PostgreSQL has released new versions on May 9: https://www.postgresql.org/about/news/1939/ The issues are fixed in 9.4.22, 9.6.13, and 11.3. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the postgresql11 maintainer. CC'ing the postgresql9.6 and postgresql9.4 maintainers, because this issue is valid for them, too.
Assignee: bugsquad => mageia
CC: (none) => cjw, joequant, marja11
Suggested advisory:
========================

Updated postgresql9.4 and postgresql9.4 packages fix security vulnerabilities:

CVE-2019-10129: Memory disclosure in partition routing

Prior to this release, a user running PostgreSQL 11 can read arbitrary bytes of server memory by executing a purpose-crafted INSERT statement to a partitioned table.

CVE-2019-10130: Selectivity estimators bypass row security policies

PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user able to execute SQL queries with permissions to read a given column could craft a leaky operator that could read whatever data had been sampled from that column. If this happened to include values from rows that the user is forbidden to see by a row security policy, the user could effectively bypass the policy. This is fixed by only allowing a non-leakproof operator to use this data if there are no relevant row security policies for the table.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10130

Updated packages in core/updates_testing:
========================
9.4.22:
postgresql9.4-9.4.22-1.mga6
libpq5.7-9.4.22-1.mga6
libecpg9.4_6-9.4.22-1.mga6
postgresql9.4-server-9.4.22-1.mga6
postgresql9.4-docs-9.4.22-1.mga6
postgresql9.4-contrib-9.4.22-1.mga6
postgresql9.4-devel-9.4.22-1.mga6
postgresql9.4-pl-9.4.22-1.mga6
postgresql9.4-plpython-9.4.22-1.mga6
postgresql9.4-plperl-9.4.22-1.mga6
postgresql9.4-pltcl-9.4.22-1.mga6
postgresql9.4-plpgsql-9.4.22-1.mga6
postgresql9.4-debuginfo-9.4.22-1.mga6

9.6.13:
postgresql9.6-9.6.13-3.mga6
libpq5-9.6.13-3.mga6
libecpg9.6_6-9.6.13-3.mga6
postgresql9.6-server-9.6.13-3.mga6
postgresql9.6-docs-9.6.13-3.mga6
postgresql9.6-contrib-9.6.13-3.mga6
postgresql9.6-devel-9.6.13-3.mga6
postgresql9.6-pl-9.6.13-3.mga6
postgresql9.6-plpython-9.6.13-3.mga6
postgresql9.6-plperl-9.6.13-3.mga6
postgresql9.6-pltcl-9.6.13-3.mga6
postgresql9.6-plpgsql-9.6.13-3.mga6
postgresql9.6-debuginfo-9.6.13-3.mga6

SRPM:
postgresql9.4-9.4.22-1.mga6.src.rpm
postgresql9.6-9.6.13-3.mga6.src.rpm
Assignee: mageia => qa-bugs
Thanks. Make sure they get moved to core/release for Cauldron.
CC: (none) => tmb
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Cauldron packages moved...
The following 18 packages are going to be installed:

- glibc-devel-2.22-29.mga6.x86_64
- kernel-userspace-headers-4.14.121-1.mga6.x86_64
- lib64ecpg9.4_6-9.4.22-1.mga6.x86_64
- lib64openssl-devel-1.0.2r-1.mga6.x86_64
- lib64ossp_uuid16-1.6.2-16.mga6.x86_64
- lib64pq5.7-9.4.22-1.mga6.x86_64
- lib64zlib-devel-1.2.11-4.1.mga6.x86_64
- meta-task-6-3.3.mga6.noarch
- postgresql9.4-9.4.22-1.mga6.x86_64
- postgresql9.4-contrib-9.4.22-1.mga6.x86_64
- postgresql9.4-devel-9.4.22-1.mga6.x86_64
- postgresql9.4-docs-9.4.22-1.mga6.noarch
- postgresql9.4-pl-9.4.22-1.mga6.x86_64
- postgresql9.4-plperl-9.4.22-1.mga6.x86_64
- postgresql9.4-plpgsql-9.4.22-1.mga6.x86_64
- postgresql9.4-plpython-9.4.22-1.mga6.x86_64
- postgresql9.4-pltcl-9.4.22-1.mga6.x86_64
- postgresql9.4-server-9.4.22-1.mga6.x86_64

I started postgresql server

# systemctl start postgresql

after it started I su over to the postgres user-id

# su postgres

I created db brian

$ createdb brian
$ psql brian
psql (9.4.22)
Type "help" for help.

brian=# select version();
                                    version
--------------------------------------------------------------------------------
-------------------
 PostgreSQL 9.4.22 on x86_64-mageia-linux-gnu, compiled by gcc (Mageia 5.5.0-1.m
ga6) 5.5.0, 64-bit
(1 row)

I was able to create a table, insert rows, delete and select rows.

works as designed.
CC: (none) => brtians1
The following 17 packages are going to be installed:

- glibc-devel-2.22-29.mga6.x86_64
- kernel-userspace-headers-4.14.121-1.mga6.x86_64
- lib64ecpg9.6_6-9.6.13-3.mga6.x86_64
- lib64openssl-devel-1.0.2r-1.mga6.x86_64
- lib64pq5-9.6.13-3.mga6.x86_64
- lib64zlib-devel-1.2.11-4.1.mga6.x86_64
- meta-task-6-3.3.mga6.noarch
- postgresql9.6-9.6.13-3.mga6.x86_64
- postgresql9.6-contrib-9.6.13-3.mga6.x86_64
- postgresql9.6-devel-9.6.13-3.mga6.x86_64
- postgresql9.6-docs-9.6.13-3.mga6.noarch
- postgresql9.6-pl-9.6.13-3.mga6.x86_64
- postgresql9.6-plperl-9.6.13-3.mga6.x86_64
- postgresql9.6-plpgsql-9.6.13-3.mga6.x86_64
- postgresql9.6-plpython-9.6.13-3.mga6.x86_64
- postgresql9.6-pltcl-9.6.13-3.mga6.x86_64
- postgresql9.6-server-9.6.13-3.mga6.x86_64

# createdb mag9622
createdb: could not connect to database template1: FATAL: role "root" does not exist
[root@localhost postgres]# su postgres
[postgres@localhost postgres]$ createdb mag9622
[postgres@localhost postgres]$ psql mag9622
psql (9.6.13)
Type "help" for help.

mag9622=# select version();
                                    version
--------------------------------------------------------------------------------
-------------------
 PostgreSQL 9.6.13 on x86_64-mageia-linux-gnu, compiled by gcc (Mageia 5.5.0-1.m
ga6) 5.5.0, 64-bit
(1 row)

created a table, inserted, deleted and selected from it.

working so far.
I was able to set up nextcloud with 9.6.13 server and it is working as designed. Meaning it created the db, set up the user, and I've been able to add documents to a nextcloud repo. Working as designed - 64-bit is good.
Whiteboard: (none) => MGA6-64-OK
The following 18 packages are going to be installed:

- glibc-devel-2.22-29.mga6.i586
- kernel-userspace-headers-4.14.121-1.mga6.i586
- libecpg9.4_6-9.4.22-1.mga6.i586
- libopenssl-devel-1.0.2r-1.mga6.i586
- libossp_uuid16-1.6.2-16.mga6.i586
- libpq5.7-9.4.22-1.mga6.i586
- libzlib-devel-1.2.11-4.1.mga6.i586
- meta-task-6-3.3.mga6.noarch
- postgresql9.4-9.4.22-1.mga6.i586
- postgresql9.4-contrib-9.4.22-1.mga6.i586
- postgresql9.4-devel-9.4.22-1.mga6.i586
- postgresql9.4-docs-9.4.22-1.mga6.noarch
- postgresql9.4-pl-9.4.22-1.mga6.i586
- postgresql9.4-plperl-9.4.22-1.mga6.i586
- postgresql9.4-plpgsql-9.4.22-1.mga6.i586
- postgresql9.4-plpython-9.4.22-1.mga6.i586
- postgresql9.4-pltcl-9.4.22-1.mga6.i586
- postgresql9.4-server-9.4.22-1.mga6.i586

I started the server with the command:

# systemctl start postgresql

# create table a32bit (name varchar(64));
CREATE TABLE
# psql i586
i586=# insert into a32bit (name) values ('80386')
i586-# ;
INSERT 0 1
i586=# insert into a32bit (name) values ('80486') ;
INSERT 0 1
i586=# insert into a32bit (name) values ('80586') ;
INSERT 0 1
i586=# insert into a32bit (name) values ('cyrus') ;
INSERT 0 1
i586=# insert into a32bit (name) values ('k6') ;
INSERT 0 1
i586=# insert into a32bit (name) values ('Pentium') ;
INSERT 0 1
i586=# select * from a32bit;
  name
---------
 80386
 80486
 80586
 cyrus
 k6
 Pentium
(6 rows)

i586=# update a32bit set name = 'cyrix' where name = 'cyrus';
UPDATE 1
i586=# select * from a32bit;
  name
---------
 80386
 80486
 80586
 k6
 Pentium
 cyrix
(6 rows)

seems to be working as designed.
Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.

The following 17 packages are going to be installed:

- glibc-devel-2.22-29.mga6.i586
- kernel-userspace-headers-4.14.121-1.mga6.i586
- libecpg9.6_6-9.6.13-3.mga6.i586
- libopenssl-devel-1.0.2r-1.mga6.i586
- libpq5-9.6.13-3.mga6.i586
- libzlib-devel-1.2.11-4.1.mga6.i586
- meta-task-6-3.3.mga6.noarch
- postgresql9.6-9.6.13-3.mga6.i586
- postgresql9.6-contrib-9.6.13-3.mga6.i586
- postgresql9.6-devel-9.6.13-3.mga6.i586
- postgresql9.6-docs-9.6.13-3.mga6.noarch
- postgresql9.6-pl-9.6.13-3.mga6.i586
- postgresql9.6-plperl-9.6.13-3.mga6.i586
- postgresql9.6-plpgsql-9.6.13-3.mga6.i586
- postgresql9.6-plpython-9.6.13-3.mga6.i586
- postgresql9.6-pltcl-9.6.13-3.mga6.i586
- postgresql9.6-server-9.6.13-3.mga6.i586

I started the server and then proceeded to install nextcloud

The following 44 packages are going to be installed:

- apache-2.4.38-1.mga6.i586
- apache-mod_php-7.2.14-1.mga6.i586
- libapr-util1_0-1.5.4-8.mga6.i586
- libapr1_0-1.5.2-2.1.mga6.i586
- libmbfl1-1.3.2-1.mga6.i586
- libonig2-5.9.6-2.mga6.i586
- libphp_common7-7.2.14-1.mga6.i586
- libzip4-1.1.3-1.1.mga6.i586
- nextcloud-13.0.12-1.mga6.noarch
- nextcloud-mysql-13.0.12-1.mga6.noarch
- nextcloud-postgresql-13.0.12-1.mga6.noarch
- php-cgi-7.2.14-1.mga6.i586
- php-ctype-7.2.14-1.mga6.i586
- php-curl-7.2.14-1.mga6.i586
- php-dom-7.2.14-1.mga6.i586
- php-exif-7.2.14-1.mga6.i586
- php-fileinfo-7.2.14-1.mga6.i586
- php-filter-7.2.14-1.mga6.i586
- php-ftp-7.2.14-1.mga6.i586
- php-gd-7.2.14-1.mga6.i586
- php-gettext-7.2.14-1.mga6.i586
- php-hash-7.2.14-1.mga6.i586
- php-iconv-7.2.14-1.mga6.i586
- php-ini-7.2.14-1.mga6.i586
- php-json-7.2.14-1.mga6.i586
- php-ldap-7.2.14-1.mga6.i586
- php-mbstring-7.2.14-1.mga6.i586
- php-mysqlnd-7.2.14-1.mga6.i586
- php-openssl-7.2.14-1.mga6.i586
- php-pcntl-7.2.14-1.mga6.i586
- php-pdo-7.2.14-1.mga6.i586
- php-pdo_mysql-7.2.14-1.mga6.i586
- php-pdo_pgsql-7.2.14-1.mga6.i586
- php-posix-7.2.14-1.mga6.i586
- php-session-7.2.14-1.mga6.i586
- php-sysvsem-7.2.14-1.mga6.i586
- php-sysvshm-7.2.14-1.mga6.i586
- php-tokenizer-7.2.14-1.mga6.i586
- php-xml-7.2.14-1.mga6.i586
- php-xmlreader-7.2.14-1.mga6.i586
- php-xmlwriter-7.2.14-1.mga6.i586
- php-zip-7.2.14-1.mga6.i586
- php-zlib-7.2.14-1.mga6.i586
- webserver-base-2.0-10.mga6.noarch

I start the webservice

# systemctl start httpd

I go into the nextcloud page and start the initialization specifying postgresql

Nextcloud is able to connect to postgres, create user, and tables.

working as designed.
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
Thank you for your tests, Brian. Validating. Suggested advisory in comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Please remember to reset rel when bumping version... This package has "3" but the same package in Cauldron was at "1" causing upgrade failures... postgresql9.6-9.6.13-3.mga6 I've bumped rel in Cauldron to keep it working...
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0189.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED