PostgreSQL has released new versions on March 1: https://www.postgresql.org/about/news/1834/ The issues are fixed in 9.3.22, 9.4.17, and 9.6.8. Mageia 5 and Mageia 6 are also affected. If our Bugzilla is running Mageia 6 now, I don't plan on updating Mageia 5 again.
Whiteboard: (none) => MGA6TOO
It sounds like it was primarily a documentation update to address this issue and mitigating the security issue requires manual intervention. That should be made clear in the advisory.
(In reply to David Walser from comment #0)
> PostgreSQL has released new versions on March 1:
> If our Bugzilla is running Mageia 6 now, I don't plan on updating Mageia 5
> again.

Yep, the whole mga infra is running on mga6
CC: (none) => tmb
(In reply to Thomas Backlund from comment #2)
> Yep, the whole mga infra is running on mga6

OK, cool. Just to be clear, I just meant for this package, but this will further limit what other packages I might update as well. Also, since this bug report hasn't made it clear, postgresql9.4 is only for Mageia 6, postgresql9.6 is in Mageia 6 and Cauldron.
(In reply to David Walser from comment #3)
> Also, since this bug report hasn't made it clear, postgresql9.4 is only for
> Mageia 6, postgresql9.6 is in Mageia 6 and Cauldron.

Assigning to the registered postgresql9.6 maintainer and CC'ing the postgresql9.4 maintainer.
Assignee: bugsquad => joequant
CC: (none) => cjw, marja11
Ubuntu has issued an advisory for this on March 6: https://usn.ubuntu.com/3589-1/
Status comment: (none) => Fixed upstream in 9.4.17 and 9.6.8
PostgreSQL has released new versions on May 10: https://www.postgresql.org/about/news/1851/ The new security issue only affected 9.6.x (fixed in 9.6.9). 9.4.18 is a bugfix release. Fully dealing with the security issue again requires manual intervention, which should be mentioned in our advisory.
Status comment: Fixed upstream in 9.4.17 and 9.6.8 => Fixed upstream in 9.4.17 and 9.6.9
Summary: postgresql new security issue CVE-2018-1058 => postgresql new security issues CVE-2018-1058 and CVE-2018-1115
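Neither the bug report nor the draft advisory spells out what the "manual intervention" consists of. The SQL below is an added example, not part of the Mageia packages or of this report, of the post-install steps the upstream release notes for 9.4.17/9.6.8 (CVE-2018-1058) and 9.6.9 (CVE-2018-1115) leave to the administrator. The role `app_user`, the schema `app` and the table `app.audit_log` are assumed names used only for illustration.

```sql
-- Added example (not from the bug report or the Mageia packages): the steps the
-- upstream advisories for CVE-2018-1058 and CVE-2018-1115 leave to the
-- administrator after the fixed packages are installed. Run as a superuser,
-- connected to each database in turn (template1 included, so databases created
-- later inherit the change). "app_user", "app" and "app.audit_log" are assumed
-- names for illustration.

-- CVE-2018-1058: by default every role may CREATE in "public", and "public" is
-- on everyone's default search_path, so a low-privilege user can define e.g.
-- public.lower(text) and have a superuser's unqualified lower(...) call resolve
-- to it. Close the hole first:
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Verify: must return false for an ordinary application role.
SELECT has_schema_privilege('app_user', 'public', 'CREATE');

-- Then audit what non-superusers have already planted in "public". Anything
-- listed here whose name collides with a pg_catalog function should be
-- inspected and dropped.
SELECT n.nspname, p.proname,
       pg_get_function_identity_arguments(p.oid) AS args,
       pg_get_userbyid(p.proowner) AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND NOT EXISTS (SELECT 1 FROM pg_roles r
                  WHERE r.oid = p.proowner AND r.rolsuper);

-- Operators are resolved through search_path too, so check those as well.
SELECT n.nspname, o.oprname, pg_get_userbyid(o.oprowner) AS owner
FROM pg_operator o
JOIN pg_namespace n ON n.oid = o.oprnamespace
WHERE n.nspname = 'public';

-- Code that runs with elevated rights must not depend on the caller's
-- search_path at all: pin it in every SECURITY DEFINER function so that
-- unqualified names can only resolve to pg_catalog (pg_temp last, so a
-- caller's temporary objects cannot shadow anything either).
CREATE OR REPLACE FUNCTION app.audit_rows(owner_id integer)
RETURNS bigint
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
    SELECT count(*) FROM app.audit_log WHERE owner = owner_id;
$$;

-- Optional: for roles whose own objects live in their own schema, keep
-- "public" out of the lookup path entirely.
ALTER ROLE app_user SET search_path = "$user";

-- CVE-2018-1115 (9.6.x only, and only where the adminpack extension is
-- installed): the fixed package ships a new adminpack version whose update
-- script revokes public EXECUTE on pg_catalog.pg_logfile_rotate(). An existing
-- installation keeps the old grant until the extension is updated.
ALTER EXTENSION adminpack UPDATE;

-- Verify: proacl must no longer carry an "=X/..." entry for PUBLIC.
SELECT proacl
FROM pg_proc
WHERE oid = 'pg_catalog.pg_logfile_rotate()'::regprocedure;
```

The `REVOKE CREATE` and the audit queries have to be repeated in every database of the cluster; installing the updated RPMs changes nothing inside existing databases. The `ALTER EXTENSION adminpack UPDATE` step is what the 9.6.9 release notes ask for; its effect is the same as running `REVOKE EXECUTE ON FUNCTION pg_catalog.pg_logfile_rotate() FROM PUBLIC;` by hand.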
openSUSE has issued an advisory for the newer issue on June 16: https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00029.html
PostgreSQL has released new versions today (August 9): https://www.postgresql.org/about/news/1878/ The issues are fixed in 9.3.24, 9.4.19, and 9.6.10.
Status comment: Fixed upstream in 9.4.17 and 9.6.9 => Fixed upstream in 9.4.19 and 9.6.10
Summary: postgresql new security issues CVE-2018-1058 and CVE-2018-1115 => postgresql new security issues CVE-2018-1058, CVE-2018-1115, CVE-2018-109[12]5
Debian has issued an advisory on August 10 for the new issues: https://www.debian.org/security/2018/dsa-4269
Another reason to upgrade PostgreSQL is that the dump format of pg_dump has been incremented to fix CVE-2018-1058. So if you try to import in Mageia a dump (other than plain SQL) made by an up to date pg_dump, you get the error:

pg_restore: [archiver] unsupported version (1.13) in file header

see https://stackoverflow.com/q/49064209
CC: (none) => r.h.michel+mageia
There is something weird with postgresql9.6 for mga6: I made an update of the spec to bump the tag (as we had version 9.6.7 as package, while 9.6.10 is in svn), but I still build the 9.6.7 version, not the 9.6.10 one:

[bruno@bf3bda9aa9dd postgresql9.6]$ svn ci -m 'SILENT: bump tag'
Sending        SPECS/postgresql9.6.spec
Transmitting file data .done
Committing transaction...
Committed revision 1321232.
[bruno@bf3bda9aa9dd postgresql9.6]$ mgarepo submit 6/postgresql9.6 --define section=core/updates_testing -t 6
Fetching revision...
URL: svn+ssh://svn.mageia.org/svn/packages/updates/6/postgresql9.6
Commit: 1200213 | luigiwalser | 9.6.7 (fixes CVE-2018-1052 and CVE-2018-1053)
Package submitted!

Whereas it should submit revision 1321232 instead. Does anybody know what happens here?
CC: (none) => bruno
Check your checkout. You might have accidentally checked out the Cauldron SVN branch.
Of course, you're right :-( Back to the update then...
Status: NEW => ASSIGNED
Assignee: joequant => bruno
cauldron is already updated with 9.6.10
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
mga6 is also now updated with 9.6.10 (postgresql9.6-9.6.10-3.mga6.src.rpm)
Assignee: bruno => qa-bugs
We're not even close. postgresql10 is packaged totally incorrectly in Cauldron and looks like it was based on Fedora's postgresql packages instead of ours, so it needs to be redone, and in doing so postgresql9.6 was incorrectly removed, so it needs to be restored, this update was built with 3 instead of 1 as the release tag (although we can potentially live with that), and postgresql9.4 hasn't been updated.
Assignee: qa-bugs => bruno
CC: (none) => qa-bugs
Version: 6 => Cauldron
I thought postgresql9.4 was for mga5 but I now realize it's also provided for mga6 and cauldron :-( Will try to upgrade these as well. I've submitted again 9.6 into cauldron. Wrt 10 I've not worked on it so can't comment.
Hummmm, for cauldron:

$ mgarepo co postgresql9.4
svn: E170000: URL 'svn+ssh://svn.mageia.org/svn/packages/cauldron/postgresql9.4/current' doesn't exist

I was thinking it was provided as I had remaining packages in my mirror:
/pub/mageia/distrib/cauldron/x86_64/media/debug/core/release/postgresql9.4-server-debuginfo-9.4.15-2.mga7.x86_64.rpm
[...]

So I guess we removed support of that version for cauldron/mga7 and that these packages will be cleaned up one day. Will work on mga6 then.
Whoa, careful there :o) postgresql9.4 is only for Mageia 6 and has been removed from Cauldron. It was removed by task-obsolete, but a mistake was made in the library major, so a couple libraries haven't been deleted yet (so the SRPM hasn't been either), but the next time task-obsolete is pushed it should take care of that. I believe postgresql10 in Cauldron was done by Joseph Wang who frequently violates our packaging policies and incorrectly imports things without modification from Fedora. Thanks for re-pushing postgresql9.6, but postgresql10 will need to be fixed.
(In reply to Bruno Cornec from comment #17)
> I've submitted again 9.6 into cauldron. Wrt 10 I've not worked on it so
> can't comment.

Didn't work, upload rejected. I just remembered the reason is that the packaging of postgresql9.6 also needs to be adapted (like 9.4 in mga6 for instance) for the fact that it's no longer the primary postgresql package.
Ok, will look at that for 9.6. Meanwhile Joseph answered for 10 on the dev ML and I've pushed 9.4.19 to mga6.
According to tmb, PostgreSQL 11 is out, so it should be imported (correctly this time, based on Mageia's packaging) and replace 10. Thanks for your work on this.

Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database (CVE-2018-1058).

Andrew Krasichkov discovered that libpq did not reset all its connection state during reconnects (CVE-2018-10915).

It was discovered that some "CREATE TABLE" statements could disclose server memory (CVE-2018-10925).

Fully fixing these security issues requires manual intervention. See the upstream advisories for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1058
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10915
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10925
https://www.postgresql.org/docs/9.4/static/release-9-4-17.html
https://www.postgresql.org/docs/9.4/static/release-9-4-18.html
https://www.postgresql.org/docs/9.4/static/release-9-4-19.html
https://www.postgresql.org/docs/9.6/static/release-9-6-8.html
https://www.postgresql.org/docs/9.6/static/release-9-6-9.html
https://www.postgresql.org/docs/9.6/static/release-9-6-10.html
https://www.postgresql.org/about/news/1834/
https://www.postgresql.org/about/news/1851/
https://www.postgresql.org/about/news/1878/
https://www.debian.org/security/2018/dsa-4269
========================

Updated packages in core/updates_testing:
========================
postgresql9.4-9.4.19-1.mga6
libpq5.7-9.4.19-1.mga6
libecpg9.4_6-9.4.19-1.mga6
postgresql9.4-server-9.4.19-1.mga6
postgresql9.4-docs-9.4.19-1.mga6
postgresql9.4-contrib-9.4.19-1.mga6
postgresql9.4-devel-9.4.19-1.mga6
postgresql9.4-pl-9.4.19-1.mga6
postgresql9.4-plpython-9.4.19-1.mga6
postgresql9.4-plperl-9.4.19-1.mga6
postgresql9.4-pltcl-9.4.19-1.mga6
postgresql9.4-plpgsql-9.4.19-1.mga6
postgresql9.6-9.6.10-3.mga6
lib64pq5-9.6.10-3.mga6
lib64ecpg9.6_6-9.6.10-3.mga6
postgresql9.6-server-9.6.10-3.mga6
postgresql9.6-docs-9.6.10-3.mga6
postgresql9.6-contrib-9.6.10-3.mga6
postgresql9.6-devel-9.6.10-3.mga6
postgresql9.6-pl-9.6.10-3.mga6
postgresql9.6-plpython-9.6.10-3.mga6
postgresql9.6-plperl-9.6.10-3.mga6
postgresql9.6-pltcl-9.6.10-3.mga6
postgresql9.6-plpgsql-9.6.10-3.mga6

from SRPMS:
postgresql9.4-9.4.19-1.mga6.src.rpm
postgresql9.6-9.6.10-3.mga6.src.rpm
CC: qa-bugs => (none)
Assignee: bruno => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
So to recap:
- 9.6.10 is now uploaded into mga6 and cauldron (for it I made the same adaptations as what was done for 9.4 as it's not the main version anymore)
- 9.4.19 is now uploaded into mga6

Wrt pg10, I think it's worth a separate BR, as this one is only on the security of the 2 previous versions, and that should not interfere with our ability to provide the quickest security updates we can.
So as David mentioned, let's integrate pg11 (not necessarily me !) and split that from this BR.
Bug 23732 for pg10/11.
MGA6-64 Plasma on Lenovo B50
Installed postgresql9.6.10 without issues over previous versions. Postgres runs OK, I could access my test database, create a new table in it and delete a previous test table. Seems OK.
CC: (none) => herman.viaene
$ uname -a
Linux localhost 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:41:16 UTC 2018 i686 i686 i686 GNU/Linux

The following 15 packages are going to be installed:

- libecpg9.4_6-9.4.19-1.mga6.i586
- libopenssl-devel-1.0.2p-1.mga6.i586
- libossp_uuid16-1.6.2-16.mga6.i586
- libpq5.7-9.4.19-1.mga6.i586
- libzlib-devel-1.2.11-4.1.mga6.i586
- postgresql9.4-9.4.19-1.mga6.i586
- postgresql9.4-contrib-9.4.19-1.mga6.i586
- postgresql9.4-devel-9.4.19-1.mga6.i586
- postgresql9.4-docs-9.4.19-1.mga6.noarch
- postgresql9.4-pl-9.4.19-1.mga6.i586
- postgresql9.4-plperl-9.4.19-1.mga6.i586
- postgresql9.4-plpgsql-9.4.19-1.mga6.i586
- postgresql9.4-plpython-9.4.19-1.mga6.i586
- postgresql9.4-pltcl-9.4.19-1.mga6.i586
- postgresql9.4-server-9.4.19-1.mga6.i586

51MB of additional disk space will be used.

Rebooted, su'd into postgres ID from root.
Created database using the command
$ createdb mydb
logged into database
$ psql mydb
created a table
mydb=# create table mga (vname varchar(65), version float);
inserted some rows with the command:
mydb=# insert into mga values ('Mageia', 1);
selected some rows
mydb=# select * from mga;
  vname   | version
----------+---------
 Mageia   |       1
 Ubuntu   |    6.06
 Mandrake |     100
 Debian   |      12
(4 rows)
created an index on the table
mydb=# create index mgai on mga (vname);
Did another select.

9.4.19-1 seems to be working as designed.
CC: (none) => brtians1
@Brian, comment #27. Good work Brian. Thanks. You should add the 64-bit OK. Doing it for you just now.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
$ uname -a
Linux localhost 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:41:16 UTC 2018 i686 i686 i686 GNU/Linux

The following 16 packages are going to be installed:

- glibc-devel-2.22-29.mga6.i586
- kernel-userspace-headers-4.14.78-1.mga6.i586
- libecpg9.6_6-9.6.10-3.mga6.i586
- libopenssl-devel-1.0.2p-1.mga6.i586
- libpq5-9.6.10-3.mga6.i586
- libzlib-devel-1.2.11-4.1.mga6.i586
- postgresql9.6-9.6.10-3.mga6.i586
- postgresql9.6-contrib-9.6.10-3.mga6.i586
- postgresql9.6-devel-9.6.10-3.mga6.i586
- postgresql9.6-docs-9.6.10-3.mga6.noarch
- postgresql9.6-pl-9.6.10-3.mga6.i586
- postgresql9.6-plperl-9.6.10-3.mga6.i586
- postgresql9.6-plpgsql-9.6.10-3.mga6.i586
- postgresql9.6-plpython-9.6.10-3.mga6.i586
- postgresql9.6-pltcl-9.6.10-3.mga6.i586
- postgresql9.6-server-9.6.10-3.mga6.i586

67MB of additional disk space will be used.

Followed the same scenario as before. Working as designed for mga6-32 and postgres 9.6.
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
Thanks, Brian, Len, Herman. Validating. Advisory in Comment 22. (I think)
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory from comment 22; but, @David: the description does not mention CVE-2018-1115.
Keywords: (none) => advisory
CC: (none) => lewyssmith
Yeah lemme fix that. I'll repost later.
Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database (CVE-2018-1058).

PostgreSQL 9.6.x before 9.6.9 is vulnerable in the adminpack extension: the pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs as pg_rotate_logfile. If the adminpack is added to a database, an attacker able to connect to it could exploit this to force log rotation (CVE-2018-1115).

Andrew Krasichkov discovered that libpq did not reset all its connection state during reconnects (CVE-2018-10915).

It was discovered that some "CREATE TABLE" statements could disclose server memory (CVE-2018-10925).

Fully fixing these security issues requires manual intervention. See the upstream advisories for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1058
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10915
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10925
https://www.postgresql.org/docs/9.4/static/release-9-4-17.html
https://www.postgresql.org/docs/9.4/static/release-9-4-18.html
https://www.postgresql.org/docs/9.4/static/release-9-4-19.html
https://www.postgresql.org/docs/9.6/static/release-9-6-8.html
https://www.postgresql.org/docs/9.6/static/release-9-6-9.html
https://www.postgresql.org/docs/9.6/static/release-9-6-10.html
https://www.postgresql.org/about/news/1834/
https://www.postgresql.org/about/news/1851/
https://www.postgresql.org/about/news/1878/
https://www.debian.org/security/2018/dsa-4269
Keywords: advisory => (none)
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0446.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED