RedHat has issued an advisory on July 28: https://access.redhat.com/errata/RHSA-2020:3176 The issue is fixed upstream in 42.2.13. Cauldron has been updated. Fedora backported a patch to 42.2.12, but it doesn't apply to 42.2.5: https://src.fedoraproject.org/rpms/postgresql-jdbc/c/d23878b27a45138f1b5ed3bfbd51b99060b59551?branch=master
RHEL8 patched 42.2.3 in the advisory in Comment 0. It does apply: https://git.centos.org/rpms/postgresql-jdbc/c/50b54c6ba11f28b6dfa39c373a00789dcbdf54b2?branch=c8
Advisory:
========================

Updated postgresql-jdbc packages fix security vulnerability:

XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13692
https://access.redhat.com/errata/RHSA-2020:3176
========================

Updated packages in core/updates_testing:
========================

postgresql-jdbc-42.2.5-1.1.mga7
postgresql-jdbc-javadoc-42.2.5-1.1.mga7

from postgresql-jdbc-42.2.5-1.1.mga7.src.rpm
Assignee: java => qa-bugs
Full details of this vulnerability are here: https://blog.daviddworken.com/posts/pgjdbc-xxe/
MGA7-64 Plasma on Lenovo B50
No installation issues. Trying to make a connection to postgres running on my desktop PC, but I don't feel like installing a full java development configuration. Trying to make a libreoffice connection, but I am not sure this would be using the package?
CC: (none) => herman.viaene
Got the libreoffice connection working, but it does not use anything of the files under test. Giving up on clean install.
- Set up Postgresql 11 server on a VM
- wrote a short test piece of code in java and compiled it.

java -cp .:/usr/share/java/postgresql-jdbc.jar postMain
Connected to the PostgreSQL server successfully.
row count3

Ran it before and after the update. In both cases the jdbc driver was working. I did not test the vulnerability as that is a bit more in-depth than I have bandwidth for. Works for me.
CC: (none) => brtians1
Whiteboard: (none) => MGA7-64-OK
We'll go with it. Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0319.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED