Upstream has issued an advisory on February 5:
http://www.postgresql.org/about/news/1569/

Debian has issued an advisory for this today (February 6):
https://lists.debian.org/debian-security-announce/2015/msg00038.html

Mageia 4 is also affected.

CC: (none) => cjw
Whiteboard: (none) => MGA4TOO
Blocks: (none) => 14674
Fixed in cauldron for postgresql9.1 postgresql9.2 postgresql9.3 postgresql9.4
Fixed in mga4 for postgresql9.0 postgresql9.1 postgresql9.2 postgresql9.3

Packages for cauldron need someone to submit them.

Cheers.
CC: (none) => oe
Updated packages are ready for testing.

MGA4 SRPMs:
postgresql9.0-9.0.19-1.mga4.src.rpm
postgresql9.1-9.1.15-1.mga4.src.rpm
postgresql9.2-9.2.10-1.mga4.src.rpm
postgresql9.3-9.3.6-1.mga4.src.rpm

RPMS:
postgresql9.0-9.0.19-1.mga4.i586.rpm
libpq9.0_5.3-9.0.19-1.mga4.i586.rpm
libecpg9.0_6-9.0.19-1.mga4.i586.rpm
postgresql9.0-server-9.0.19-1.mga4.i586.rpm
postgresql9.0-docs-9.0.19-1.mga4.noarch.rpm
postgresql9.0-contrib-9.0.19-1.mga4.i586.rpm
postgresql9.0-devel-9.0.19-1.mga4.i586.rpm
postgresql9.0-pl-9.0.19-1.mga4.i586.rpm
postgresql9.0-plpython-9.0.19-1.mga4.i586.rpm
postgresql9.0-plperl-9.0.19-1.mga4.i586.rpm
postgresql9.0-pltcl-9.0.19-1.mga4.i586.rpm
postgresql9.0-plpgsql-9.0.19-1.mga4.i586.rpm
postgresql9.1-9.1.15-1.mga4.i586.rpm
libpq9.1_5.4-9.1.15-1.mga4.i586.rpm
libecpg9.1_6-9.1.15-1.mga4.i586.rpm
postgresql9.1-server-9.1.15-1.mga4.i586.rpm
postgresql9.1-docs-9.1.15-1.mga4.noarch.rpm
postgresql9.1-contrib-9.1.15-1.mga4.i586.rpm
postgresql9.1-devel-9.1.15-1.mga4.i586.rpm
postgresql9.1-pl-9.1.15-1.mga4.i586.rpm
postgresql9.1-plpython-9.1.15-1.mga4.i586.rpm
postgresql9.1-plperl-9.1.15-1.mga4.i586.rpm
postgresql9.1-pltcl-9.1.15-1.mga4.i586.rpm
postgresql9.1-plpgsql-9.1.15-1.mga4.i586.rpm
postgresql9.2-9.2.10-1.mga4.i586.rpm
libpq9.2_5.5-9.2.10-1.mga4.i586.rpm
libecpg9.2_6-9.2.10-1.mga4.i586.rpm
postgresql9.2-server-9.2.10-1.mga4.i586.rpm
postgresql9.2-docs-9.2.10-1.mga4.noarch.rpm
postgresql9.2-contrib-9.2.10-1.mga4.i586.rpm
postgresql9.2-devel-9.2.10-1.mga4.i586.rpm
postgresql9.2-pl-9.2.10-1.mga4.i586.rpm
postgresql9.2-plpython-9.2.10-1.mga4.i586.rpm
postgresql9.2-plperl-9.2.10-1.mga4.i586.rpm
postgresql9.2-pltcl-9.2.10-1.mga4.i586.rpm
postgresql9.2-plpgsql-9.2.10-1.mga4.i586.rpm
postgresql9.3-9.3.6-1.mga4.i586.rpm
libpq9.3_5-9.3.6-1.mga4.i586.rpm
libecpg9.3_6-9.3.6-1.mga4.i586.rpm
postgresql9.3-server-9.3.6-1.mga4.i586.rpm
postgresql9.3-docs-9.3.6-1.mga4.noarch.rpm
postgresql9.3-contrib-9.3.6-1.mga4.i586.rpm
postgresql9.3-devel-9.3.6-1.mga4.i586.rpm
postgresql9.3-pl-9.3.6-1.mga4.i586.rpm
postgresql9.3-plpython-9.3.6-1.mga4.i586.rpm
postgresql9.3-plperl-9.3.6-1.mga4.i586.rpm
postgresql9.3-pltcl-9.3.6-1.mga4.i586.rpm
postgresql9.3-plpgsql-9.3.6-1.mga4.i586.rpm

postgresql9.0-9.0.19-1.mga4.x86_64.rpm
lib64pq9.0_5.3-9.0.19-1.mga4.x86_64.rpm
lib64ecpg9.0_6-9.0.19-1.mga4.x86_64.rpm
postgresql9.0-server-9.0.19-1.mga4.x86_64.rpm
postgresql9.0-docs-9.0.19-1.mga4.noarch.rpm
postgresql9.0-contrib-9.0.19-1.mga4.x86_64.rpm
postgresql9.0-devel-9.0.19-1.mga4.x86_64.rpm
postgresql9.0-pl-9.0.19-1.mga4.x86_64.rpm
postgresql9.0-plpython-9.0.19-1.mga4.x86_64.rpm
postgresql9.0-plperl-9.0.19-1.mga4.x86_64.rpm
postgresql9.0-pltcl-9.0.19-1.mga4.x86_64.rpm
postgresql9.0-plpgsql-9.0.19-1.mga4.x86_64.rpm
postgresql9.1-9.1.15-1.mga4.x86_64.rpm
lib64pq9.1_5.4-9.1.15-1.mga4.x86_64.rpm
lib64ecpg9.1_6-9.1.15-1.mga4.x86_64.rpm
postgresql9.1-server-9.1.15-1.mga4.x86_64.rpm
postgresql9.1-docs-9.1.15-1.mga4.noarch.rpm
postgresql9.1-contrib-9.1.15-1.mga4.x86_64.rpm
postgresql9.1-devel-9.1.15-1.mga4.x86_64.rpm
postgresql9.1-pl-9.1.15-1.mga4.x86_64.rpm
postgresql9.1-plpython-9.1.15-1.mga4.x86_64.rpm
postgresql9.1-plperl-9.1.15-1.mga4.x86_64.rpm
postgresql9.1-pltcl-9.1.15-1.mga4.x86_64.rpm
postgresql9.1-plpgsql-9.1.15-1.mga4.x86_64.rpm
postgresql9.2-9.2.10-1.mga4.x86_64.rpm
lib64pq9.2_5.5-9.2.10-1.mga4.x86_64.rpm
lib64ecpg9.2_6-9.2.10-1.mga4.x86_64.rpm
postgresql9.2-server-9.2.10-1.mga4.x86_64.rpm
postgresql9.2-docs-9.2.10-1.mga4.noarch.rpm
postgresql9.2-contrib-9.2.10-1.mga4.x86_64.rpm
postgresql9.2-devel-9.2.10-1.mga4.x86_64.rpm
postgresql9.2-pl-9.2.10-1.mga4.x86_64.rpm
postgresql9.2-plpython-9.2.10-1.mga4.x86_64.rpm
postgresql9.2-plperl-9.2.10-1.mga4.x86_64.rpm
postgresql9.2-pltcl-9.2.10-1.mga4.x86_64.rpm
postgresql9.2-plpgsql-9.2.10-1.mga4.x86_64.rpm
postgresql9.3-9.3.6-1.mga4.x86_64.rpm
lib64pq9.3_5-9.3.6-1.mga4.x86_64.rpm
lib64ecpg9.3_6-9.3.6-1.mga4.x86_64.rpm
postgresql9.3-server-9.3.6-1.mga4.x86_64.rpm
postgresql9.3-docs-9.3.6-1.mga4.noarch.rpm
postgresql9.3-contrib-9.3.6-1.mga4.x86_64.rpm
postgresql9.3-devel-9.3.6-1.mga4.x86_64.rpm
postgresql9.3-pl-9.3.6-1.mga4.x86_64.rpm
postgresql9.3-plpython-9.3.6-1.mga4.x86_64.rpm
postgresql9.3-plperl-9.3.6-1.mga4.x86_64.rpm
postgresql9.3-pltcl-9.3.6-1.mga4.x86_64.rpm
postgresql9.3-plpgsql-9.3.6-1.mga4.x86_64.rpm

Proposed advisory:

Updated PostgreSQL packages fix security issues:

Buffer overruns in "to_char" functions. (CVE-2015-0241)

Buffer overrun in replacement printf family of functions. (CVE-2015-0242)

Memory errors in functions in the pgcrypto extension. (CVE-2015-0243)

An error in extended protocol message reading. (CVE-2015-0244)

Constraint violation errors can cause display of values in columns which the user would not normally have rights to see. (CVE-2014-8161)

References:
http://www.postgresql.org/about/news/1569/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0244
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8161
Assignee: bugsquad => qa-bugs
Simple test procedure in https://bugs.mageia.org/show_bug.cgi?id=2843#c8

Basically, for each postgresql version (9.0, 9.1, 9.2, 9.3): install -server and -contrib packages, su to postgres user (from a root shell), then run pgbench -i followed by pgbench.
Thanks Christiaan and Oden. Freeze push for Cauldron still pending.

The Debian advisory is slightly more informative. Debian also says that CVE-2015-0242 only affects Windows.

Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

A user with limited clearance on a table might have access to information in columns without SELECT rights on through server error messages (CVE-2014-8161).

The function to_char() might read/write past the end of a buffer. This might crash the server when a formatting template is processed (CVE-2015-0241).

The pgcrypto module is vulnerable to stack buffer overrun that might crash the server (CVE-2015-0243).

Emil Lenngren reported that an attacker can inject SQL commands when the synchronization between client and server is lost (CVE-2015-0244).

This update provides PostgreSQL versions 9.3.6, 9.2.10, 9.1.15, and 9.0.19 that fix these issues, as well as several others.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0244
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8161
http://www.postgresql.org/about/news/1569/
https://www.debian.org/security/2015/dsa-3155

Version: Cauldron => 4
Blocks: 14674 => (none)
Summary: postgresql new security issues fixed upstream => postgresql new security issues fixed upstream in 9.0.19, 9.1.15, 9.2.10, and 9.3.6
Whiteboard: MGA4TOO => (none)
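An added example, not part of the bug report or the Mageia tooling: a shell check that compares installed PostgreSQL package names against the fixed versions named in the advisory above (9.0.19, 9.1.15, 9.2.10, 9.3.6). The function names and the sample package list are constructed for illustration; the input format assumed is the `name-version-release.arch` form that `rpm -qa` prints.

```shell
#!/bin/sh
# Added example: flag PostgreSQL packages older than the advisory's fixed versions.

# Fixed release per branch, taken from the advisory text.
fixed_for() {
    case "$1" in
        9.0) echo 9.0.19 ;;
        9.1) echo 9.1.15 ;;
        9.2) echo 9.2.10 ;;
        9.3) echo 9.3.6 ;;
    esac
}

# Reads package names on stdin; prints "VULNERABLE <pkg> (needs >= X)" or
# "OK <pkg>" for each PostgreSQL package and ignores everything else.
check_packages() {
    while IFS= read -r pkg; do
        case "$pkg" in
            postgresql9.*|libpq9.*|lib64pq9.*|libecpg9.*|lib64ecpg9.*) ;;
            *) continue ;;
        esac
        # Version is the x.y.z field just before the final "-release.arch".
        ver=$(printf '%s\n' "$pkg" |
            sed -n 's/^.*-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)-[^-]*$/\1/p')
        [ -n "$ver" ] || continue
        fixed=$(fixed_for "${ver%.*}")
        [ -n "$fixed" ] || continue   # branch not covered by this advisory
        # Same branch, so only the last component needs a numeric comparison.
        if [ "${ver##*.}" -lt "${fixed##*.}" ]; then
            echo "VULNERABLE $pkg (needs >= $fixed)"
        else
            echo "OK $pkg"
        fi
    done
}

# Constructed sample input; on a real system use: rpm -qa | check_packages
sample_packages() {
    cat <<'EOF'
postgresql9.0-pl-9.0.17-2.mga4.i586
postgresql9.1-9.1.13-2.mga4.i586
lib64pq9.2_5.5-9.2.10-1.mga4.x86_64
postgresql9.3-server-9.3.6-1.mga4.x86_64
bash-4.2-1.mga4.x86_64
EOF
}

sample_packages | check_packages
```
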
Whiteboard: (none) => has_procedure
postgresql9.0 postgresql9.1 postgresql9.2 postgresql9.3 tested on MGA4 x86-64 using the trivial procedure outlined in comment 3.
Whiteboard: has_procedure => has_procedure advisory mga4-64-ok
Advisory uploaded. Whiteboard marker already added. We use that to denote when the advisory has been uploaded to svn, which is necessary before the packages can be pushed. Please only add it if this has been done. Thanks.
Testing on Mageia4x32 real hardware

Tested each current postgresql packages
---------------------------------------
- postgresql9.0-pl-9.0.17-2.mga4.i586
- postgresql9.1-9.1.13-2.mga4.i586
- postgresql9.2-9.2.8-2.mga4.i586
- postgresql9.3-9.3.4-1.mga4.i586

Procedure used :
--------------
Based on testing procedure mentioned in Comment 5 :
# service postgresql start
# systemctl restart httpd
# su - postgres
$ pgbench -i
$ pgbench
And then created drupal installation and verified in each drupal site created in reports windows I was using corresponding postgresql version
(Database system PostgreSQL OK Database system version 9.0.17)
# service postgresql stop
# rm -r -f /var/lib/pgsql/data/

Tested each updated testing postgresql packages (9.0, 9.1, 9.2, 9.3)
-------------------------------------------------------------------
Using same procedure (pgbench and drupal site installation)
All OK

CC: (none) => olchal
Whiteboard: has_procedure advisory mga4-64-ok => has_procedure advisory mga4-64-ok MGA4-32-OK
Bug 15309 created for rationalising postgresql versions in mga5 before release. Validating. Please push to 4 updates Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0069.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED