PostgreSQL has released new versions on August 8: https://www.postgresql.org/about/news/1960/ The issues are fixed in 9.4.24, 9.6.15, and 11.5. Mageia 6 and Mageia 7 are also affected.
Whiteboard: (none) => MGA7TOO, MGA6TOO
Assigning to our registered maintainer of postgresql11, CC'ing our registered maintainers of postgresql9.4 and 9.6.
CC: (none) => cjw, joequant, marja11
Assignee: bugsquad => mageia
Suggested advisory:
========================

Updated postgresql9.4, postgresql9.6 and postgresql11 packages fix security vulnerabilities:

Given a suitable SECURITY DEFINER function, an attacker can execute arbitrary SQL under the identity of the function owner. An attack requires EXECUTE permission on the function, which must itself contain a function call having inexact argument type match. For example, length('foo'::varchar) and length('foo') are inexact, while length('foo'::text) is exact. [1]

Memory disclosure in cross-type comparison for hashed subplan: In a database containing hypothetical, user-defined hash equality operators, an attacker could read arbitrary bytes of server memory. For an attack to become possible, a superuser would need to create unusual operators. It is possible for operators not purpose-crafted for attack to have the properties that enable an attack, but we are not aware of specific examples. [2]

This update also fixes over 40 bugs that were reported in the last several months. [3]

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10208
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10209
[3] https://www.postgresql.org/about/news/1960/
========================

Updated packages in core/updates_testing:
========================
mga6:
postgresql9.4-9.4.24-1.mga6
libpq5.7-9.4.24-1.mga6
libecpg9.4_6-9.4.24-1.mga6
postgresql9.4-server-9.4.24-1.mga6
postgresql9.4-docs-9.4.24-1.mga6.noarch
postgresql9.4-contrib-9.4.24-1.mga6
postgresql9.4-devel-9.4.24-1.mga6
postgresql9.4-pl-9.4.24-1.mga6
postgresql9.4-plpython-9.4.24-1.mga6
postgresql9.4-plperl-9.4.24-1.mga6
postgresql9.4-pltcl-9.4.24-1.mga6
postgresql9.4-plpgsql-9.4.24-1.mga6
postgresql9.4-debuginfo-9.4.24-1.mga6
postgresql9.6-9.6.15-1.mga6
libpq5.9-9.6.15-1.mga6
libecpg9.6_6-9.6.15-1.mga6
postgresql9.6-server-9.6.15-1.mga6
postgresql9.6-docs-9.6.15-1.mga6
postgresql9.6-contrib-9.6.15-1.mga6
postgresql9.6-devel-9.6.15-1.mga6
postgresql9.6-pl-9.6.15-1.mga6
postgresql9.6-plpython-9.6.15-1.mga6
postgresql9.6-plperl-9.6.15-1.mga6
postgresql9.6-pltcl-9.6.15-1.mga6
postgresql9.6-plpgsql-9.6.15-1.mga6
postgresql9.6-debugsource-9.6.15-1.mga6
postgresql9.6-debuginfo-9.6.15-1.mga6
libpq5.9-debuginfo-9.6.15-1.mga6
libecpg9.6_6-debuginfo-9.6.15-1.mga6
postgresql9.6-server-debuginfo-9.6.15-1.mga6
postgresql9.6-contrib-debuginfo-9.6.15-1.mga6
postgresql9.6-devel-debuginfo-9.6.15-1.mga6
postgresql9.6-plpython-debuginfo-9.6.15-1.mga6
postgresql9.6-plperl-debuginfo-9.6.15-1.mga6
postgresql9.6-pltcl-debuginfo-9.6.15-1.mga6
postgresql9.6-plpgsql-debuginfo-9.6.15-1.mga6

mga7:
postgresql9.6-9.6.15-1.mga7
libpq5.9-9.6.15-1.mga7
libecpg9.6_6-9.6.15-1.mga7
postgresql9.6-server-9.6.15-1.mga7
postgresql9.6-docs-9.6.15-1.mga7
postgresql9.6-contrib-9.6.15-1.mga7
postgresql9.6-devel-9.6.15-1.mga7
postgresql9.6-pl-9.6.15-1.mga7
postgresql9.6-plpython-9.6.15-1.mga7
postgresql9.6-plperl-9.6.15-1.mga7
postgresql9.6-pltcl-9.6.15-1.mga7
postgresql9.6-plpgsql-9.6.15-1.mga7
postgresql9.6-debugsource-9.6.15-1.mga7
postgresql9.6-debuginfo-9.6.15-1.mga7
libpq5.9-debuginfo-9.6.15-1.mga7
libecpg9.6_6-debuginfo-9.6.15-1.mga7
postgresql9.6-server-debuginfo-9.6.15-1.mga7
postgresql9.6-contrib-debuginfo-9.6.15-1.mga7
postgresql9.6-devel-debuginfo-9.6.15-1.mga7
postgresql9.6-plpython-debuginfo-9.6.15-1.mga7
postgresql9.6-plperl-debuginfo-9.6.15-1.mga7
postgresql9.6-pltcl-debuginfo-9.6.15-1.mga7
postgresql9.6-plpgsql-debuginfo-9.6.15-1.mga7
postgresql11-11.5-1.mga7
lib64pq5-11.5-1.mga7
lib64ecpg11_6-11.5-1.mga7
postgresql11-server-11.5-1.mga7
postgresql11-docs-11.5-1.mga7
postgresql11-contrib-11.5-1.mga7
postgresql11-devel-11.5-1.mga7
postgresql11-pl-11.5-1.mga7
postgresql11-plpython-11.5-1.mga7
postgresql11-plpython3-11.5-1.mga7
postgresql11-plperl-11.5-1.mga7
postgresql11-pltcl-11.5-1.mga7
postgresql11-plpgsql-11.5-1.mga7
postgresql11-debugsource-11.5-1.mga7
postgresql11-debuginfo-11.5-1.mga7
lib64pq5-debuginfo-11.5-1.mga7
lib64ecpg11_6-debuginfo-11.5-1.mga7
postgresql11-server-debuginfo-11.5-1.mga7
postgresql11-contrib-debuginfo-11.5-1.mga7
postgresql11-devel-debuginfo-11.5-1.mga7
postgresql11-plpython-debuginfo-11.5-1.mga7
postgresql11-plpython3-debuginfo-11.5-1.mga7
postgresql11-plperl-debuginfo-11.5-1.mga7
postgresql11-pltcl-debuginfo-11.5-1.mga7
postgresql11-plpgsql-debuginfo-11.5-1.mga7

Source RPMs:
postgresql9.4-9.4.24-1.mga6.src.rpm
postgresql9.6-9.6.15-1.mga6.src.rpm
postgresql9.6-9.6.15-1.mga7.src.rpm
postgresql11-11.5-1.mga7.src.rpm
Assignee: mageia => qa-bugs
Thanks. Feel free to remove postgresql9.6 from Cauldron, as it won't be shipped in Mageia 8.

Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

Given a suitable SECURITY DEFINER function, an attacker can execute arbitrary SQL under the identity of the function owner. An attack requires EXECUTE permission on the function, which must itself contain a function call having inexact argument type match. For example, length('foo'::varchar) and length('foo') are inexact, while length('foo'::text) is exact (CVE-2019-10208).

In a database containing hypothetical, user-defined hash equality operators, an attacker could read arbitrary bytes of server memory. For an attack to become possible, a superuser would need to create unusual operators. It is possible for operators not purpose-crafted for attack to have the properties that enable an attack, but we are not aware of specific examples (CVE-2019-10209).

This update also fixes over 40 bugs that were reported in the last several months. See the upstream release notes for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10208
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10209
https://www.postgresql.org/docs/9.4/release-9-4-24.html
https://www.postgresql.org/docs/9.6/release-9-6-15.html
https://www.postgresql.org/docs/11/release-11-5.html
https://www.postgresql.org/about/news/1960/
Version: Cauldron => 7
CC: (none) => mageia
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
MGA7 - VM instance 64-bit Postgres 11-11.5.1 testing

Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-pl-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-devel-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-plperl-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-plpython-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-plpython3-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-pltcl-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-contrib-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-docs-11.4-1.mga7.noarch: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-server-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-11.4-1.mga7.x86_64: success
Aug 16 12:58:59 linux.local [RPM][2390]: erase postgresql11-plpgsql-11.4-1.mga7.x86_64: success
Aug 16 12:59:03 linux.local [RPM][2390]: install postgresql11-11.5-1.mga7.x86_64: success
Aug 16 12:59:04 linux.local [RPM][2390]: install postgresql11-plpgsql-11.5-1.mga7.x86_64: success
Aug 16 12:59:09 linux.local systemd-tmpfiles[2510]: [/usr/lib/tmpfiles.d/postgresql.conf:1] Line references path below legacy directory /var/run/, updating /var/run/postgresql → /run/postgresql; please update the tmpfiles.d/ drop-in file accordingly.
Aug 16 12:59:09 linux.local [RPM][2390]: install postgresql11-server-11.5-1.mga7.x86_64: success
Aug 16 12:59:10 linux.local [RPM][2390]: install postgresql11-plpython-11.5-1.mga7.x86_64: success
Aug 16 12:59:11 linux.local [RPM][2390]: install postgresql11-pltcl-11.5-1.mga7.x86_64: success
Aug 16 12:59:11 linux.local [RPM][2390]: install postgresql11-plpython3-11.5-1.mga7.x86_64: success
Aug 16 12:59:12 linux.local [RPM][2390]: install postgresql11-plperl-11.5-1.mga7.x86_64: success
Aug 16 12:59:17 linux.local [RPM][2390]: install postgresql11-devel-11.5-1.mga7.x86_64: success
Aug 16 12:59:17 linux.local [RPM][2390]: install postgresql11-pl-11.5-1.mga7.x86_64: success
Aug 16 12:59:20 linux.local [RPM][2390]: install postgresql11-contrib-11.5-1.mga7.x86_64: success
Aug 16 12:59:25 linux.local [RPM][2390]: install postgresql11-docs-11.5-1.mga7.noarch: success
Aug 16 12:59:27 linux.local [RPM][2390]: erase postgresql11-pl-11.4-1.mga7.x86_64: success
Aug 16 12:59:29 linux.local [RPM][2390]: erase postgresql11-devel-11.4-1.mga7.x86_64: success
Aug 16 12:59:32 linux.local [RPM][2390]: erase postgresql11-plperl-11.4-1.mga7.x86_64: success
Aug 16 12:59:33 linux.local [RPM][2390]: erase postgresql11-plpython-11.4-1.mga7.x86_64: success
Aug 16 12:59:34 linux.local [RPM][2390]: erase postgresql11-plpython3-11.4-1.mga7.x86_64: success
Aug 16 12:59:34 linux.local [RPM][2390]: erase postgresql11-pltcl-11.4-1.mga7.x86_64: success
Aug 16 12:59:35 linux.local [RPM][2390]: erase postgresql11-contrib-11.4-1.mga7.x86_64: success
Aug 16 12:59:36 linux.local [RPM][2390]: erase postgresql11-docs-11.4-1.mga7.noarch: success
Aug 16 12:59:38 linux.local [RPM][2390]: erase postgresql11-server-11.4-1.mga7.x86_64: success
Aug 16 12:59:39 linux.local [RPM][2390]: erase postgresql11-11.4-1.mga7.x86_64: success
Aug 16 12:59:42 linux.local [RPM][2390]: erase postgresql11-plpgsql-11.4-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local systemd-tmpfiles[2549]: [/usr/lib/tmpfiles.d/postgresql.conf:1] Line references path below legacy directory /var/run/, updating /var/run/postgresql → /run/postgresql; please update the tmpfiles.d/ drop-in file accordingly.
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-plpgsql-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-server-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-plpython-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-pltcl-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-plpython3-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-plperl-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-devel-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-pl-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-contrib-11.5-1.mga7.x86_64: success
Aug 16 12:59:43 linux.local [RPM][2390]: install postgresql11-docs-11.5-1.mga7.noarch: success

So, this is a replacement for postgres 11.4. I rebooted the system, started postgres services and enabled apache with nextcloud. Nextcloud worked as designed.
CC: (none) => brtians1
MGA7 - 64bit VM running GNOME

$ uname -a
Linux linux.local 5.2.7-desktop-1.mga7 #1 SMP Wed Aug 7 10:32:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

- glibc-devel-2.29-13.mga7.x86_64
- kernel-userspace-headers-5.2.7-1.mga7.x86_64
- lib64ecpg9.6_6-9.6.15-1.mga7.x86_64
- lib64openssl-devel-1.1.0j-1.mga7.x86_64
- lib64pq5.9-9.6.15-1.mga7.x86_64
- lib64xcrypt-devel-4.4.6-1.mga7.x86_64
- lib64zlib-devel-1.2.11-7.mga7.x86_64
- multiarch-utils-1.0.14-2.mga7.noarch
- postgresql9.6-9.6.15-1.mga7.x86_64
- postgresql9.6-contrib-9.6.15-1.mga7.x86_64
- postgresql9.6-devel-9.6.15-1.mga7.x86_64
- postgresql9.6-docs-9.6.15-1.mga7.noarch
- postgresql9.6-pl-9.6.15-1.mga7.x86_64
- postgresql9.6-plperl-9.6.15-1.mga7.x86_64
- postgresql9.6-plpgsql-9.6.15-1.mga7.x86_64
- postgresql9.6-plpython-9.6.15-1.mga7.x86_64
- postgresql9.6-pltcl-9.6.15-1.mga7.x86_64
- postgresql9.6-server-9.6.15-1.mga7.x86_64

Afterwards I installed Nextcloud and configured it for postgres. It worked as designed. I was able to enable files. I'm giving mga7-64-ok
Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
MGA6 - Xfce - x86_64

$ uname -a
Linux localhost 4.14.137-desktop-1.mga6 #1 SMP Wed Aug 7 11:51:54 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

- glibc-devel-2.22-29.mga6.x86_64
- kernel-userspace-headers-4.14.137-1.mga6.x86_64
- lib64ecpg9.4_6-9.4.24-1.mga6.x86_64
- lib64openssl-devel-1.0.2r-1.mga6.x86_64
- lib64ossp_uuid16-1.6.2-16.mga6.x86_64
- lib64pq5.7-9.4.24-1.mga6.x86_64
- lib64zlib-devel-1.2.11-4.1.mga6.x86_64
- postgresql9.4-9.4.24-1.mga6.x86_64
- postgresql9.4-contrib-9.4.24-1.mga6.x86_64
- postgresql9.4-devel-9.4.24-1.mga6.x86_64
- postgresql9.4-docs-9.4.24-1.mga6.noarch
- postgresql9.4-pl-9.4.24-1.mga6.x86_64
- postgresql9.4-plperl-9.4.24-1.mga6.x86_64
- postgresql9.4-plpgsql-9.4.24-1.mga6.x86_64
- postgresql9.4-plpython-9.4.24-1.mga6.x86_64
- postgresql9.4-pltcl-9.4.24-1.mga6.x86_64
- postgresql9.4-server-9.4.24-1.mga6.x86_64

I installed nextcloud server and started all services. Able to add document - this is working as designed.
MGA6 - Xfce - x86_64

$ uname -a
Linux localhost 4.14.137-desktop-1.mga6 #1 SMP Wed Aug 7 11:51:54 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Upgraded postgres from 9.4.9 to 9.6.15 after stopping all services, restarted and then tested again. Working as designed.

- lib64ecpg9.6_6-9.6.15-1.mga6.x86_64
- postgresql9.6-9.6.15-1.mga6.x86_64
- postgresql9.6-contrib-9.6.15-1.mga6.x86_64
- postgresql9.6-devel-9.6.15-1.mga6.x86_64
- postgresql9.6-docs-9.6.15-1.mga6.noarch
- postgresql9.6-pl-9.6.15-1.mga6.x86_64
- postgresql9.6-plperl-9.6.15-1.mga6.x86_64
- postgresql9.6-plpgsql-9.6.15-1.mga6.x86_64
- postgresql9.6-plpython-9.6.15-1.mga6.x86_64
- postgresql9.6-pltcl-9.6.15-1.mga6.x86_64
- postgresql9.6-server-9.6.15-1.mga6.x86_64
Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA7-64-OK MGA6-64-OK
$ uname -a
Linux localhost 5.2.7-desktop-1.mga7 #1 SMP Wed Aug 7 10:49:38 UTC 2019 i686 i686 i386 GNU/Linux

- glibc-devel-2.29-13.mga7.i586
- kernel-userspace-headers-5.2.7-1.mga7.i586
- libecpg9.6_6-9.6.15-1.mga7.i586
- libopenssl-devel-1.1.0j-1.mga7.i586
- libpq5.9-9.6.15-1.mga7.i586
- libxcrypt-devel-4.4.6-1.mga7.i586
- libzlib-devel-1.2.11-7.mga7.i586
- multiarch-utils-1.0.14-2.mga7.noarch
- postgresql9.6-9.6.15-1.mga7.i586
- postgresql9.6-contrib-9.6.15-1.mga7.i586
- postgresql9.6-devel-9.6.15-1.mga7.i586
- postgresql9.6-docs-9.6.15-1.mga7.noarch
- postgresql9.6-pl-9.6.15-1.mga7.i586
- postgresql9.6-plperl-9.6.15-1.mga7.i586
- postgresql9.6-plpgsql-9.6.15-1.mga7.i586
- postgresql9.6-plpython-9.6.15-1.mga7.i586
- postgresql9.6-pltcl-9.6.15-1.mga7.i586
- postgresql9.6-server-9.6.15-1.mga7.i586

Services started properly. I installed Nextcloud and initialized it. Able to promote documents. Working as designed.
MGA7 - 32bit - Mate

$ uname -a
Linux localhost 5.2.7-desktop-1.mga7 #1 SMP Wed Aug 7 10:49:38 UTC 2019 i686 i686 i386 GNU/Linux

- libecpg11_6-11.5-1.mga7.i586
- postgresql11-11.5-1.mga7.i586
- postgresql11-contrib-11.5-1.mga7.i586
- postgresql11-devel-11.5-1.mga7.i586
- postgresql11-docs-11.5-1.mga7.noarch
- postgresql11-pl-11.5-1.mga7.i586
- postgresql11-plperl-11.5-1.mga7.i586
- postgresql11-plpgsql-11.5-1.mga7.i586
- postgresql11-plpython-11.5-1.mga7.i586
- postgresql11-plpython3-11.5-1.mga7.i586
- postgresql11-pltcl-11.5-1.mga7.i586
- postgresql11-server-11.5-1.mga7.i586

Started all of the services for postgres and http and ran Nextcloud. Working as designed.
Whiteboard: MGA6TOO MGA7-64-OK MGA6-64-OK => MGA6TOO MGA7-64-OK MGA6-64-OK MGA7-32-OK
MGA6 - 32bit - Mate

$ uname -a
Linux localhost 4.14.137-desktop-1.mga6 #1 SMP Wed Aug 7 15:08:19 UTC 2019 i686 i686 i686 GNU/Linux

- glibc-devel-2.22-29.mga6.i586
- kernel-userspace-headers-4.14.137-1.mga6.i586
- libecpg9.6_6-9.6.15-1.mga6.i586
- libopenssl-devel-1.0.2r-1.mga6.i586
- libpq5-9.6.15-1.mga6.i586
- libzlib-devel-1.2.11-4.1.mga6.i586
- postgresql9.6-9.6.15-1.mga6.i586
- postgresql9.6-contrib-9.6.15-1.mga6.i586
- postgresql9.6-devel-9.6.15-1.mga6.i586
- postgresql9.6-docs-9.6.15-1.mga6.noarch
- postgresql9.6-pl-9.6.15-1.mga6.i586
- postgresql9.6-plperl-9.6.15-1.mga6.i586
- postgresql9.6-plpgsql-9.6.15-1.mga6.i586
- postgresql9.6-plpython-9.6.15-1.mga6.i586
- postgresql9.6-pltcl-9.6.15-1.mga6.i586
- postgresql9.6-server-9.6.15-1.mga6.i586

Repeated the routine of installing nextcloud and checking in files. Worked as designed.
MGA6 - 32bit - Mate

$ uname -a
Linux localhost 4.14.137-desktop-1.mga6 #1 SMP Wed Aug 7 15:08:19 UTC 2019 i686 i686 i686 GNU/Linux

This time I was more selective for 9.4

- libossp_uuid16-1.6.2-16.mga6.i586
- libpq5.7-9.4.24-1.mga6.i586
- postgresql9.4-9.4.24-1.mga6.i586
- postgresql9.4-plpgsql-9.4.24-1.mga6.i586
- postgresql9.4-server-9.4.24-1.mga6.i586

Installed nextcloud 13 - it worked without issue with postgres
Whiteboard: MGA6TOO MGA7-64-OK MGA6-64-OK MGA7-32-OK => MGA6TOO MGA7-64-OK MGA6-64-OK MGA7-32-OK MGA6-32-OK
Validating. Advisory in Comment 2, and revised in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0225.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED