Bug 9617

Fixed in Cauldron:
postgresql8.4-8.4.17-1.mga3
postgresql9.0-9.0.13-1.mga3
postgresql9.1-9.1.9-1.mga3
postgresql9.2-9.2.4-1.mga3

Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)

Updated packages uploaded for Mageia 2.  Thanks Funda!

Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x
before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a
denial of service (file corruption), and allows remote authenticated users
to modify configuration settings and execute arbitrary code, via a
connection request using a database name that begins with a "-" (hyphen)
(CVE-2013-1899).

PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and
8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random
numbers, which might allow remote authenticated users to have an unspecified
impact via vectors related to the "contrib/pgcrypto functions"
(CVE-2013-1900).

PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check
REPLICATION privileges, which allows remote authenticated users to bypass
intended backup restrictions by calling the (1) pg_start_backup or (2)
pg_stop_backup functions (CVE-2013-1901).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901
http://www.postgresql.org/about/news/1456/
http://www.ubuntu.com/usn/usn-1789-1/
========================

Updated packages in core/updates_testing:
========================
postgresql8.4-8.4.17-1.mga2
libpq8.4_5-8.4.17-1.mga2
libecpg8.4_6-8.4.17-1.mga2
postgresql8.4-server-8.4.17-1.mga2
postgresql8.4-docs-8.4.17-1.mga2
postgresql8.4-contrib-8.4.17-1.mga2
postgresql8.4-devel-8.4.17-1.mga2
postgresql8.4-pl-8.4.17-1.mga2
postgresql8.4-plpython-8.4.17-1.mga2
postgresql8.4-plperl-8.4.17-1.mga2
postgresql8.4-pltcl-8.4.17-1.mga2
postgresql8.4-plpgsql-8.4.17-1.mga2
postgresql9.0-9.0.13-1.mga2
libpq9.0_5-9.0.13-1.mga2
libecpg9.0_6-9.0.13-1.mga2
postgresql9.0-server-9.0.13-1.mga2
postgresql9.0-docs-9.0.13-1.mga2
postgresql9.0-contrib-9.0.13-1.mga2
postgresql9.0-devel-9.0.13-1.mga2
postgresql9.0-pl-9.0.13-1.mga2
postgresql9.0-plpython-9.0.13-1.mga2
postgresql9.0-plperl-9.0.13-1.mga2
postgresql9.0-pltcl-9.0.13-1.mga2
postgresql9.0-plpgsql-9.0.13-1.mga2
postgresql9.1-9.1.9-1.mga2
libpq9.1_5-9.1.9-1.mga2
libecpg9.1_6-9.1.9-1.mga2
postgresql9.1-server-9.1.9-1.mga2
postgresql9.1-docs-9.1.9-1.mga2
postgresql9.1-contrib-9.1.9-1.mga2
postgresql9.1-devel-9.1.9-1.mga2
postgresql9.1-pl-9.1.9-1.mga2
postgresql9.1-plpython-9.1.9-1.mga2
postgresql9.1-plperl-9.1.9-1.mga2
postgresql9.1-pltcl-9.1.9-1.mga2
postgresql9.1-plpgsql-9.1.9-1.mga2

from SRPMS:
postgresql8.4-8.4.17-1.mga2.src.rpm
postgresql9.0-9.0.13-1.mga2.src.rpm
postgresql9.1-9.1.9-1.mga2.src.rpm

CC: (none) => fundawang
Assignee: fundawang => qa-bugs
Severity: normal => critical

Procedure: https://bugs.mageia.org/show_bug.cgi?id=8997#c1

Testing mga2 32

Whiteboard: (none) => has_procedure

Testing complete mga2 32

Source RPM: postgresql9.2, postgresql9.1, postgresql9.0, postgresql8.4 => postgresql9.1, postgresql9.0, postgresql8.4
Whiteboard: has_procedure => has_procedure mga2-32-OK

testing complete for 9.1, 9.0 and 8.4 using procedure from comment 3 for x86_64

validating updates.

see comment 2 for advisory and SRPMS.

Could sysadmin push packages to Updates?

Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-32-OK => has_procedure, MGA2-32-OK, MGA2-64-OK
CC: (none) => sysadmin-bugs

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0112

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED