PostgreSQL has released new versions today (February 13): https://www.postgresql.org/about/news/2011/ The issues are fixed in 9.6.17, 11.7, and 12.2. Cauldron is affected (postgresql12 and postgresql11). Mageia 7 is also affected (postgresql11 and postgresql9.6).
Whiteboard: (none) => MGA7TOO
Assigning to Joseph for 9.6 & 12; CC'ing Marc for 11.
Assignee: bugsquad => joequant
CC: (none) => mageia
Pushed all versions to the build system; since it is currently very busy, it can take some time... @Joseph, do you want to take pg11 too? I was just helping out while you were unavailable.
Advisory:
========================

Updated postgresql9.6 and postgresql11 packages fix security vulnerability:

The ALTER ... DEPENDS ON EXTENSION sub-commands do not perform authorization checks, which can allow an unprivileged user to drop any function, procedure, materialized view, index, or trigger under certain conditions. This attack is possible if an administrator has installed an extension and an unprivileged user can CREATE, or an extension owner either executes DROP EXTENSION predictably or can be convinced to execute DROP EXTENSION (CVE-2020-1720).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1720
https://www.postgresql.org/about/news/2011/
========================

Updated packages in core/updates_testing:
========================
postgresql9.6-9.6.17-1.mga7
libpq5.9-9.6.17-1.mga7
libecpg9.6_6-9.6.17-1.mga7
postgresql9.6-server-9.6.17-1.mga7
postgresql9.6-docs-9.6.17-1.mga7
postgresql9.6-contrib-9.6.17-1.mga7
postgresql9.6-devel-9.6.17-1.mga7
postgresql9.6-pl-9.6.17-1.mga7
postgresql9.6-plpython-9.6.17-1.mga7
postgresql9.6-plperl-9.6.17-1.mga7
postgresql9.6-pltcl-9.6.17-1.mga7
postgresql9.6-plpgsql-9.6.17-1.mga7
postgresql11-11.7-1.mga7
libpq5-11.7-1.mga7
libecpg11_6-11.7-1.mga7
postgresql11-server-11.7-1.mga7
postgresql11-docs-11.7-1.mga7
postgresql11-contrib-11.7-1.mga7
postgresql11-devel-11.7-1.mga7
postgresql11-pl-11.7-1.mga7
postgresql11-plpython-11.7-1.mga7
postgresql11-plpython3-11.7-1.mga7
postgresql11-plperl-11.7-1.mga7
postgresql11-pltcl-11.7-1.mga7
postgresql11-plpgsql-11.7-1.mga7

from SRPMS:
postgresql9.6-9.6.17-1.mga7.src.rpm
postgresql11-11.7-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Assignee: joequant => qa-bugs
Version: Cauldron => 7
MGA7-64 Plasma on Lenovo B50 Installation: I could not install both 9.6 and 11 simultaneously, there was a problem with one of the lib packages. So installed first the 9.6, together with pgadmin and phppgadmin. Used pgadmin after starting postgres to create a new database and in it a new table and a sequence, all seems to work OK. I will continue by trying to add version 11 or if necessary remove 9.6 and then install 11.
CC: (none) => herman.viaene
Installing postgres11 bumps out 9.6, but the database created with 9.6 survived and could be opened. Added another login role (phppgadmin does not allow the postgres user to login) in pgadmin and then used phppgadmin to create a primary key for the table defined in the 9.6 test. Checked visibility in pgadmin of the changes made using phppgadmin. All looks OK. More tests needed for OK'ing???
Sounds good Herman.
Whiteboard: (none) => MGA7-64-OK
Validating, then. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0095.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED