Upstream has released new versions today (March 31):
http://www.postgresql.org/about/news/1656/

Versions 9.3.12, 9.4.7, and 9.5.2 fix two security issues.
CC: (none) => cjw, fundawang, oe
Whiteboard: (none) => MGA5TOO
Fixed for Cauldron by Christiaan.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
The postgresql9.3 9.3.12 and postgresql9.4 9.4.7 packages in updates_testing passed very basic testing using pgbench on mga5 i586 and x86-64. I'll see if I can write an advisory later this week.
Thanks Christiaan! I'll take care of the advisory.

Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

A vulnerability in PostgreSQL 9.3.x before 9.3.12 and 9.4.x before 9.4.7 leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles, which could happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy (CVE-2016-2193).

A vulnerability was found in a way PostgreSQL 9.3.x before 9.3.12 and 9.4.x before 9.4.7 uses pageinspect functions. Certain function arguments crashed the server or disclosed a few bytes of server memory. The viability of attacks that arrange for presence of confidential information in the disclosed bytes was not ruled out. This affects only databases that have used "CREATE EXTENSION pageinspect" (CVE-2016-3065).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3065
http://www.postgresql.org/docs/current/static/release-9-3-12.html
http://www.postgresql.org/docs/current/static/release-9-4-7.html
http://www.postgresql.org/about/news/1656/
========================

Updated packages in core/updates_testing:
========================
postgresql9.3-9.3.12-1.mga5
libpq9.3_5.6-9.3.12-1.mga5
libecpg9.3_6-9.3.12-1.mga5
postgresql9.3-server-9.3.12-1.mga5
postgresql9.3-docs-9.3.12-1.mga5
postgresql9.3-contrib-9.3.12-1.mga5
postgresql9.3-devel-9.3.12-1.mga5
postgresql9.3-pl-9.3.12-1.mga5
postgresql9.3-plpython-9.3.12-1.mga5
postgresql9.3-plperl-9.3.12-1.mga5
postgresql9.3-pltcl-9.3.12-1.mga5
postgresql9.3-plpgsql-9.3.12-1.mga5
postgresql9.4-9.4.7-1.mga5
libpq5-9.4.7-1.mga5
libecpg9.4_6-9.4.7-1.mga5
postgresql9.4-server-9.4.7-1.mga5
postgresql9.4-docs-9.4.7-1.mga5
postgresql9.4-contrib-9.4.7-1.mga5
postgresql9.4-devel-9.4.7-1.mga5
postgresql9.4-pl-9.4.7-1.mga5
postgresql9.4-plpython-9.4.7-1.mga5
postgresql9.4-plperl-9.4.7-1.mga5
postgresql9.4-pltcl-9.4.7-1.mga5
postgresql9.4-plpgsql-9.4.7-1.mga5

from SRPMS:
postgresql9.3-9.3.12-1.mga5.src.rpm
postgresql9.4-9.4.7-1.mga5.src.rpm
Assignee: bugsquad => qa-bugs
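Added example, not part of any comment in this report: a triage sketch that reads a `select version()` banner, compares it with the fixed releases named upstream (9.3.12, 9.4.7, 9.5.2), and lists a CVE only when the precondition stated in the advisory is met. The host names, the inventory fields (`has_policies`, `extensions`) and every banner except the 9.3.12 one are constructed for illustration.

```python
import re

# Fixed patch level per branch, from the upstream announcement quoted in this report.
FIXED = {(9, 3): 12, (9, 4): 7, (9, 5): 2}
VERSION_RE = re.compile(r"PostgreSQL (\d+)\.(\d+)\.(\d+)\b")

def parse_version(banner):
    """Return (major, minor, patch) from the text printed by SELECT version()."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError("no PostgreSQL x.y.z version in %r" % banner)
    return tuple(int(part) for part in m.groups())

def patch_status(banner):
    """Classify one server as 'fixed', 'needs-update' or 'branch-not-listed'."""
    major, minor, patch = parse_version(banner)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "branch-not-listed"
    # Integer compare: as strings, "9.3.9" would sort above "9.3.12".
    return "fixed" if patch >= fixed_patch else "needs-update"

def triage(servers):
    """Map server name -> (status, CVEs whose stated precondition is met)."""
    report = {}
    for s in servers:
        status = patch_status(s["banner"])
        cves = []
        if status == "needs-update":
            if s["has_policies"]:                 # CREATE POLICY has been used
                cves.append("CVE-2016-2193")
            if "pageinspect" in s["extensions"]:  # CREATE EXTENSION pageinspect
                cves.append("CVE-2016-3065")
        report[s["name"]] = (status, cves)
    return report

# Constructed inventory (hypothetical hosts and fields, assumed for this example).
SAMPLE = [
    {"name": "qa-i586", "has_policies": False, "extensions": {"plpgsql", "pageinspect"},
     "banner": "PostgreSQL 9.3.12 on i586-mageia-linux-gnu, compiled by gcc (GCC) 4.9.2, 32-bit"},
    {"name": "legacy-93", "has_policies": False, "extensions": {"plpgsql", "pageinspect"},
     "banner": "PostgreSQL 9.3.9 on x86_64-mageia-linux-gnu, compiled by gcc (GCC) 4.9.2, 64-bit"},
    {"name": "app-95", "has_policies": True, "extensions": {"plpgsql"},
     "banner": "PostgreSQL 9.5.1 on x86_64-mageia-linux-gnu, compiled by gcc (GCC) 4.9.2, 64-bit"},
    {"name": "old-92", "has_policies": False, "extensions": {"plpgsql"},
     "banner": "PostgreSQL 9.2.15 on x86_64-mageia-linux-gnu, compiled by gcc (GCC) 4.9.2, 64-bit"},
]

if __name__ == "__main__":
    for name, (status, cves) in sorted(triage(SAMPLE).items()):
        print(name, status, ", ".join(cves) or "-")
```

A branch that the announcement does not list is reported as `branch-not-listed` rather than guessed at.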
Testing Procedure: https://bugs.mageia.org/show_bug.cgi?id=8997#c1
Whiteboard: (none) => has_procedure
Severity: normal => major
(In reply to David Walser from comment #4)
> Testing Procedure:
> https://bugs.mageia.org/show_bug.cgi?id=8997#c1

Use webmin to run the sql from
http://pgfoundry.org/frs/download.php/527/world-1.0.tar.gz
to create the tables, and view the data.

Webpage no longer exists. Got another?
CC: (none) => wilcal.int
(In reply to William Kenney from comment #5)
> (In reply to David Walser from comment #4)
>
> > Testing Procedure:
> > https://bugs.mageia.org/show_bug.cgi?id=8997#c1
>
> Use webmin to run the sql from
> http://pgfoundry.org/frs/download.php/527/world-1.0.tar.gz
> to create the tables, and view the data.
>
> Webpage no longer exists. Got another?

Apparently that website periodically disappears. You can download it from here:
https://ftp.postgresql.org/pub/projects/pgFoundry/dbsamples/world/world-1.0/
Testing M5 x64

Postgres 9.3

Updated to:
lib64pq9.3_5.6-9.3.12-1.mga5
lib64ecpg9.3_6-9.3.12-1.mga5
postgresql9.3-server-9.3.12-1.mga5
postgresql9.3-devel-9.3.12-1.mga5
postgresql9.3-plpgsql-9.3.12-1.mga5
postgresql9.3-9.3.12-1.mga5

Played with (all using PostgreSQL): Bugzilla, Drupal, MediaWiki, PHPpgAdmin
No problems here. OK.

But it would be nice if somebody could confirm version 9.4 update.
CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Testing M5 x32

Postgres 9.3

[brian@localhost ~]$ psql mydb
psql (9.3.12)
Type "help" for help.

mydb=>
mydb=> select version();
                                    version
--------------------------------------------------------------------------------
-
 PostgreSQL 9.3.12 on i586-mageia-linux-gnu, compiled by gcc (GCC) 4.9.2, 32-bit
(1 row)

mydb=> create table brian (name varchar(20));
CREATE TABLE
mydb=> insert into brian values ('briansname');
INSERT 0 1
mydb=> select * from brian;
    name
------------
 briansname

Seems to be working as designed.
CC: (none) => brtians1
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Useful procedure Brian, well done. Advisory uploaded.
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0136.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/683853/