| Summary: | postgresql new security issue CVE-2024-0985 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, marja11, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://www.postgresql.org/about/news/postgresql-162-156-1411-1314-and-1218-released-2807/ | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | postgresql15, postgresql13 | CVE: | CVE-2024-0985 |
| Status comment: | |||
Description
Nicolas Salguero
2024-02-09 09:25:30 CET
Nicolas Salguero
2024-02-09 09:25:52 CET
Source RPM: (none) => postgresql15, postgresql13

Suggested advisory:
========================

The updated packages fix a security vulnerability:

PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL. (CVE-2024-0985)

References:
https://www.postgresql.org/about/news/postgresql-162-156-1411-1314-and-1218-released-2807/
========================

Updated packages in core/updates_testing:
========================
lib(64)ecpg15_6-15.6-1.mga9
lib(64)pq5-15.6-1.mga9
postgresql15-15.6-1.mga9
postgresql15-contrib-15.6-1.mga9
postgresql15-devel-15.6-1.mga9
postgresql15-docs-15.6-1.mga9
postgresql15-pl-15.6-1.mga9
postgresql15-plperl-15.6-1.mga9
postgresql15-plpgsql-15.6-1.mga9
postgresql15-plpython3-15.6-1.mga9
postgresql15-pltcl-15.6-1.mga9
postgresql15-server-15.6-1.mga9
lib(64)ecpg13_6-13.14-1.mga9
lib(64)pq5.13-13.14-1.mga9
postgresql13-13.14-1.mga9
postgresql13-contrib-13.14-1.mga9
postgresql13-devel-13.14-1.mga9
postgresql13-docs-13.14-1.mga9
postgresql13-pl-13.14-1.mga9
postgresql13-plperl-13.14-1.mga9
postgresql13-plpgsql-13.14-1.mga9
postgresql13-plpython3-13.14-1.mga9
postgresql13-pltcl-13.14-1.mga9
postgresql13-server-13.14-1.mga9

from SRPMS:
postgresql15-15.6-1.mga9.src.rpm
postgresql13-13.14-1.mga9.src.rpm

Assignee: nicolas.salguero => qa-bugs
Marja Van Waes
2024-02-10 21:40:58 CET
URL: (none) => https://www.postgresql.org/about/news/postgresql-162-156-1411-1314-and-1218-released-2807/

MGA9-64, Vbox
The following 14 packages are going to be installed:
- lib64ecpg15_6-15.6-1.mga9.x86_64
- lib64openssl-devel-3.0.12-1.1.mga9.x86_64
- lib64pq5-15.6-1.mga9.x86_64
- lib64zlib-devel-1.2.13-1.2.mga9.x86_64
- postgresql15-15.6-1.mga9.x86_64
- postgresql15-contrib-15.6-1.mga9.x86_64
- postgresql15-devel-15.6-1.mga9.x86_64
- postgresql15-docs-15.6-1.mga9.noarch
- postgresql15-pl-15.6-1.mga9.x86_64
- postgresql15-plperl-15.6-1.mga9.x86_64
- postgresql15-plpgsql-15.6-1.mga9.x86_64
- postgresql15-plpython3-15.6-1.mga9.x86_64
- postgresql15-pltcl-15.6-1.mga9.x86_64
- postgresql15-server-15.6-1.mga9.x86_64
---
started service
psql
could not change directory to "/home/brian": Permission denied
psql (15.6)
Type "help" for help.
postgres=# create database mageia
postgres-# ;
CREATE DATABASE
postgres=# \c mageia
You are now connected to database "mageia" as user "postgres".
mageia=# create table mag_versions (name varchar(12), cr_date date);
CREATE TABLE
mageia=# insert into mag_versions values ('9', '26-Aug-2023');
insert into mag_versions values ('8', '2-Feb-2021');
INSERT 0 1
INSERT 0 1
mageia=# select * from mag_versions;
name | cr_date
------+------------
9 | 2023-08-26
8 | 2021-02-02
(2 rows)
mageia=# create index magidx on mag_versions(name);
CREATE INDEX
mageia=# insert into mag_versions values ('9', '26-Aug-2023');
insert into mag_versions values ('10', '2-Aug-2024');
INSERT 0 1
INSERT 0 1
mageia=# select * from mag_versions;
name | cr_date
------+------------
9 | 2023-08-26
8 | 2021-02-02
9 | 2023-08-26
10 | 2024-08-02
(4 rows)
mageia=#
\q
Working as expected on my slight test

CC: (none) => brtians1

MGA9-64, Vbox - new build
The following 14 packages are going to be installed:
- lib64ecpg13_6-13.14-1.mga9.x86_64
- lib64openssl-devel-3.0.12-1.1.mga9.x86_64
- lib64pq5.13-13.14-1.mga9.x86_64
- lib64zlib-devel-1.2.13-1.2.mga9.x86_64
- postgresql13-13.14-1.mga9.x86_64
- postgresql13-contrib-13.14-1.mga9.x86_64
- postgresql13-devel-13.14-1.mga9.x86_64
- postgresql13-docs-13.14-1.mga9.noarch
- postgresql13-pl-13.14-1.mga9.x86_64
- postgresql13-plperl-13.14-1.mga9.x86_64
- postgresql13-plpgsql-13.14-1.mga9.x86_64
- postgresql13-plpython3-13.14-1.mga9.x86_64
- postgresql13-pltcl-13.14-1.mga9.x86_64
- postgresql13-server-13.14-1.mga9.x86_64
84MB of additional disk space will be used.
24MB of packages will be retrieved.
- started services
# create database mageia;
CREATE DATABASE
postgres=# \c mageia;
You are now connected to database "mageia" as user "postgres".
mageia=# create table mag_versions (name varchar(12), cr_date date);
CREATE TABLE
mageia=# create index magidx on mag_versions(name);
CREATE INDEX
mageia=# insert into mag_versions values ('9', '26-Aug-2023');
insert into mag_versions values ('8', '2-Feb-2021');
INSERT 0 1
INSERT 0 1
mageia=# select * from mag_versions;
name | cr_date
------+------------
9 | 2023-08-26
8 | 2021-02-02
(2 rows)
mageia=# insert into mag_versions values ('10', '2-Aug-2024');
INSERT 0 1
mageia=# select * from mag_versions;
name | cr_date
------+------------
9 | 2023-08-26
8 | 2021-02-02
10 | 2024-08-02
(3 rows)
mageia=# delete mag_versions where name = '10'
mageia-# ;
ERROR: syntax error at or near "mag_versions"
LINE 1: delete mag_versions where name = '10'
^
mageia=# delete from mag_versions where name = '10'
;
DELETE 1
mageia=# select * from mag_versions;
name | cr_date
------+------------
9 | 2023-08-26
8 | 2021-02-02
(2 rows)
working as expected
Anybody have an upgrade they can do?
katnatek
2024-02-19 02:10:25 CET
Whiteboard: (none) => MGA9-64-OK
katnatek
2024-02-19 02:10:49 CET
CC: (none) => andrewsfarm

Thomas you decide

Postgres15 - MGA9-64, Nextcloud
Nextcloud postgres - upgrade from 15.5
Works as expected

Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0043.html

Resolution: (none) => FIXED
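
The test sessions in this report exercise basic DDL and DML only. As an added example (not part of the bug report or of the packages' own test suite), a psql smoke test that also runs the statement named in the advisory, REFRESH MATERIALIZED VIEW CONCURRENTLY, and then lists materialized views owned by non-superuser roles for review. The object names mv_src, mv_versions and mv_versions_name are constructed for illustration, and the session assumes the "mageia" database created in the tests above.

```sql
-- Added example: run as the postgres superuser in psql.
-- All object names below are constructed for this test.
\c mageia

-- Confirm the server is running the updated minor release
-- (15.6 or 13.14 for the packages listed in this report).
SHOW server_version;

-- Source table with a primary key so the view rows are unique.
CREATE TABLE mv_src (name varchar(12) PRIMARY KEY, cr_date date);
INSERT INTO mv_src VALUES ('8', '2021-02-02'), ('9', '2023-08-26');

CREATE MATERIALIZED VIEW mv_versions AS
    SELECT name, cr_date FROM mv_src;

-- CONCURRENTLY requires at least one unique index on the
-- materialized view that covers all rows.
CREATE UNIQUE INDEX mv_versions_name ON mv_versions (name);

-- Change the source, then refresh through the code path the
-- security update touched. The new row should appear afterwards.
INSERT INTO mv_src VALUES ('10', '2024-08-02');
REFRESH MATERIALIZED VIEW CONCURRENTLY mv_versions;
SELECT name, cr_date FROM mv_versions ORDER BY cr_date;

-- Review aid: materialized views whose owner is not a superuser.
-- A concurrent refresh of these by a more privileged role is the
-- situation the advisory describes, so these are the views to
-- check on servers that ran a pre-update release.
SELECT m.schemaname, m.matviewname, m.matviewowner
FROM pg_matviews AS m
JOIN pg_roles AS r ON r.rolname = m.matviewowner
WHERE NOT r.rolsuper
ORDER BY m.schemaname, m.matviewname;

-- Clean up the constructed objects.
DROP MATERIALIZED VIEW mv_versions;
DROP TABLE mv_src;
```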