Upstream has released new versions today (November 9): https://www.postgresql.org/about/news/1801/ The issues are fixed in 9.3.20, 9.4.15, and 9.6.6. Mageia 5 is also affected. Updated packages uploaded for Mageia 5 and Mageia 6. Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=18103#c6 Advisory: ======================== Updated postgresql packages fix security vulnerabilities: The startup log file for the postmaster (in newer releases, "postgres") process was opened while the process was still owned by root. With this setup, the database owner could specify a file that they did not have access to and cause the file to be corrupted with logged data (CVE-2017-12172). Crash due to rowtype mismatch in json{b}_populate_recordset(). These functions used the result rowtype specified in the FROM ... AS clause without checking that it matched the actual rowtype of the supplied tuple value. If it didn't, that would usually result in a crash, though disclosure of server memory contents seems possible as well (CVE-2017-15098). The "INSERT ... ON CONFLICT DO UPDATE" would not check to see if the executing user had permission to perform a "SELECT" on the index performing the conflicting check. Additionally, in a table with row-level security enabled, the "INSERT ... ON CONFLICT DO UPDATE" would not check the SELECT policies for that table before performing the update (CVE-2017-15099). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12172 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15098 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15099 https://www.postgresql.org/docs/9.3/static/release-9-3-20.html https://www.postgresql.org/docs/9.4/static/release-9-4-15.html https://www.postgresql.org/docs/9.6/static/release-9-6-6.html https://www.postgresql.org/about/news/1801/ ======================== Updated packages in core/updates_testing: ======================== postgresql9.3-9.3.20-1.mga5 libpq9.3_5.6-9.3.20-1.mga5 libecpg9.3_6-9.3.20-1.mga5 postgresql9.3-server-9.3.20-1.mga5 postgresql9.3-docs-9.3.20-1.mga5 postgresql9.3-contrib-9.3.20-1.mga5 postgresql9.3-devel-9.3.20-1.mga5 postgresql9.3-pl-9.3.20-1.mga5 postgresql9.3-plpython-9.3.20-1.mga5 postgresql9.3-plperl-9.3.20-1.mga5 postgresql9.3-pltcl-9.3.20-1.mga5 postgresql9.3-plpgsql-9.3.20-1.mga5 postgresql9.4-9.4.15-1.mga5 libpq5-9.4.15-1.mga5 libecpg9.4_6-9.4.15-1.mga5 postgresql9.4-server-9.4.15-1.mga5 postgresql9.4-docs-9.4.15-1.mga5 postgresql9.4-contrib-9.4.15-1.mga5 postgresql9.4-devel-9.4.15-1.mga5 postgresql9.4-pl-9.4.15-1.mga5 postgresql9.4-plpython-9.4.15-1.mga5 postgresql9.4-plperl-9.4.15-1.mga5 postgresql9.4-pltcl-9.4.15-1.mga5 postgresql9.4-plpgsql-9.4.15-1.mga5 postgresql9.4-9.4.15-1.mga6 libpq5.7-9.4.15-1.mga6 libecpg9.4_6-9.4.15-1.mga6 postgresql9.4-server-9.4.15-1.mga6 postgresql9.4-docs-9.4.15-1.mga6 postgresql9.4-contrib-9.4.15-1.mga6 postgresql9.4-devel-9.4.15-1.mga6 postgresql9.4-pl-9.4.15-1.mga6 postgresql9.4-plpython-9.4.15-1.mga6 postgresql9.4-plperl-9.4.15-1.mga6 postgresql9.4-pltcl-9.4.15-1.mga6 postgresql9.4-plpgsql-9.4.15-1.mga6 postgresql9.6-9.6.6-1.mga6 libpq5-9.6.6-1.mga6 libecpg9.6_6-9.6.6-1.mga6 postgresql9.6-server-9.6.6-1.mga6 postgresql9.6-docs-9.6.6-1.mga6 postgresql9.6-contrib-9.6.6-1.mga6 postgresql9.6-devel-9.6.6-1.mga6 postgresql9.6-pl-9.6.6-1.mga6 postgresql9.6-plpython-9.6.6-1.mga6 postgresql9.6-plperl-9.6.6-1.mga6 postgresql9.6-pltcl-9.6.6-1.mga6 postgresql9.6-plpgsql-9.6.6-1.mga6 from SRPMS: postgresql9.3-9.3.20-1.mga5.src.rpm postgresql9.4-9.4.15-1.mga5.src.rpm postgresql9.4-9.4.15-1.mga6.src.rpm postgresql9.6-9.6.6-1.mga6.src.rpm
They don't build in Cauldron due to breakage in the osx command (opensp package). CC'ing Guillaume who changed opensp in Cauldron.
CC: (none) => cjw, guillomovitchWhiteboard: (none) => MGA5TOOKeywords: (none) => has_procedure
Debian has issued advisories for this on November 9: https://www.debian.org/security/2017/dsa-4028 https://www.debian.org/security/2017/dsa-4027 They also had this one. I don't think we have these commands packaged, but hopefully Christiaan can confirm it's not relevant for us: https://www.debian.org/security/2017/dsa-4029
(In reply to David Walser from comment #2) > They also had this one. I don't think we have these commands packaged, but > hopefully Christiaan can confirm it's not relevant for us: > https://www.debian.org/security/2017/dsa-4029 Also seen here with another CVE: https://usn.ubuntu.com/usn/usn-3476-1/ but it does appear to be a Debian-specific thing.
MGA5-32 on Asus A6000VM Xfce Installed 9.4.15-1 over existing 9.4.13-1 Existing test database intact and working. Could create new database and new table in it.
CC: (none) => herman.viaeneWhiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
The docbook nightmare never ends... I just fixed the docbook-dtds package, you should be able to rebuild postgresql in cauldron now.
Keywords: (none) => advisory
MGA5-64 on Lenovo B50 KDE No installation issues Using phppgadmin first threw "Login disallowed for security reasons." Setting $conf['extra_login_security'] = false; in /etc/phppgadmin/conf.inc.php solved this. Postgres was installed before, so I could use the existing database. Then I could create a table in the public schema, create a new schema anda table in that one. All seems OK.
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA5-64-OK
Testing M6/64 AFTER update for: postgresql9.6-plpgsql-9.6.6-1.mga6 postgresql9.6-9.6.6-1.mga6 postgresql9.6-server-9.6.6-1.mga6 lib64pq5-9.6.6-1.mga6 To drive this, I used: pgAdmin3, MediaWiki, Bugzilla pgAdmin3: I could create a database, add tables, alter them, delete them; same for columns. Unable to add any data because I could *not* find how to define table primary keys with it - a prerequisite. MediaWiki, Bugzilla: Added and edited entitites; all seemed OK. I am OKing & validating this because Herman covered M5 and Postgres 9.4, here M6 and Postgres 9.6. If anyone wants also M5/Postgres 9.3 and M6/Postgres 9.4, please shout & unvalidate.
CC: (none) => lewyssmith, sysadmin-bugsWhiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OKKeywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0428.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED