Fedora has issued an advisory on April 5: https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154704.html

It says that version 2.1.6 includes security fixes: http://postgis.net/2015/03/20/postgis-2.1.6

It's not clear which fixes are security relevant. As you can also see on that page under "More Posts," 2.1.7 was released, fixing a critical bug: http://svn.osgeo.org/postgis/tags/2.1.7/NEWS

Fedora has updated to 2.1.7; we should do the same for Mageia 4 and Mageia 5.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Dimitrios was the last to work on the qgis package, which requires postgis. Dimitrios, can you help with this package?
CC: (none) => dglent
I will try to update it.
CC: (none) => makowski.mageia
Blocks: (none) => 14674
postgis-2.1.7-1.mga4 is in 4/testing; freeze push asked for postgis-2.1.7-2.mga5.
Assignee: fundawang => qa-bugs
Thanks Philippe! We'll hold off on assigning to QA until it's pushed in Cauldron.
CC: (none) => fundawang, qa-bugs
Assignee: qa-bugs => bugsquad
Updated packages uploaded for Mageia 4 and Cauldron. I finally see where the security issues are; they were actually fixed in 2.1.3: http://postgis.net/2014/05/19/postgis-2.0.6_and_2.1.3

Advisory:
========================

Updated postgis packages fix security vulnerability:

The PostGIS Raster support in PostGIS before 2.1.3 may give more privileges to users than an administrator is willing to grant. These include reading files from the filesystem and opening connections to network hosts.

The postgis package has been updated to version 2.1.7, fixing this issue and several other bugs. Please see the upstream release announcements and NEWS for more information.

References:
http://postgis.net/2013/11/08/postgis-2.1.1
http://postgis.net/2014/03/31/postgis-2.1.2
http://postgis.net/2014/05/19/postgis-2.0.6_and_2.1.3
http://postgis.net/2014/09/10/postgis-2.1.4
http://postgis.net/2014/12/18/postgis-2.1.5
http://postgis.net/2015/03/20/postgis-2.1.6
http://postgis.net/2015/04/06/postgis-2.1.7
http://svn.osgeo.org/postgis/tags/2.1.7/NEWS
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154704.html
========================

Updated packages in core/updates_testing:
========================
postgis-2.1.7-1.mga4
libpostgis-devel-2.1.7-1.mga4

from postgis-2.1.7-1.mga4.src.rpm
Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
Summary: postgis new security issue(s) fixed upstream in 2.1.6 => postgis new security issue(s) fixed upstream in 2.1.3
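The advisory above identifies the raster-privilege issue as fixed in 2.0.6 and 2.1.3 (per the linked 2.0.6/2.1.3 release announcement), while the update ships 2.1.7. An administrator verifying that an installed PostGIS carries that fix has to compare against the right branch. The following added example (not part of this bug report or of the PostGIS or Mageia projects) parses a version out of either the output of PostgreSQL's `SELECT postgis_lib_version();` or an RPM name such as `postgis-2.1.7-1.mga4`, and reports whether the raster hardening is present. The sample strings are constructed; treating every 2.2+ branch as carrying the fix is an assumption made here, not something the report states.

```python
import re

# Earliest release in each branch that carries the raster hardening, taken from
# the advisory's reference to the 2.0.6 / 2.1.3 release announcement.
FIXED_IN = {
    (2, 0): (2, 0, 6),
    (2, 1): (2, 1, 3),
}


def parse_postgis_version(text):
    """Return (major, minor, patch) from a PostGIS version string.

    Accepts the output of postgis_lib_version() / postgis_full_version()
    as well as an RPM name like 'postgis-2.1.7-1.mga4'.
    """
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', text)
    if not m:
        raise ValueError("no PostGIS version found in: %r" % (text,))
    return tuple(int(x) for x in m.groups())


def raster_hardening_present(version):
    """True if this PostGIS version contains the 2.0.6 / 2.1.3 raster fix."""
    major, minor, _patch = version
    branch = (major, minor)
    if branch in FIXED_IN:
        return version >= FIXED_IN[branch]
    # Branches before 2.0 never received the fix; later branches are assumed
    # (assumption of this example) to inherit it.
    return branch > (2, 1)


def audit(samples):
    """Map each sample label to (parsed version, hardened?)."""
    return {label: (parse_postgis_version(text),
                    raster_hardening_present(parse_postgis_version(text)))
            for label, text in samples.items()}


if __name__ == "__main__":
    # Constructed samples: one SQL function result and two package names.
    samples = {
        "sql":      'POSTGIS="2.1.7" GEOS="3.4.2-CAPI-1.8.2"',
        "mga4-new": "postgis-2.1.7-1.mga4",
        "mga4-old": "postgis-2.1.2-1.mga4",
    }
    for label, (version, ok) in audit(samples).items():
        print("%-9s %-8s %s" % (label, ".".join(map(str, version)),
                                "hardened" if ok else "VULNERABLE"))
```

Running it against a live database is a matter of feeding the result of `SELECT postgis_lib_version();` to `parse_postgis_version`; the branch table is the part worth keeping current, since a 2.0.x server at 2.0.6 is fixed even though it is numerically older than an unfixed 2.1.2.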
To be clear, the Fedora advisory claims there were security fixes in 2.1.6 itself, and they were updating it from 2.1.3, but I still have no idea what exactly they were referring to.
Testing complete mga4 32

Just ensuring it updates cleanly during mga5 final release cycle.
Whiteboard: (none) => mga4-32-ok
Advisory uploaded.
Whiteboard: mga4-32-ok => advisory mga4-32-ok
(In reply to claire robinson from comment #7)
> Testing complete mga4 32
>
> Just ensuring it updates cleanly during mga5 final release cycle.

It updates cleanly on a Mageia 4 x86-64 VBox VM. Should we MGA4-64-OK it?
CC: (none) => shlomif
Yes please. Doing so now.

Validating. Please push to 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: advisory mga4-32-ok => advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0207.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED