Bug 15741 - postgis new security issue(s) fixed upstream in 2.1.3
Summary: postgis new security issue(s) fixed upstream in 2.1.3
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/641108/
Whiteboard: advisory mga4-32-ok mga4-64-ok
Keywords: validated_update
Depends on:
Reported: 2015-04-20 20:50 CEST by David Walser
Modified: 2015-05-11 22:11 CEST (History)
6 users (show)

See Also:
Source RPM: postgis-2.1.3-4.mga5.src.rpm
Status comment:


Description David Walser 2015-04-20 20:50:29 CEST
Fedora has issued an advisory on April 5:

It says that version 2.1.6 includes security fixes:

It's not clear which fixes are security relevant.  As you can also see on that page under "More Posts," 2.1.7 was released, fixing a critical bug:

Fedora has updated to 2.1.7; we should do the same for Mageia 4 and Mageia 5.


Steps to Reproduce:
David Walser 2015-04-20 20:50:35 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-30 18:05:52 CEST
Dimitrios was the last to work on the qgis package, which requires postgis.  Dimitrios, can you help with this package?

CC: (none) => dglent

Comment 2 Philippe Makowski 2015-05-04 14:22:46 CEST
I will try to update it

CC: (none) => makowski.mageia

David Walser 2015-05-04 23:51:15 CEST

Blocks: (none) => 14674

Comment 3 Philippe Makowski 2015-05-06 20:33:56 CEST
postgis-2.1.7-1.mga4 is in 4/testing
freeze push asked for postgis-2.1.7-2.mga5
Philippe Makowski 2015-05-06 20:35:09 CEST

Assignee: fundawang => qa-bugs

Comment 4 David Walser 2015-05-06 20:36:40 CEST
Thanks Philippe!  We'll hold off on assigning to QA until it's pushed in Cauldron.

CC: (none) => fundawang, qa-bugs
Assignee: qa-bugs => bugsquad

Comment 5 David Walser 2015-05-06 21:13:17 CEST
Updated packages uploaded for Mageia 4 and Cauldron.

I finally see where the security issues are, they were actually fixed in 2.1.3:


Updated postgis packages fix security vulnerability:

The PostGIS Raster support in PostGIS before 2.1.3  may give more privileges
to users than an administrator is willing to grant. These include reading
files from the filesystem and opening connections to network hosts.

The postgis package has been updated to version 2.1.7, fixing this issue and
several other bugs.

Please see the upstream release announcements and NEWS for more information.


Updated packages in core/updates_testing:

from postgis-2.1.7-1.mga4.src.rpm

Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

David Walser 2015-05-06 21:13:36 CEST

Summary: postgis new security issue(s) fixed upstream in 2.1.6 => postgis new security issue(s) fixed upstream in 2.1.3

Comment 6 David Walser 2015-05-06 21:18:33 CEST
To be clear, the Fedora advisory claims there were security fixes in 2.1.6 itself, and they were updating it from 2.1.3, but I still have no idea what exactly they were referring to.
Comment 7 claire robinson 2015-05-11 15:46:12 CEST
Testing complete mga4 32 

Just ensuring it updates cleanly during mga5 final release cycle.

Whiteboard: (none) => mga4-32-ok

Comment 8 claire robinson 2015-05-11 18:01:56 CEST
Advisory uploaded.

Whiteboard: mga4-32-ok => advisory mga4-32-ok

Comment 9 Shlomi Fish 2015-05-11 18:34:22 CEST
(In reply to claire robinson from comment #7)
> Testing complete mga4 32 
> Just ensuring it updates cleanly during mga5 final release cycle.

It updates cleanly on a Mageia 4 x86-64 VBox VM. Should we MGA4-64-OK it?

CC: (none) => shlomif

Comment 10 claire robinson 2015-05-11 18:40:41 CEST
Yes please. Doing so now.


Please push to 4 updates


Keywords: (none) => validated_update
Whiteboard: advisory mga4-32-ok => advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2015-05-11 22:11:36 CEST
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.