Bug 20842 - postgresql new security issues CVE-2017-748[4-6]
Summary: postgresql new security issues CVE-2017-748[4-6]
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: has_procedure advisory
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-13 19:06 CEST by David Walser
Modified: 2017-07-18 07:46 CEST
CC: 8 users

See Also:
Source RPM: postgresql9.3, postgresql9.4, postgresql9.6
CVE:
Status comment:


Description David Walser 2017-05-13 19:06:02 CEST
Upstream has issued an advisory on May 11:
https://www.postgresql.org/about/news/1746/

The issues are fixed in 9.3.17, 9.4.12, and 9.6.3.

Mageia 5 is also affected.

Debian has issued an advisory for this on May 12:
https://www.debian.org/security/2017/dsa-3851
Comment 1 Marja van Waes 2017-05-13 20:06:13 CEST
Assigning to cjw, the postgresql9.4 maintainer, because I saw he was active today.

I guess this report needs to be cloned for postgresql9.3 (no registered maintainer) and postgresql9.6 (joequant)?
Comment 2 David Walser 2017-05-13 20:43:31 CEST
(In reply to Marja van Waes from comment #1)
> I guess this report needs to be cloned for postgresql9.3 (no registered
> maintainer) and postgresql9.6 (joequant)?

Nope.
Comment 3 Zombie Ryushu 2017-05-14 14:59:56 CEST
Package        : postgresql-9.4
CVE ID         : CVE-2017-7484 CVE-2017-7485 CVE-2017-7486

Several vulnerabilities have been found in the PostgreSQL database
system:

CVE-2017-7484

    Robert Haas discovered that some selectivity estimators did not
    validate user privileges which could result in information
    disclosure.

CVE-2017-7485

    Daniel Gustafsson discovered that the PGREQUIRESSL environment
    variable no longer enforced a TLS connection.

CVE-2017-7486

    Andrew Wheelwright discovered that user mappings were insufficiently
    restricted.
Comment 4 Nicolas Lécureuil 2017-05-15 01:25:15 CEST
Fixed in cauldron
Comment 5 David Walser 2017-07-09 01:38:25 CEST
Updated packages uploaded for Mageia 5.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=18103#c6

Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

Robert Haas discovered that some selectivity estimators did not validate user
privileges which could result in information disclosure (CVE-2017-7484).

Daniel Gustafsson discovered that the PGREQUIRESSL environment variable no
longer enforced a TLS connection (CVE-2017-7485).

Andrew Wheelwright discovered that user mappings were insufficiently restricted
(CVE-2017-7486).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7484
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7485
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7486
http://www.postgresql.org/docs/current/static/release-9-3-17.html
http://www.postgresql.org/docs/current/static/release-9-4-12.html
https://www.postgresql.org/about/news/1746/
========================

Updated packages in core/updates_testing:
========================
postgresql9.3-9.3.17-1.mga5
libpq9.3_5.6-9.3.17-1.mga5
libecpg9.3_6-9.3.17-1.mga5
postgresql9.3-server-9.3.17-1.mga5
postgresql9.3-docs-9.3.17-1.mga5
postgresql9.3-contrib-9.3.17-1.mga5
postgresql9.3-devel-9.3.17-1.mga5
postgresql9.3-pl-9.3.17-1.mga5
postgresql9.3-plpython-9.3.17-1.mga5
postgresql9.3-plperl-9.3.17-1.mga5
postgresql9.3-pltcl-9.3.17-1.mga5
postgresql9.3-plpgsql-9.3.17-1.mga5
postgresql9.4-9.4.12-1.mga5
libpq5-9.4.12-1.mga5
libecpg9.4_6-9.4.12-1.mga5
postgresql9.4-server-9.4.12-1.mga5
postgresql9.4-docs-9.4.12-1.mga5
postgresql9.4-contrib-9.4.12-1.mga5
postgresql9.4-devel-9.4.12-1.mga5
postgresql9.4-pl-9.4.12-1.mga5
postgresql9.4-plpython-9.4.12-1.mga5
postgresql9.4-plperl-9.4.12-1.mga5
postgresql9.4-pltcl-9.4.12-1.mga5
postgresql9.4-plpgsql-9.4.12-1.mga5

from SRPMS:
postgresql9.3-9.3.17-1.mga5.src.rpm
postgresql9.4-9.4.12-1.mga5.src.rpm
Comment 6 Thomas Backlund 2017-07-17 22:15:45 CEST
Note that there is a postgresql9.4-9.4.12-1.1.mga6 in Mageia 6 updates_testing that needs to go out the same time as this to keep the upgrade path from mga5 -> mga6 working...
Comment 7 David Walser 2017-07-18 01:49:22 CEST
Why?
Comment 8 Charles Edwards 2017-07-18 02:39:06 CEST
Because anyone who installed postgresql9.4-9.4.12-1.mga5, and there were some who did, could, during Mga5 to Mga6 upgrades, hit:
Installation failed
file libpq.so.5 from install of lib64pq5-9.6.3-1.mga6 conflicts with installed
lib64pq5-9.4.12-1.mga5

postgresql9.4-9.4.12-1.1.mga6 in Mga6 updates_testing fixes this, but when it is moved to Mga6 /updates/ then, because it is a security update,
postgresql9.4-9.4.12-1.mga5 also needs to be moved to Mga5 /updates/.

Both need to stay in sync until Mga5 reaches EOL later this year.
Comment 9 Rémi Verschelde 2017-07-18 07:44:29 CEST
(In reply to Charles Edwards from comment #8)
> postgresql9.4-9.4.12-1.1.mga6 in Mga6 updates_testing fixes this but when it
> is moved to  Mga6 /updates/ then, because it is a security update 
> postgresql9.4-9.4.12-1.mga5 also needs to be moved to Mga5 /updates/.

Actually no, the Mageia update could be validated and pushed already, it just updates the Obsoletes version to match %{version}.

But indeed the most logical would be to push the Mageia 6 fix together with the Mageia 5 security update that requires this fix, I'll adapt the advisory accordingly.

Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

Robert Haas discovered that some selectivity estimators did not validate user
privileges which could result in information disclosure (CVE-2017-7484).

Daniel Gustafsson discovered that the PGREQUIRESSL environment variable no
longer enforced a TLS connection (CVE-2017-7485).

Andrew Wheelwright discovered that user mappings were insufficiently restricted
(CVE-2017-7486).

The Mageia 6 postgresql9.4 update is a packaging bugfix to ease the upgrade
from Mageia 5 to Mageia 6.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7484
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7485
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7486
http://www.postgresql.org/docs/current/static/release-9-3-17.html
http://www.postgresql.org/docs/current/static/release-9-4-12.html
https://www.postgresql.org/about/news/1746/
========================

SRPMs:
5:
- postgresql9.3-9.3.17-1.mga5.src.rpm
- postgresql9.4-9.4.12-1.mga5.src.rpm
6:
- postgresql9.4-9.4.12-1.1.mga6.src.rpm
