-1.mga8
postgresql11-docs-11.21-1.mga8
postgresql11-pl-11.21-1.mga8
postgresql11-plperl-11.21-1.mga8
postgresql11-plpgsql-11.21-1.mga8
postgresql11-plpython3-11.21-1.mga8
postgresql11-pltcl-11.21-1.mga8
postgresql11-server-11.21-1.mga8

from SRPMS:
postgresql13-13.12-1.mga8.src.rpm
postgresql11-11.21-1.mga8.src.rpm

Updated packages in 9/core/updates_testing:
========================
lib(64)ecpg15_6-15.4-1.mga9
lib(64)pq5-15.4-1.mga9
postgresql15-15.4-1.mga9
postgresql15-contrib-15.4-1.mga9
postgresql15-devel-15.4-1.mga9
postgresql15-docs-15.4-1.mga9
postgresql15-pl-15.4-1.mga9
postgresql15-plperl-15.4-1.mga9
postgresql15-plpgsql-15.4-1.mga9
postgresql15-plpython3-15.4-1.mga9
postgresql15-pltcl-15.4-1.mga9
postgresql15-server-15.4-1.mga9
lib(64)ecpg13_6-13.12-1.mga9
lib(64)pq5.13-13.12-1.mga9
postgresql13-13.12-1.mga9
postgresql13-contrib-13.12-1.mga9
postgresql13-devel-13.12-1.mga9
postgresql13-docs-13.12-1.mga9
postgresql13-pl-13.12-1.mga9
postgresql13-plperl-13.12-1.mga9
postgresql13-plpgsql-13.12-1.mga9
postgresql13-plpython3-13.12-1.mga9
postgresql13-pltcl-13.12-1.mga9
postgresql13-server-13.12-1.mga9

from SRPMS:
postgresql15-15.4-1.mga9.src.rpm
postgresql13-13.12-1.mga9.src.rpm

Assignee:
nicolas.salguero =>
qa-bugs

MGA9-64, Gnome, Nextcloud, Intel (legacy)
This is an upgrade from 15.3
The following 4 packages are going to be installed:
- lib64pq5-15.4-1.mga9.x86_64
- postgresql15-15.4-1.mga9.x86_64
- postgresql15-plpgsql-15.4-1.mga9.x86_64
- postgresql15-server-15.4-1.mga9.x86_64
77KB of additional disk space will be used.
rebooted
Nextcloud working

CC:
(none) =>
brtians1

Fresh install MGA8-64, Mate
The following 17 packages are going to be installed:
- lib64ecpg11_6-11.21-1.mga8.x86_64
- lib64openssl-devel-1.1.1v-1.mga8.x86_64
- lib64openssl1.1-1.1.1v-1.mga8.x86_64
- lib64pq5.11-11.21-1.mga8.x86_64
- lib64zlib-devel-1.2.12-1.3.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- openssl-1.1.1v-1.mga8.x86_64
- postgresql11-11.21-1.mga8.x86_64
- postgresql11-contrib-11.21-1.mga8.x86_64
- postgresql11-devel-11.21-1.mga8.x86_64
- postgresql11-docs-11.21-1.mga8.noarch
- postgresql11-pl-11.21-1.mga8.x86_64
- postgresql11-plperl-11.21-1.mga8.x86_64
- postgresql11-plpgsql-11.21-1.mga8.x86_64
- postgresql11-plpython3-11.21-1.mga8.x86_64
- postgresql11-pltcl-11.21-1.mga8.x86_64
- postgresql11-server-11.21-1.mga8.x86_64
81MB of additional disk space will be used.
started service
su into postgres ID
psql
create database mageia;
\c mageia;
create table mag_versions (name varchar(12), cr_date date);
insert into mag_versions values ('9', '26-Aug-2023');
insert into mag_versions values ('8', '2-Feb-2021');
select * from mag_versions;
name | cr_date
------+------------
9 | 2023-08-26
8 | 2021-02-02
(2 rows)
create index magidx on mag_versions(name);
\quit
All of these commands are working.
Works for me
MGA8-64
New build
The following 17 packages are going to be installed:
- lib64ecpg13_6-13.12-1.mga8.x86_64
- lib64openssl-devel-1.1.1v-1.mga8.x86_64
- lib64openssl1.1-1.1.1v-1.mga8.x86_64
- lib64pq5-13.12-1.mga8.x86_64
- lib64zlib-devel-1.2.12-1.3.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- openssl-1.1.1v-1.mga8.x86_64
- postgresql13-13.12-1.mga8.x86_64
- postgresql13-contrib-13.12-1.mga8.x86_64
- postgresql13-devel-13.12-1.mga8.x86_64
- postgresql13-docs-13.12-1.mga8.noarch
- postgresql13-pl-13.12-1.mga8.x86_64
- postgresql13-plperl-13.12-1.mga8.x86_64
- postgresql13-plpgsql-13.12-1.mga8.x86_64
- postgresql13-plpython3-13.12-1.mga8.x86_64
- postgresql13-pltcl-13.12-1.mga8.x86_64
- postgresql13-server-13.12-1.mga8.x86_64
86MB of additional disk space will be used.
started service
psql
postgres=# create database mageia;
CREATE DATABASE
postgres=# \c mageia;
You are now connected to database "mageia" as user "postgres".
mageia=# create table mag_versions (name varchar(12), cr_date date);
CREATE TABLE
mageia=# insert into mag_versions values ('9', '26-Aug-2023');
INSERT 0 1
mageia=# insert into mag_versions values ('8', '2-May-2021');
INSERT 0 1
mageia=# create index magidx on mag_versions(name);
CREATE INDEX
mageia=# select * from mag_versions;
name | cr_date
------+------------
9 | 2023-08-26
8 | 2021-05-02
(2 rows)
working as expected
Brian Rockwell
2023-09-07 04:01:14 CEST
Whiteboard:
MGA8TOO =>
MGA8TOO MGA8-64-OK

MGA9-64
The following 17 packages are going to be installed:
- lib64ecpg13_6-13.12-1.mga9.x86_64
- lib64openssl-devel-3.0.10-1.mga9.x86_64
- lib64openssl3-3.0.10-1.mga9.x86_64
- lib64pq5.13-13.12-1.mga9.x86_64
- lib64zlib-devel-1.2.13-1.mga9.x86_64
- multiarch-utils-1.0.15-1.mga9.noarch
- openssl-3.0.10-1.mga9.x86_64
- postgresql13-13.12-1.mga9.x86_64
- postgresql13-contrib-13.12-1.mga9.x86_64
- postgresql13-devel-13.12-1.mga9.x86_64
- postgresql13-docs-13.12-1.mga9.noarch
- postgresql13-pl-13.12-1.mga9.x86_64
- postgresql13-plperl-13.12-1.mga9.x86_64
- postgresql13-plpgsql-13.12-1.mga9.x86_64
- postgresql13-plpython3-13.12-1.mga9.x86_64
- postgresql13-pltcl-13.12-1.mga9.x86_64
- postgresql13-server-13.12-1.mga9.x86_64
84MB of additional disk space will be used.
su'd to postgres
psql
postgres=# create database mageia;
CREATE DATABASE
postgres=# \c mageia;
You are now connected to database "mageia" as user "postgres".
mageia=# create table mag_versions (name varchar(12), cr_date date);
CREATE TABLE
mageia=# create index magidx on mag_versions(name);
CREATE INDEX
mageia=# insert into mag_versions values ('9', '26-Aug-2023');
INSERT 0 1
mageia=# insert into mag_versions values ('8', '21-May-2021');
INSERT 0 1
mageia=# select * from mag_versions;
name | cr_date
------+------------
9 | 2023-08-26
8 | 2021-05-21
(2 rows)

Whiteboard:
MGA8TOO MGA8-64-OK =>
MGA8TOO MGA8-64-OK MGA9-64-OK

MGA9-32
The following 20 packages are going to be installed:
- glibc-devel-2.36-45.mga9.i586
- kernel-userspace-headers-6.4.14-1.mga9.i586
- libecpg13_6-13.12-1.mga9.i586
- libopenssl-devel-3.0.10-1.mga9.i586
- libopenssl3-3.0.10-1.mga9.i586
- libpq5.13-13.12-1.mga9.i586
- libxcrypt-devel-4.4.33-3.mga9.i586
- libzlib-devel-1.2.13-1.mga9.i586
- multiarch-utils-1.0.15-1.mga9.noarch
- openssl-3.0.10-1.mga9.i586
- postgresql13-13.12-1.mga9.i586
- postgresql13-contrib-13.12-1.mga9.i586
- postgresql13-devel-13.12-1.mga9.i586
- postgresql13-docs-13.12-1.mga9.noarch
- postgresql13-pl-13.12-1.mga9.i586
- postgresql13-plperl-13.12-1.mga9.i586
- postgresql13-plpgsql-13.12-1.mga9.i586
- postgresql13-plpython3-13.12-1.mga9.i586
- postgresql13-pltcl-13.12-1.mga9.i586
- postgresql13-server-13.12-1.mga9.i586
92MB of additional disk space will be used.
started service
psql (13.12)
Type "help" for help.
postgres=# create database mageia;
CREATE DATABASE
postgres=# \c mageia
You are now connected to database "mageia" as user "postgres".
mageia=# create table mag_versions (name varchar(12), cr_date date);
CREATE TABLE
mageia=# insert into mag_versions values ('9', '28-Aug-2023');
INSERT 0 1
mageia=# insert into mag_versions values ('8', '2-May-2021');
INSERT 0 1
mageia=# create index magidx on mag_versions(name);
CREATE INDEX
mageia=# select * from mag_versions;
name | cr_date
------+------------
9 | 2023-08-28
8 | 2021-05-02
(2 rows)
mageia=# \q
32-bit working as expected, stopping here.
Brian Rockwell
2023-09-07 05:13:23 CEST
Whiteboard:
MGA8TOO MGA8-64-OK MGA9-64-OK =>
MGA8TOO MGA8-64-OK MGA9-64-OK MGA9-32-OK

Validating. Advisory in comment 1.

Keywords:
(none) =>
validated_update
Dave Hodgins
2023-09-11 02:52:51 CEST
CC:
(none) =>
davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0261.html

Resolution:
(none) =>
FIXED