Upstream has released new versions today (August 11):
https://www.postgresql.org/about/news/1688/

Versions 9.3.14, 9.4.9, and 9.5.4 fix two security issues.

Updates checked into Mageia 5 and Cauldron SVN. Freeze push requested for Cauldron.
Whiteboard: (none) => MGA5TOO
URL: (none) => http://lwn.net/Vulnerabilities/697020/
Updated packages uploaded for Mageia 5 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=18103#c6

Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

It was discovered that certain SQL statements containing CASE/WHEN commands could crash the PostgreSQL server, or disclose a few bytes of server memory, potentially leading to arbitrary code execution (CVE-2016-5423).

It was found that PostgreSQL client programs mishandle database and role names containing newlines, carriage returns, double quotes, or backslashes. By crafting such an object name, roles with the CREATEDB or CREATEROLE option could escalate their privileges to root when a root user next executes maintenance with a vulnerable program. Vulnerable programs include pg_dumpall, pg_upgrade, vacuumdb, reindexdb, and clusterdb (CVE-2016-5424).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5423
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5424
http://www.postgresql.org/docs/current/static/release-9-3-14.html
http://www.postgresql.org/docs/current/static/release-9-4-9.html
https://www.postgresql.org/about/news/1688/
========================

Updated packages in core/updates_testing:
========================
postgresql9.3-9.3.14-1.mga5
libpq9.3_5.6-9.3.14-1.mga5
libecpg9.3_6-9.3.14-1.mga5
postgresql9.3-server-9.3.14-1.mga5
postgresql9.3-docs-9.3.14-1.mga5
postgresql9.3-contrib-9.3.14-1.mga5
postgresql9.3-devel-9.3.14-1.mga5
postgresql9.3-pl-9.3.14-1.mga5
postgresql9.3-plpython-9.3.14-1.mga5
postgresql9.3-plperl-9.3.14-1.mga5
postgresql9.3-pltcl-9.3.14-1.mga5
postgresql9.3-plpgsql-9.3.14-1.mga5
postgresql9.4-9.4.9-1.mga5
libpq5-9.4.9-1.mga5
libecpg9.4_6-9.4.9-1.mga5
postgresql9.4-server-9.4.9-1.mga5
postgresql9.4-docs-9.4.9-1.mga5
postgresql9.4-contrib-9.4.9-1.mga5
postgresql9.4-devel-9.4.9-1.mga5
postgresql9.4-pl-9.4.9-1.mga5
postgresql9.4-plpython-9.4.9-1.mga5
postgresql9.4-plperl-9.4.9-1.mga5
postgresql9.4-pltcl-9.4.9-1.mga5
postgresql9.4-plpgsql-9.4.9-1.mga5

from SRPMS:
postgresql9.3-9.3.14-1.mga5.src.rpm
postgresql9.4-9.4.9-1.mga5.src.rpm
Version: Cauldron => 5
Whiteboard: MGA5TOO => has_procedure
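
An audit query for the condition the CVE-2016-5424 paragraph of the advisory describes, added here as an example; it is not part of the advisory or of this bug report. It assumes a session that can read pg_database and pg_roles, and the column aliases are illustrative.

```sql
-- Added example: find database and role names that contain any of the
-- characters named in the CVE-2016-5424 advisory text (newline, carriage
-- return, double quote, backslash). chr() is used instead of escape
-- strings so the result does not depend on standard_conforming_strings.
SELECT 'database'                          AS object_type,
       d.datname::text                     AS object_name,
       pg_catalog.pg_get_userbyid(d.datdba) AS owner
FROM   pg_catalog.pg_database d
WHERE  strpos(d.datname::text, chr(10)) > 0   -- newline
   OR  strpos(d.datname::text, chr(13)) > 0   -- carriage return
   OR  strpos(d.datname::text, chr(34)) > 0   -- double quote
   OR  strpos(d.datname::text, chr(92)) > 0   -- backslash
UNION ALL
SELECT 'role',
       r.rolname::text,
       NULL
FROM   pg_catalog.pg_roles r
WHERE  strpos(r.rolname::text, chr(10)) > 0
   OR  strpos(r.rolname::text, chr(13)) > 0
   OR  strpos(r.rolname::text, chr(34)) > 0
   OR  strpos(r.rolname::text, chr(92)) > 0
ORDER  BY 1, 2;

-- Non-superuser roles holding the options the advisory names as the
-- precondition (CREATEDB or CREATEROLE), for review before root next runs
-- pg_dumpall, pg_upgrade, vacuumdb, reindexdb or clusterdb.
SELECT r.rolname,
       r.rolcreatedb,
       r.rolcreaterole,
       r.rolcanlogin
FROM   pg_catalog.pg_roles r
WHERE  NOT r.rolsuper
  AND  (r.rolcreatedb OR r.rolcreaterole)
ORDER  BY r.rolname;
```

An empty result from the first query means no existing database or role name contains those characters; the second query lists the roles that could create one.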
Assigning to QA. Package list, advisory, and testing procedure in Comment 1.
Assignee: cjw => qa-bugs
Severity: normal => critical
installed postgresql9.3 first round

This via terminal

I had to su over to the postgres user id and create my user profile

[postgres@localhost brian]$ createdb -O brian brian

I backed out of postgres and root via exit command

then

[brian@localhost ~]$ psql
psql (9.3.14)
Type "help" for help.

brian=> select version();
                                    version
---------------------------------------------------------------------------------
 PostgreSQL 9.3.14 on i586-mageia-linux-gnu, compiled by gcc (GCC) 4.9.2, 32-bit
(1 row)

brian=> create table brian (name varchar(20));
CREATE TABLE
brian=> insert into brian values ('briansname');
INSERT 0 1
brian=> select * from brian;
    name
------------
 briansname
(1 row)

brian=>

9.3.14 seems to be working appropriately.
CC: (none) => brtians1
The following 18 packages are going to be installed:

- glibc-devel-2.20-23.mga5.x86_64
- kernel-userspace-headers-4.4.16-1.mga5.x86_64
- lib64ecpg9.4_6-9.4.9-1.mga5.x86_64
- lib64openssl-devel-1.0.2h-1.mga5.x86_64
- lib64ossp_uuid16-1.6.2-12.mga5.x86_64
- lib64pq5-9.4.9-1.mga5.x86_64
- lib64zlib-devel-1.2.8-7.mga5.x86_64
- meta-task-5-28.1.mga5.noarch
- postgresql9.4-9.4.9-1.mga5.x86_64
- postgresql9.4-contrib-9.4.9-1.mga5.x86_64
- postgresql9.4-devel-9.4.9-1.mga5.x86_64
- postgresql9.4-docs-9.4.9-1.mga5.noarch
- postgresql9.4-pl-9.4.9-1.mga5.x86_64
- postgresql9.4-plperl-9.4.9-1.mga5.x86_64
- postgresql9.4-plpgsql-9.4.9-1.mga5.x86_64
- postgresql9.4-plpython-9.4.9-1.mga5.x86_64
- postgresql9.4-pltcl-9.4.9-1.mga5.x86_64
- postgresql9.4-server-9.4.9-1.mga5.x86_64

60MB of additional disk space will be used.

------------------------------------------------------------

This time around I had to

create role brian with login

Then I went back and did a database create with:

createdb -O brian mydb

then I could login into psql

---------------------------------------------------------

[brian@localhost ~]$ psql mydb
psql (9.4.9)

mydb=# select version();
                                     version
----------------------------------------------------------------------------------
 PostgreSQL 9.4.9 on x86_64-mageia-linux-gnu, compiled by gcc (GCC) 4.9.2, 64-bit

---------------------------------------------------------------------

mydb=# create table brian (name varchar(20));
CREATE TABLE
mydb=# insert into brian values ('someones name');
INSERT 0 1
mydb=# select * from brian;
     name
---------------
 someones name
(1 row)

mydb=#

----------------

looks like 9.4 is working fine.
Whiteboard: has_procedure => has_procedure mga5-32-ok mga5-64-ok
Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-32-ok mga5-64-ok => has_procedure mga5-32-ok mga5-64-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0289.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED