Bug 27017 - postgresql-jdbc new security issue CVE-2020-13692
Summary: postgresql-jdbc new security issue CVE-2020-13692
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: validated_update
Depends on:
Reported: 2020-07-29 21:14 CEST by David Walser
Modified: 2020-08-11 02:00 CEST
4 users

See Also:
Source RPM: postgresql-jdbc-42.2.5-1.mga7.src.rpm
Status comment:


Description David Walser 2020-07-29 21:14:36 CEST
Red Hat has issued an advisory on July 28:

The issue is fixed upstream in 42.2.13.

Cauldron has been updated.

Fedora backported a patch to 42.2.12, but it doesn't apply to 42.2.5:
Comment 1 David Walser 2020-07-29 21:16:24 CEST
RHEL8 patched 42.2.3 in the advisory in Comment 0. It does apply:
Comment 2 David Walser 2020-07-29 21:22:33 CEST

Updated postgresql-jdbc packages fix security vulnerability:

XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692).


Updated packages in core/updates_testing:

from postgresql-jdbc-42.2.5-1.1.mga7.src.rpm

Assignee: java => qa-bugs

Comment 3 David Walser 2020-07-29 21:22:53 CEST
Full details of this vulnerability are here:
Comment 4 Herman Viaene 2020-08-03 11:08:15 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Trying to make a connection to postgres running on my desktop PC, but I don't feel like installing a full java development configuration.
Trying to make a libreoffice connection, but I am not sure this would be using the package?

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2020-08-03 12:23:15 CEST
Got the libreoffice connection working, but it does not use anything of the files under test.
Giving up on clean install.
Comment 6 Brian Rockwell 2020-08-05 05:33:32 CEST
- Set up Postgresql 11 server on a VM
- wrote a short test piece of code in java and compiled it.

 java -cp .:/usr/share/java/postgresql-jdbc.jar postMain
Connected to the PostgreSQL server successfully.
row count3

Ran it before and after the update. In both cases the jdbc driver was working. I did not test the vulnerability as that is a bit more in-depth than I have bandwidth for.

Works for me.

CC: (none) => brtians1
Whiteboard: (none) => MGA7-64-OK

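The kind of smoke test described in Comment 6, written out as an added example (it is not the tester's own code and not part of the package). It assumes a PostgreSQL server on localhost:5432 with database "testdb", user "tester", password "secret" and a table "items" holding three rows; all of these are placeholders. Beyond the row count, it prints the driver version reported by the loaded jar, so a tester can confirm the updated package is the one on the classpath, and reads one plain XML value through PgSQLXML, the class named in the advisory.

```java
// Added example (not from the bug report or the pgjdbc project).
// Assumed placeholders: localhost:5432, database "testdb", user "tester",
// password "secret", table "items" with three rows.
// Class name matches the invocation in Comment 6:
//   javac -cp /usr/share/java/postgresql-jdbc.jar postMain.java
//   java  -cp .:/usr/share/java/postgresql-jdbc.jar postMain
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.SQLXML;
import java.sql.Statement;

public class postMain {
    public static void main(String[] args) throws SQLException {
        String url = "jdbc:postgresql://localhost:5432/testdb";
        try (Connection conn = DriverManager.getConnection(url, "tester", "secret")) {
            System.out.println("Connected to the PostgreSQL server successfully.");

            // Which driver jar was actually loaded? After the update this should
            // report the patched package's version rather than 42.2.5.
            DatabaseMetaData md = conn.getMetaData();
            System.out.println("driver " + md.getDriverName() + " " + md.getDriverVersion());

            // The row count check from Comment 6 ("row count3" for three rows).
            try (Statement st = conn.createStatement();
                 ResultSet rs = st.executeQuery("SELECT count(*) FROM items")) {
                rs.next();
                System.out.println("row count" + rs.getLong(1));
            }

            // Exercise the xml read path (PgSQLXML) on a value that contains no
            // DTD or entity declarations, so the affected class is at least loaded
            // and used by the test without any entity handling being involved.
            try (Statement st = conn.createStatement();
                 ResultSet rs = st.executeQuery("SELECT '<a>ok</a>'::xml")) {
                rs.next();
                SQLXML x = rs.getSQLXML(1);
                System.out.println("xml " + x.getString());
                x.free();
            }
        }
    }
}
```

The xml query requires a server built with libxml support (the Mageia build has it); drop that block if the server reports the xml type as unsupported.
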
Comment 7 Thomas Andrews 2020-08-11 02:00:31 CEST
We'll go with it. Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
