Upstream has released new versions today (August 10): https://www.postgresql.org/about/news/1772/ The issues are fixed in 9.3.18, 9.4.13, and 9.6.4. Mageia 5 is also affected. Updated packages uploaded for Mageia 5 and Mageia 6. Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=18103#c6 Advisory: ======================== Updated postgresql packages fix security vulnerabilities: libpq, and by extension any connection driver that utilizes libpq, ignores empty passwords and does not transmit them to the server. When using libpq or a libpq-based connection driver to perform password-based authentication methods, it would appear that setting an empty password would be the equivalent of disabling password login. However, using a non-libpq based connection driver could allow a client with an empty password to log in (CVE-2017-7546). A user had access to see the options in pg_user_mappings even if the user did not have the USAGE permission on the associated foreign server. This meant that a user could see details such as a password that might have been set by the server administrator rather than the user (CVE-2017-7547). The lo_put() function should require the same permissions as lowrite(), but there was a missing permission check which would allow any user to change the data in a large object (CVE-2017-7548). Note: the CVE-2017-7547 issue requires manual intervention to fix on affected systems. See the references for details. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7546 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7547 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7548 http://www.postgresql.org/docs/current/static/release-9-3-18.html http://www.postgresql.org/docs/current/static/release-9-4-13.html https://www.postgresql.org/docs/current/static/release-9-6-4.html https://www.postgresql.org/about/news/1772/ ======================== Updated packages in core/updates_testing: ======================== postgresql9.3-9.3.18-1.mga5 libpq9.3_5.6-9.3.18-1.mga5 libecpg9.3_6-9.3.18-1.mga5 postgresql9.3-server-9.3.18-1.mga5 postgresql9.3-docs-9.3.18-1.mga5 postgresql9.3-contrib-9.3.18-1.mga5 postgresql9.3-devel-9.3.18-1.mga5 postgresql9.3-pl-9.3.18-1.mga5 postgresql9.3-plpython-9.3.18-1.mga5 postgresql9.3-plperl-9.3.18-1.mga5 postgresql9.3-pltcl-9.3.18-1.mga5 postgresql9.3-plpgsql-9.3.18-1.mga5 postgresql9.4-9.4.13-1.mga5 libpq5-9.4.13-1.mga5 libecpg9.4_6-9.4.13-1.mga5 postgresql9.4-server-9.4.13-1.mga5 postgresql9.4-docs-9.4.13-1.mga5 postgresql9.4-contrib-9.4.13-1.mga5 postgresql9.4-devel-9.4.13-1.mga5 postgresql9.4-pl-9.4.13-1.mga5 postgresql9.4-plpython-9.4.13-1.mga5 postgresql9.4-plperl-9.4.13-1.mga5 postgresql9.4-pltcl-9.4.13-1.mga5 postgresql9.4-plpgsql-9.4.13-1.mga5 postgresql9.4-9.4.13-1.mga6 libpq5.7-9.4.13-1.mga6 libecpg9.4_6-9.4.13-1.mga6 postgresql9.4-server-9.4.13-1.mga6 postgresql9.4-docs-9.4.13-1.mga6 postgresql9.4-contrib-9.4.13-1.mga6 postgresql9.4-devel-9.4.13-1.mga6 postgresql9.4-pl-9.4.13-1.mga6 postgresql9.4-plpython-9.4.13-1.mga6 postgresql9.4-plperl-9.4.13-1.mga6 postgresql9.4-pltcl-9.4.13-1.mga6 postgresql9.4-plpgsql-9.4.13-1.mga6 postgresql9.6-9.6.4-1.mga6 libpq5-9.6.4-1.mga6 libecpg9.6_6-9.6.4-1.mga6 postgresql9.6-server-9.6.4-1.mga6 postgresql9.6-docs-9.6.4-1.mga6 postgresql9.6-contrib-9.6.4-1.mga6 postgresql9.6-devel-9.6.4-1.mga6 postgresql9.6-pl-9.6.4-1.mga6 postgresql9.6-plpython-9.6.4-1.mga6 postgresql9.6-plperl-9.6.4-1.mga6 postgresql9.6-pltcl-9.6.4-1.mga6 postgresql9.6-plpgsql-9.6.4-1.mga6 from SRPMS: postgresql9.3-9.3.18-1.mga5.src.rpm postgresql9.4-9.4.13-1.mga5.src.rpm postgresql9.4-9.4.13-1.mga6.src.rpm postgresql9.6-9.6.4-1.mga6.src.rpm
Whiteboard: (none) => MGA5TOO has_procedure
MGA5-32 on Asus A6000VM Xfce First installed 9.3, used phppgadmin to create a new database, new schema and new table. Seems OK. Proceeding now to 9.4
CC: (none) => herman.viaene
Trying to install 9.4 even after removing all 9.3 packages drops into bug 14975.
Solution is to delete /var/lib/pgsql/data/ content. And then start all over again. Thus created same database, schema and table All seems OK.
Whiteboard: MGA5TOO has_procedure => MGA5TOO has_procedure MGA5-32-OK
Whiteboard: MGA5TOO has_procedure MGA5-32-OK => MGA5TOO has_procedure MGA5-32-OK advisoryCC: (none) => lewyssmith
This looks a bit complicated. I will try it for 64-bit. #14975 seems to matter.
9.3.18 The following 17 packages are going to be installed: - glibc-devel-2.20-25.mga5.x86_64 - kernel-userspace-headers-4.4.82-1.mga5.x86_64 - lib64ecpg9.3_6-9.3.18-1.mga5.x86_64 - lib64openssl-devel-1.0.2k-1.mga5.x86_64 - lib64ossp_uuid16-1.6.2-12.mga5.x86_64 - lib64pq9.3_5.6-9.3.18-1.mga5.x86_64 - lib64zlib-devel-1.2.8-7.1.mga5.x86_64 - postgresql9.3-9.3.18-1.mga5.x86_64 - postgresql9.3-contrib-9.3.18-1.mga5.x86_64 - postgresql9.3-devel-9.3.18-1.mga5.x86_64 - postgresql9.3-docs-9.3.18-1.mga5.noarch - postgresql9.3-pl-9.3.18-1.mga5.x86_64 - postgresql9.3-plperl-9.3.18-1.mga5.x86_64 - postgresql9.3-plpgsql-9.3.18-1.mga5.x86_64 - postgresql9.3-plpython-9.3.18-1.mga5.x86_64 - postgresql9.3-pltcl-9.3.18-1.mga5.x86_64 - postgresql9.3-server-9.3.18-1.mga5.x86_64 58MB of additional disk space will be used. 13MB of packages will be retrieved. Is it ok to continue? Testing $ ps -ef | grep post postgres 2053 1 0 08:54 ? 00:00:00 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432 postgres 2067 2053 0 08:54 ? 00:00:00 postgres: checkpointer process postgres 2068 2053 0 08:54 ? 00:00:00 postgres: writer process postgres 2069 2053 0 08:54 ? 00:00:00 postgres: wal writer process postgres 2070 2053 0 08:54 ? 00:00:00 postgres: autovacuum launcher process postgres 2071 2053 0 08:54 ? 00:00:00 postgres: stats collector process The server is up now set up admin info $ su Password: [root@localhost brian]# su - postgres gpg-agent[3261]: directory `/var/lib/pgsql/.gnupg' created gpg-agent[3261]: directory `/var/lib/pgsql/.gnupg/private-keys-v1.d' created gpg-agent[3262]: gpg-agent (GnuPG) 2.0.27 started [postgres@localhost ~]$ psql psql (9.3.18) Type "help" for help. Now I quit by going back to command prompt using the \q command inside of psql # \q from command prompt create mydb [postgres@localhost ~]$ createdb mydb now connect to postgres and the newly created database mydb [postgres@localhost ~]$ psql mydb psql (9.3.18) Type "help" for help. mydb=# create table brian (name varchar(20)); CREATE TABLE insert some data mydb=# insert into brian values ('briansname'); INSERT 0 1 mydb=# insert into brian values ('postgressql is awesome'); ERROR: value too long for type character varying(20) mydb=# insert into brian values ('postgres is awesome'); INSERT 0 1 mydb=# insert into brian values ('psql is awesome'); INSERT 0 1 mydb=# select * from brian; name --------------------- briansname postgres is awesome psql is awesome (3 rows) mydb=# ----------- update a row mydb=# update brian set name = 'mageia' where name = 'briansname'; UPDATE 1 --------- confirm update mydb=# select * from brian; name --------------------- postgres is awesome psql is awesome mageia (3 rows) mydb=# ---- clean up after yourself mydb=# drop table brian; DROP TABLE mydb=# \q [postgres@localhost ~]$ [postgres@localhost ~]$ dropdb mydb 9.3.18 working as designed
CC: (none) => brtians1
The following 17 packages are going to be installed: - glibc-devel-2.20-25.mga5.x86_64 - kernel-userspace-headers-4.4.82-1.mga5.x86_64 - lib64ecpg9.4_6-9.4.13-1.mga5.x86_64 - lib64openssl-devel-1.0.2k-1.mga5.x86_64 - lib64ossp_uuid16-1.6.2-12.mga5.x86_64 - lib64pq5-9.4.13-1.mga5.x86_64 - lib64zlib-devel-1.2.8-7.1.mga5.x86_64 - postgresql9.4-9.4.13-1.mga5.x86_64 - postgresql9.4-contrib-9.4.13-1.mga5.x86_64 - postgresql9.4-devel-9.4.13-1.mga5.x86_64 - postgresql9.4-docs-9.4.13-1.mga5.noarch - postgresql9.4-pl-9.4.13-1.mga5.x86_64 - postgresql9.4-plperl-9.4.13-1.mga5.x86_64 - postgresql9.4-plpgsql-9.4.13-1.mga5.x86_64 - postgresql9.4-plpython-9.4.13-1.mga5.x86_64 - postgresql9.4-pltcl-9.4.13-1.mga5.x86_64 - postgresql9.4-server-9.4.13-1.mga5.x86_64 60MB of additional disk space will be used. 13MB of packages will be retrieved. Is it ok to continue? testing -- $ ps -ef | grep post postgres 2073 1 0 09:38 ? 00:00:00 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432 postgres 2075 2073 0 09:38 ? 00:00:00 postgres: checkpointer process postgres 2076 2073 0 09:38 ? 00:00:00 postgres: writer process postgres 2077 2073 0 09:38 ? 00:00:00 postgres: wal writer process postgres 2078 2073 0 09:38 ? 00:00:00 postgres: autovacuum launcher process postgres 2079 2073 0 09:38 ? 00:00:00 postgres: stats collector process server is up – [brian@localhost ~]$ su Password: [root@localhost brian]# su - postgres gpg-agent[2981]: directory `/var/lib/pgsql/.gnupg' created gpg-agent[2981]: directory `/var/lib/pgsql/.gnupg/private-keys-v1.d' created gpg-agent[2982]: gpg-agent (GnuPG) 2.0.27 started [postgres@localhost ~]$ [postgres@localhost ~]$ createdb mydb [postgres@localhost ~]$ psql mydb psql (9.4.13) Type "help" for help. mydb=# create table brian (name varchar(20)); CREATE TABLE mydb=# create table brian (name varchar(20)); CREATE TABLE mydb=# insert into brian values ('zname'); INSERT 0 1 mydb=# insert into brian values ('is'); INSERT 0 1 mydb=# insert into brian values ('awesome'); INSERT 0 1 mydb=# select * from brian desc; ERROR: syntax error at or near "desc" LINE 1: select * from brian desc; ^ mydb=# select * from brian order by name desc; name --------- zname is awesome (3 rows) mydb=# mydb=# update brian set name = 'mageia' where name = 'zname'; UPDATE 1 mydb=# select * from brian order by name desc; name --------- mageia is awesome (3 rows) mydb=# mydb=# \q [postgres@localhost ~]$ dropdb mydb 9.4.13 is working on 64-bit
Whiteboard: MGA5TOO has_procedure MGA5-32-OK advisory => MGA5TOO has_procedure MGA5-32-OK mga5-64-ok advisory
The following 17 packages are going to be installed: - glibc-devel-2.22-25.mga6.x86_64 - kernel-userspace-headers-4.9.43-1.mga6.x86_64 - lib64ecpg9.6_6-9.6.4-1.mga6.x86_64 - lib64openssl-devel-1.0.2l-1.mga6.x86_64 - lib64ossp_uuid16-1.6.2-16.mga6.x86_64 - lib64pq5-9.6.4-1.mga6.x86_64 - lib64zlib-devel-1.2.11-4.mga6.x86_64 - postgresql9.6-9.6.4-1.mga6.x86_64 - postgresql9.6-contrib-9.6.4-1.mga6.x86_64 - postgresql9.6-devel-9.6.4-1.mga6.x86_64 - postgresql9.6-docs-9.6.4-1.mga6.noarch - postgresql9.6-pl-9.6.4-1.mga6.x86_64 - postgresql9.6-plperl-9.6.4-1.mga6.x86_64 - postgresql9.6-plpgsql-9.6.4-1.mga6.x86_64 - postgresql9.6-plpython-9.6.4-1.mga6.x86_64 - postgresql9.6-pltcl-9.6.4-1.mga6.x86_64 - postgresql9.6-server-9.6.4-1.mga6.x86_64 67MB of additional disk space will be used. 15MB of packages will be retrieved. Is it ok to continue? – $ ps -ef | grep post postgres 1965 1 0 10:26 ? 00:00:00 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432 postgres 1968 1965 0 10:26 ? 00:00:00 postgres: checkpointer process postgres 1969 1965 0 10:26 ? 00:00:00 postgres: writer process postgres 1970 1965 0 10:26 ? 00:00:00 postgres: wal writer process postgres 1971 1965 0 10:26 ? 00:00:00 postgres: autovacuum launcher process postgres 1972 1965 0 10:26 ? 00:00:00 postgres: stats collector process [brian@localhost ~]$ su Password: su: Authentication failure [brian@localhost ~]$ su Password: [root@localhost brian]# su - postgres [postgres@localhost ~]$ createdb mydb [postgres@localhost ~]$ psql mydb psql (9.6.4) Type "help" for help. mydb=# create table brian (name varchar(20)); CREATE TABLE mydb=# insert into brian values ('zname'); INSERT 0 1 mydb=# insert into brian values ('is'); INSERT 0 1 mydb=# insert into brian values ('awesome'); INSERT 0 1 mydb=# select * from brian order by name desc; name --------- zname is awesome (3 rows) mydb=# update brian set name = 'mageia' where name = 'zname'; UPDATE 1 mydb=# select * from brian order by name desc; name --------- mageia is awesome (3 rows) mydb=# mydb=# \q [postgres@localhost ~]$ dropdb mydb [postgres@localhost ~]$ 9.6.4 is working as designed
The following 17 packages are going to be installed: - glibc-devel-2.22-25.mga6.x86_64 - kernel-userspace-headers-4.9.43-1.mga6.x86_64 - lib64ecpg9.4_6-9.4.13-1.mga6.x86_64 - lib64openssl-devel-1.0.2l-1.mga6.x86_64 - lib64ossp_uuid16-1.6.2-16.mga6.x86_64 - lib64pq5.7-9.4.13-1.mga6.x86_64 - lib64zlib-devel-1.2.11-4.mga6.x86_64 - postgresql9.4-9.4.13-1.mga6.x86_64 - postgresql9.4-contrib-9.4.13-1.mga6.x86_64 - postgresql9.4-devel-9.4.13-1.mga6.x86_64 - postgresql9.4-docs-9.4.13-1.mga6.noarch - postgresql9.4-pl-9.4.13-1.mga6.x86_64 - postgresql9.4-plperl-9.4.13-1.mga6.x86_64 - postgresql9.4-plpgsql-9.4.13-1.mga6.x86_64 - postgresql9.4-plpython-9.4.13-1.mga6.x86_64 - postgresql9.4-pltcl-9.4.13-1.mga6.x86_64 - postgresql9.4-server-9.4.13-1.mga6.x86_64 61MB of additional disk space will be used. 14MB of packages will be retrieved. Is it ok to continue? – reboot – [brian@localhost ~]$ uname -a Linux localhost 4.9.43-desktop-1.mga6 #1 SMP Sun Aug 13 15:52:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux [brian@localhost ~]$ ps -ef | grep post postgres 1991 1 0 13:07 ? 00:00:00 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432 postgres 1993 1991 0 13:07 ? 00:00:00 postgres: checkpointer process postgres 1994 1991 0 13:07 ? 00:00:00 postgres: writer process postgres 1995 1991 0 13:07 ? 00:00:00 postgres: wal writer process postgres 1996 1991 0 13:07 ? 00:00:00 postgres: autovacuum launcher process postgres 1997 1991 0 13:07 ? 00:00:00 postgres: stats collector process brian 2577 2506 0 13:07 pts/0 00:00:00 grep --color post – repeated [root@localhost brian]# su - postgres [postgres@localhost ~]$ psql mydb psql (9.4.13) Type "help" for help. mydb=# select * from brian; name --------- zname is awesome (3 rows) working as designed. mga6-64-ok
Whiteboard: MGA5TOO has_procedure MGA5-32-OK mga5-64-ok advisory => MGA5TOO has_procedure MGA5-32-OK mga5-64-ok mga6-64-ok advisory
@BrianR : Thanks for all your tests. Validating as this has 3/4 OKs, more than enough for present policy.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
verified mga6-32-ok on 9.6 [root@localhost brian]# su - postgres [postgres@localhost ~]$ createdb mydb [postgres@localhost ~]$ psql mydb psql (9.4.13) Type "help" for help. mydb=# create table b2(name varchar(20)); CREATE TABLE mydb=# insert into b2 values ('postgres is awesome'); INSERT 0 1 mydb=# select * from b2; name --------------------- postgres is awesome (1 row)
Whiteboard: MGA5TOO has_procedure MGA5-32-OK mga5-64-ok mga6-64-ok advisory => MGA5TOO has_procedure MGA5-32-OK mga5-64-ok mga6-64-ok mga6-32-ok advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0316.html
Status: NEW => RESOLVEDResolution: (none) => FIXED