PostgreSQL has released new versions on February 8: https://www.postgresql.org/about/news/1829/

The issues are fixed in 9.3.21, 9.4.16, and 9.6.7. Mageia 5 is also affected.

Updated packages uploaded for Mageia 6 and Cauldron.

Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

In postgresql 9.4.x before 9.4.16 and 9.6.x before 9.6.7, pg_upgrade creates a file in the current working directory containing the output of `pg_dumpall -g` under the umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords. The attack is infeasible if a directory mode blocks the attacker searching the current working directory or if the prevailing umask blocks the attacker opening the file (CVE-2018-1053).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1053
https://www.postgresql.org/docs/9.4/static/release-9-4-16.html
https://www.postgresql.org/docs/9.6/static/release-9-6-7.html
https://www.postgresql.org/about/news/1829/
========================

Updated packages in core/updates_testing:
========================
postgresql9.4-9.4.16-1.mga6
libpq5.7-9.4.16-1.mga6
libecpg9.4_6-9.4.16-1.mga6
postgresql9.4-server-9.4.16-1.mga6
postgresql9.4-docs-9.4.16-1.mga6
postgresql9.4-contrib-9.4.16-1.mga6
postgresql9.4-devel-9.4.16-1.mga6
postgresql9.4-pl-9.4.16-1.mga6
postgresql9.4-plpython-9.4.16-1.mga6
postgresql9.4-plperl-9.4.16-1.mga6
postgresql9.4-pltcl-9.4.16-1.mga6
postgresql9.4-plpgsql-9.4.16-1.mga6
postgresql9.6-9.6.7-1.mga6
libpq5-9.6.7-1.mga6
libecpg9.6_6-9.6.7-1.mga6
postgresql9.6-server-9.6.7-1.mga6
postgresql9.6-docs-9.6.7-1.mga6
postgresql9.6-contrib-9.6.7-1.mga6
postgresql9.6-devel-9.6.7-1.mga6
postgresql9.6-pl-9.6.7-1.mga6
postgresql9.6-plpython-9.6.7-1.mga6
postgresql9.6-plperl-9.6.7-1.mga6
postgresql9.6-pltcl-9.6.7-1.mga6
postgresql9.6-plpgsql-9.6.7-1.mga6

from SRPMS:
postgresql9.4-9.4.16-1.mga6.src.rpm
postgresql9.6-9.6.7-1.mga6.src.rpm
Keywords: (none) => has_procedure
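The advisory text above describes the file-permission mechanism behind CVE-2018-1053: a file written with the caller's prevailing umask instead of the 0077 umask PostgreSQL uses for its other temporary files. The Python script below is an added illustration, not PostgreSQL's or Mageia's code. It contrasts creating a file under the prevailing umask with creating it owner-only (what a 0077 umask yields), then applies the two conditions the advisory names as blocking the attack: no group/other access on the file, and a working directory without search permission for others. The function names, the temporary directory layout and SAMPLE_DUMP are constructed for the demo.

```python
import os
import shutil
import stat
import tempfile

# Constructed stand-in for `pg_dumpall -g` output; real output would carry
# role definitions including password hashes, which is why its mode matters.
SAMPLE_DUMP = "CREATE ROLE appuser LOGIN PASSWORD 'md5...constructed...';\n"


def write_with_prevailing_umask(path: str, data: str) -> int:
    """Pattern the advisory describes: request 0666 and let only the caller's
    umask trim it. With the common umask 022 the file ends up 0644, so every
    local user who can reach the directory can read it. Returns the mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_owner_only(path: str, data: str) -> int:
    """Hardened pattern: request 0600 at creation time, which is what a 0077
    umask would produce regardless of the caller's umask. O_EXCL refuses to
    reuse a file that someone else pre-created in the directory."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def others_can_read_or_write(path: str) -> bool:
    """Audit check: True if any group/other read or write bit is set."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH))


def directory_blocks_search(dirpath: str) -> bool:
    """The advisory's first mitigating condition: a directory with no
    group/other search (execute) bit stops other users reaching its files."""
    mode = os.stat(dirpath).st_mode
    return not (mode & (stat.S_IXGRP | stat.S_IXOTH))


def demo(umask: int = 0o022) -> dict:
    """Write both files under the given umask inside a fresh private temp
    directory and report the resulting modes and check results."""
    old_umask = os.umask(umask)
    workdir = tempfile.mkdtemp()  # mkdtemp always creates the directory 0700
    try:
        leaky = os.path.join(workdir, "leaky_globals.sql")
        private = os.path.join(workdir, "private_globals.sql")
        result = {
            "umask": umask,
            "leaky_mode": write_with_prevailing_umask(leaky, SAMPLE_DUMP),
            "private_mode": write_owner_only(private, SAMPLE_DUMP),
        }
        result["leaky_exposed"] = others_can_read_or_write(leaky)
        result["private_exposed"] = others_can_read_or_write(private)
        result["dir_blocks_search"] = directory_blocks_search(workdir)
        return result
    finally:
        os.umask(old_umask)
        shutil.rmtree(workdir)


if __name__ == "__main__":
    # Under umask 022 the leaky file is 0644 and exposed; under umask 077 the
    # same code yields 0600, which is the advisory's second mitigating condition.
    for m in (0o022, 0o077):
        r = demo(m)
        print("umask %04o: leaky %04o exposed=%s, private %04o exposed=%s, dir blocks search=%s"
              % (r["umask"], r["leaky_mode"], r["leaky_exposed"],
                 r["private_mode"], r["private_exposed"], r["dir_blocks_search"]))
```

Running it on a Linux host shows why the fix requests 0600 explicitly rather than relying on the environment: the hardened writer produces the same mode under any umask, while the original pattern is only safe when the caller happened to run with a restrictive umask or from a directory others cannot search.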
So I found out that our Bugzilla runs on postgresql9.4, so I am *only* updating that for Mageia 5, not postgresql9.3.

Advisory addendum:

Note that on Mageia 5, only the postgresql9.4 update is being provided. Users of the postgresql9.3 package should migrate to 9.4.

postgresql9.4-9.4.16-1.mga5
libpq5-9.4.16-1.mga5
libecpg9.4_6-9.4.16-1.mga5
postgresql9.4-server-9.4.16-1.mga5
postgresql9.4-docs-9.4.16-1.mga5
postgresql9.4-contrib-9.4.16-1.mga5
postgresql9.4-devel-9.4.16-1.mga5
postgresql9.4-pl-9.4.16-1.mga5
postgresql9.4-plpython-9.4.16-1.mga5
postgresql9.4-plperl-9.4.16-1.mga5
postgresql9.4-pltcl-9.4.16-1.mga5
postgresql9.4-plpgsql-9.4.16-1.mga5

from postgresql9.4-9.4.16-1.mga5.src.rpm
Whiteboard: (none) => MGA5TOO
MGA5-32 on Dell Latitude D600 Xfce
No installation issues. Installation over existing 9.4.15.
Ref to bug 22556 Comment 6: Using phppgadmin first threw "Login disallowed for security reasons." Setting $conf['extra_login_security'] = false; in /etc/phppgadmin/conf.inc.php solved this.
Created new schema, new table, all OK.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
MGA6-32 on Dell Latitude D600
No installation issues for 9.6. Did not have a previous version.
Used pgadmin3 to test. This one warns that different options have not been installed. Continuing.
Able to define a new database, a new login role, a new schema and a new table in it. Added columns to the table, and added a primary and unique key to it. During these last two operations, warning windows came up, but allowed me to continue. I was able to finish all operations with success.
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK
This just needs a 9.4 test for mga6
CC: (none) => davidwhodgins
Keywords: (none) => advisory
9.4 tested on m6 using pgadmin3 to create a login role, a db, etc.
Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0137.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED