PostgreSQL has released new versions on August 13: https://www.postgresql.org/about/news/2060/ The issues are fixed in 9.6.19, 11.9, and 12.4. Cauldron is affected (postgresql12 and postgresql11). Mageia 7 is also affected (postgresql11 and postgresql9.6). CVE-2020-14349 does not affect 9.6.
Whiteboard: (none) => MGA7TOO
Assigning globally as different people maintain the different versions; CC'ing the most visible ones.
Assignee: bugsquad => pkg-bugs
CC: (none) => jani.valimaa, joequant, mageia
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL commands in the context of the user used for replication. (CVE-2020-14349)

It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script during the installation or update of such an extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23. (CVE-2020-14350)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14349
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14350
https://www.postgresql.org/about/news/2060/
========================

Updated packages in core/updates_testing:
========================
postgresql9.6-9.6.19-1.mga7
lib(64)pq5.9-9.6.19-1.mga7
lib(64)ecpg9.6_6-9.6.19-1.mga7
postgresql9.6-server-9.6.19-1.mga7
postgresql9.6-docs-9.6.19-1.mga7
postgresql9.6-contrib-9.6.19-1.mga7
postgresql9.6-devel-9.6.19-1.mga7
postgresql9.6-pl-9.6.19-1.mga7
postgresql9.6-plpython-9.6.19-1.mga7
postgresql9.6-plperl-9.6.19-1.mga7
postgresql9.6-pltcl-9.6.19-1.mga7
postgresql9.6-plpgsql-9.6.19-1.mga7
postgresql11-11.9-1.mga7
lib(64)pq5-11.9-1.mga7
lib(64)ecpg11_6-11.9-1.mga7
postgresql11-server-11.9-1.mga7
postgresql11-docs-11.9-1.mga7
postgresql11-contrib-11.9-1.mga7
postgresql11-devel-11.9-1.mga7
postgresql11-pl-11.9-1.mga7
postgresql11-plpython-11.9-1.mga7
postgresql11-plpython3-11.9-1.mga7
postgresql11-plperl-11.9-1.mga7
postgresql11-pltcl-11.9-1.mga7
postgresql11-plpgsql-11.9-1.mga7

from SRPMS:
postgresql9.6-9.6.19-1.mga7.src.rpm
postgresql11-11.9-1.mga7.src.rpm
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Status: NEW => ASSIGNED
Source RPM: postgresql9.6, postgresql11, postgresql12 => postgresql9.6, postgresql11
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2020-14349, CVE-2020-14350
Assignee: pkg-bugs => qa-bugs
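Added example, not part of the bug report or of the PostgreSQL project's own code: a post-update SQL check an administrator can run on the server once the packages above are installed. It confirms the running major is at or past the fixed release named in the advisory, lists installed extensions whose schema still lets PUBLIC create objects (the condition that makes search_path hijacking of the CVE-2018-1058 kind possible), and shows the search_path-pinning pattern for functions; the `app` schema and `row_count` function are hypothetical names chosen for the illustration.

```sql
-- Added example: verify the CVE-2020-14349 / CVE-2020-14350 fixes are in place.

-- 1. Fixed-release check. server_version_num encodes 12.4 as 120004,
--    11.9 as 110009, 10.14 as 100014, 9.6.19 as 90619 and 9.5.23 as 90523.
WITH v AS (SELECT current_setting('server_version_num')::int AS n)
SELECT current_setting('server_version') AS version,
       CASE WHEN n >= 120000 THEN n >= 120004
            WHEN n >= 110000 THEN n >= 110009
            WHEN n >= 100000 THEN n >= 100014
            WHEN n >=  90600 THEN n >=  90619
            WHEN n >=  90500 THEN n >=  90523
            ELSE false
       END AS has_fix
FROM v;

-- 2. Installed extensions and whether PUBLIC may CREATE in their schema.
--    Before PostgreSQL 15 the "public" schema grants CREATE to PUBLIC by
--    default, so an extension installed there resolves unqualified names
--    against objects any user could have created.
SELECT e.extname,
       e.extversion,
       n.nspname                                           AS schema,
       has_schema_privilege('public', n.nspname, 'CREATE') AS public_can_create
FROM pg_extension e
JOIN pg_namespace n ON n.oid = e.extnamespace
ORDER BY public_can_create DESC, e.extname;

-- Hardening recommended in the PostgreSQL CVE-2018-1058 guidance that the
-- advisory refers to: stop untrusted roles creating objects in "public".
-- REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 3. Pattern for functions that run with elevated rights: pin search_path so
--    names resolve only in trusted schemas, regardless of the caller's setting.
CREATE SCHEMA IF NOT EXISTS app;                  -- hypothetical schema
CREATE OR REPLACE FUNCTION app.row_count(tbl regclass) RETURNS bigint
LANGUAGE plpgsql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp            -- pinned for this function
AS $$
DECLARE c bigint;
BEGIN
  -- regclass renders schema-qualified when the table is not on search_path
  EXECUTE format('SELECT count(*) FROM %s', tbl) INTO c;
  RETURN c;
END $$;
```

The first query returns has_fix = true on the 9.6.19 and 11.9 builds listed in this report; any row in the second query with public_can_create = true deserves a look before relying on that extension's unqualified object names.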
MGA7-64 Plasma on Lenovo B50
No installation issues.
Test in two steps: first install version 9.6.19 over the existing 9.6.
Using pgadmin to create a new database and a new table with 4 columns: all OK.
Reporting later on postgresql11.
CC: (none) => herman.viaene
Installed version 11, which removed 9.6. Using pgadmin, the database was preserved over the major update. I could delete the database which I created in Comment 3, define a new one, and create a new table with 4 columns, a PK and a unique key. Looks OK to me.
Whiteboard: (none) => MGA7-64-OK
CC: jani.valimaa => (none)
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0365.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED