Upstream has announced new versions today (October 8): http://www.postgresql.org/about/news/1615/ Two security issues have been fixed.
CC: (none) => cjw
Whiteboard: (none) => MGA5TOO
Hardware: i586 => All
CC: (none) => mageia
Assignee: bugsquad => cjw
Ubuntu has issued an advisory for this today (October 16): http://www.ubuntu.com/usn/usn-2772-1/
URL: (none) => http://lwn.net/Vulnerabilities/661066/
Updated versions committed to SVN for mga5 and cauldron (mga6)
CC: (none) => ngompa13
Advisory:
========================================================

Updated postgresql packages fix security vulnerabilities

Josh Kupershmidt discovered the pgCrypto extension could expose several bytes of server memory if the crypt() function was provided a too-short salt. An attacker could use this flaw to read private data. (CVE-2015-5288)

Oskari Saarenmaa discovered that the json and jsonb handlers could exhaust available stack space. An attacker could use this flaw to perform a denial of service attack. (CVE-2015-5289)

The postgresql9.3 and postgresql9.4 packages have been updated to versions 9.3.10 and 9.4.5, respectively, to fix these issues. See the upstream release notes for more details.

References:
https://bugs.mageia.org/show_bug.cgi?id=16924
http://www.postgresql.org/about/news/1615/
http://www.ubuntu.com/usn/usn-2772-1/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5289
========================================================

Updated packages in core/updates_testing:
========================================================
postgresql9.3-9.3.10-1.mga5
libpq9.3_5.6-9.3.10-1.mga5
libecpg9.3_6-9.3.10-1.mga5
postgresql9.3-server-9.3.10-1.mga5
postgresql9.3-docs-9.3.10-1.mga5
postgresql9.3-contrib-9.3.10-1.mga5
postgresql9.3-devel-9.3.10-1.mga5
postgresql9.3-pl-9.3.10-1.mga5
postgresql9.3-plpython-9.3.10-1.mga5
postgresql9.3-plperl-9.3.10-1.mga5
postgresql9.3-pltcl-9.3.10-1.mga5
postgresql9.3-plpgsql-9.3.10-1.mga5
postgresql9.3-debuginfo-9.3.10-1.mga5
postgresql9.4-9.4.5-1.mga5
libpq5-9.4.5-1.mga5
libecpg9.4_6-9.4.5-1.mga5
postgresql9.4-server-9.4.5-1.mga5
postgresql9.4-docs-9.4.5-1.mga5
postgresql9.4-contrib-9.4.5-1.mga5
postgresql9.4-devel-9.4.5-1.mga5
postgresql9.4-pl-9.4.5-1.mga5
postgresql9.4-plpython-9.4.5-1.mga5
postgresql9.4-plperl-9.4.5-1.mga5
postgresql9.4-pltcl-9.4.5-1.mga5
postgresql9.4-plpgsql-9.4.5-1.mga5
postgresql9.4-debuginfo-9.4.5-1.mga5

From SRPMS:
postgresql9.3-9.3.10-1.mga5.src.rpm
postgresql9.4-9.4.5-1.mga5.src.rpm
Assignee: cjw => qa-bugs
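The QA testing below only checks that dependent applications still run; it does not exercise the two fixed code paths. The following psql script is an added example (not part of this bug report, the advisory, or the Mageia packages) that probes both CVEs directly. It assumes superuser access through psql and the pgcrypto extension from the postgresql9.x-contrib package; the two probe statements are meant to fail, and the error texts in the comments are the expected behaviour of the patched releases, not output recorded on this bug.

```sql
-- Added verification script; not from the bug report or the Mageia packages.
-- Run with:  psql -d postgres -f check_pg_update.sql
\set ON_ERROR_STOP off   -- the two probes below are expected to raise errors

-- 1. Confirm the server binary is the patched release (9.3.10 or 9.4.5).
SHOW server_version;
SELECT version();

-- 2. CVE-2015-5288: crypt() with a too-short salt.
--    Unfixed servers read past the end of the salt string and could return
--    bytes of server memory; fixed servers reject the call (invalid salt).
CREATE EXTENSION IF NOT EXISTS pgcrypto;
SELECT crypt('secret', '');    -- empty salt (traditional DES crypt needs 2 chars)
SELECT crypt('secret', 'a');   -- one-character salt, also too short
-- Control: a salt produced by gen_salt() must still work after the update.
SELECT crypt('secret', gen_salt('md5')) IS NOT NULL AS crypt_still_works;

-- 3. CVE-2015-5289: deeply nested json/jsonb input.
--    Each '[' recurses one level in the parser; unfixed servers can overrun the
--    C stack and crash the backend, fixed servers stop with
--    "stack depth limit exceeded" before that happens.
SELECT length(repeat('[', 1000000)::json::text);
SELECT length(repeat('[', 1000000)::jsonb::text);   -- jsonb exists in 9.4 only
-- Control: ordinary nesting still parses.
SELECT '[[[1]]]'::json -> 0 -> 0 -> 0 AS nested_ok;
```

A crash in step 3 shows up as "server closed the connection unexpectedly" in psql and a backend restart in the server log; an ERROR with the connection still open is the fixed behaviour. The jsonb probe should simply report an unknown type on a 9.3 server.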
Advisory in comment #3.
The packages referenced in comment #3 have now hit the updates_testing repository for mga5.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
Testing M5 x64 real hardware, PostgreSQL 9.3.

I had a mixture of 9.3 (server) & 9.4 bits, which caused havoc in Updates Testing; so for sanity I reverted the 9.4 bits to 9.3:
postgresql9.3-9.3.9-1.mga5
postgresql9.3-server-9.3.9-1.mga5
postgresql9.3-plpgsql-9.3.9-1.mga5
postgresql9.3-devel-9.3.9-1.mga5
CC: (none) => lewyssmith
[Previous comment truncated]

Testing M5 x64 real hardware, PostgreSQL 9.3.

BEFORE update:
I had a mixture of 9.3 (server) & 9.4 bits, which caused havoc in Updates Testing; so for sanity I reverted the 9.4 bits to 9.3:
postgresql9.3-9.3.9-1.mga5
postgresql9.3-server-9.3.9-1.mga5
postgresql9.3-plpgsql-9.3.9-1.mga5
postgresql9.3-devel-9.3.9-1.mga5
plus the equivalent libs lib64pq9.3 [PQ9] & lib64ecpg9.3 [PG9].
Confirmed that the dependent applications worked: 'psql' console command, PhpPgAdmin, MediaWiki, Drupal.

AFTER update to:
postgresql9.3-server-9.3.10-1.mga5
postgresql9.3-9.3.10-1.mga5
postgresql9.3-devel-9.3.10-1.mga5
postgresql9.3-plpgsql-9.3.10-1.mga5
lib64ecpg9.3_6-9.3.10-1.mga5
lib64pq9.3_5.6-9.3.10-1.mga5
Re-started the Postgres server (in case). The 4 applications noted above still worked OK.

Update deemed OK for 9.3. If a 32-bit tester could try 9.4, that would catch both variables.
Whiteboard: advisory => advisory MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0420.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED