PostgreSQL has released new versions on February 11: https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/ The issues are fixed in 11.11 and 13.2. Cauldron and Mageia 8 are affected (postgresql13 and postgresql11). Mageia 7 is also affected (postgresql11). CVE-2021-20229 only affects postgresql13. The two CVEs do not affect 9.6, but 9.6.21 contains other bug fixes.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Source RPM: (none) => postgresql9.6, postgresql11, postgresql13
CVE: (none) => CVE-2021-20229, CVE-2021-3393
Various packagers are involved, who are CC'd while nominally assigning this globally.
Assignee: bugsquad => pkg-bugs
CC: (none) => joequant, mageia, nicolas.salguero
CC: mageia => (none)
Ubuntu has issued an advisory for this on February 15: https://ubuntu.com/security/notices/USN-4735-1
Severity: normal => major
src:
- mageia 7
  - postgresql9.6-9.6.21-1.mga7
  - postgresql11-11.11-1.mga7
- mageia 8
  - postgresql11-11.11-1.mga8
  - postgresql13-13.2-1.mga8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
RPMS list:
postgresql9.6-9.6.21-1.mga7
libpq5.9-9.6.21-1.mga7
libecpg9.6_6-9.6.21-1.mga7
postgresql9.6-server-9.6.21-1.mga7
postgresql9.6-docs-9.6.21-1.mga7
postgresql9.6-contrib-9.6.21-1.mga7
postgresql9.6-devel-9.6.21-1.mga7
postgresql9.6-pl-9.6.21-1.mga7
postgresql9.6-plpython-9.6.21-1.mga7
postgresql9.6-plperl-9.6.21-1.mga7
postgresql9.6-pltcl-9.6.21-1.mga7
postgresql9.6-plpgsql-9.6.21-1.mga7
postgresql11-11.11-1.mga7
libpq5-11.11-1.mga7
libecpg11_6-11.11-1.mga7
postgresql11-server-11.11-1.mga7
postgresql11-docs-11.11-1.mga7
postgresql11-contrib-11.11-1.mga7
postgresql11-devel-11.11-1.mga7
postgresql11-pl-11.11-1.mga7
postgresql11-plpython-11.11-1.mga7
postgresql11-plpython3-11.11-1.mga7
postgresql11-plperl-11.11-1.mga7
postgresql11-pltcl-11.11-1.mga7
postgresql11-plpgsql-11.11-1.mga7
postgresql11-docs-11.11-1.mga8
postgresql11-11.11-1.mga8
postgresql11-devel-11.11-1.mga8
postgresql11-contrib-11.11-1.mga8
libpq5.11-11.11-1.mga8
postgresql11-plpgsql-11.11-1.mga8
libecpg11_6-11.11-1.mga8
postgresql11-plpython3-11.11-1.mga8
postgresql11-server-11.11-1.mga8
postgresql11-pl-11.11-1.mga8
postgresql11-pltcl-11.11-1.mga8
postgresql11-plperl-11.11-1.mga8
postgresql13-docs-13.2-1.mga8
postgresql13-13.2-1.mga8
postgresql13-devel-13.2-1.mga8
postgresql13-contrib-13.2-1.mga8
postgresql13-server-13.2-1.mga8
libpq5-13.2-1.mga8
libecpg13_6-13.2-1.mga8
postgresql13-plpgsql-13.2-1.mga8
postgresql13-plpython3-13.2-1.mga8
postgresql13-plperl-13.2-1.mga8
postgresql13-pl-13.2-1.mga8
postgresql13-pltcl-13.2-1.mga8
Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

A user having an UPDATE privilege on a partitioned table but lacking the SELECT privilege on some column may be able to acquire denied-column values from an error message (CVE-2021-3393).

A user having a SELECT privilege on an individual column can craft a special query that returns all columns of the table. Additionally, a stored view that uses column-level privileges will have incomplete column-usage bitmaps. In installations that depend on column-level permissions for security, it is recommended to execute CREATE OR REPLACE on all user-defined views to force them to be re-parsed (CVE-2021-20229).

PostgreSQL 11 was only affected by CVE-2021-3393 and both PostgreSQL 11 and 13 were affected by CVE-2021-20229. PostgreSQL 9.6 was updated to fix bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3393
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20229
https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/
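The advisory's remediation for CVE-2021-20229 is to re-parse every user-defined view with CREATE OR REPLACE after the updated packages are installed. The following script is an added example written for this bug report; it is not part of the Mageia advisory or of the PostgreSQL project. It assumes a superuser session on a scratch database. The role `colview_tester` and the table `staff` are constructed for illustration: the first part sets up a column-level grant and a view depending on it, so an administrator can confirm the expected "permission denied" behaviour as a baseline (this is a sanity check of the privilege setup, not a reproduction of the CVE). The second part is the generic re-parse loop the advisory asks for, which walks pg_class for ordinary views outside the system schemas and re-issues each one with its stored definition and reloptions.

```sql
-- Added example, not from the Mageia advisory or the PostgreSQL project.
-- Run as a superuser on a scratch database; all object names are constructed.

-- 1. Baseline check of column-level privileges.
CREATE ROLE colview_tester LOGIN PASSWORD 'placeholder-change-me';  -- constructed role

CREATE TABLE staff (
    id     serial  PRIMARY KEY,
    name   text    NOT NULL,
    salary numeric NOT NULL          -- the column that must stay denied
);
INSERT INTO staff (name, salary) VALUES ('alice', 100), ('bob', 200);

-- Grant only two columns; salary is not granted.
GRANT SELECT (id, name) ON staff TO colview_tester;

-- A stored view that relies on those column-level privileges. Per the
-- advisory, views like this one must be re-parsed after the update.
CREATE VIEW staff_public AS SELECT id, name FROM staff;
GRANT SELECT ON staff_public TO colview_tester;

SET ROLE colview_tester;
SELECT id, name FROM staff;          -- expected: two rows
SELECT * FROM staff_public;          -- expected: two rows
SELECT * FROM staff;                 -- expected: ERROR: permission denied (salary not granted)
RESET ROLE;

-- 2. Re-parse all user-defined views, as the advisory recommends.
--    reloptions (e.g. security_barrier) are carried over; check_option is
--    dropped from the WITH list because pg_get_viewdef() already emits
--    "WITH ... CHECK OPTION" and PostgreSQL rejects it being given twice.
DO $$
DECLARE
    v     record;
    opts  text;
    count integer := 0;
BEGIN
    FOR v IN
        SELECT n.nspname,
               c.relname,
               pg_get_viewdef(c.oid, true) AS def,
               (SELECT string_agg(o, ', ')
                  FROM unnest(c.reloptions) AS o
                 WHERE o NOT LIKE 'check_option=%') AS reloptions
          FROM pg_class c
          JOIN pg_namespace n ON n.oid = c.relnamespace
         WHERE c.relkind = 'v'
           AND n.nspname NOT IN ('pg_catalog', 'information_schema')
           AND n.nspname NOT LIKE 'pg_toast%'
         ORDER BY n.nspname, c.relname
    LOOP
        opts := CASE WHEN v.reloptions IS NOT NULL
                     THEN 'WITH (' || v.reloptions || ') '
                     ELSE '' END;
        -- CREATE OR REPLACE keeps the view's owner, grants and column names;
        -- the definition text is unchanged, only the stored parse is rebuilt.
        EXECUTE format('CREATE OR REPLACE VIEW %I.%I %sAS %s',
                       v.nspname, v.relname, opts, v.def);
        count := count + 1;
        RAISE NOTICE 'Re-parsed view %.%', v.nspname, v.relname;
    END LOOP;
    RAISE NOTICE 'Re-parsed % user-defined view(s)', count;
END
$$;
```

The loop only touches relkind 'v' (ordinary views), so materialized views are left alone. Views whose definition no longer compiles (for example because a referenced column was dropped) will abort the DO block; run it inside a transaction on a copy first so a single broken view can be fixed by hand before the production run.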
MGA7-64 MATE on Peaq C1011
No installation issues for 9.6

# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
   Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

# systemctl -l start postgresql
# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
   Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-03-04 16:10:15 CET; 6s ago
  Process: 12435 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (code=exited, status=0/SUCCESS)
  Process: 12450 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPORT} -w -t 300 (code=exited, status=0/SUCCESS)
 Main PID: 12452 (postgres)
    Tasks: 6 (limit: 2285)
   Memory: 70.0M
   CGroup: /system.slice/postgresql.service
           ├─12452 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
           ├─12455 postgres: checkpointer process
           ├─12456 postgres: writer process
           ├─12457 postgres: wal writer process
           ├─12458 postgres: autovacuum launcher process
           └─12459 postgres: stats collector process

Mar 04 16:10:09 mach7.hviaene.thuis systemd[1]: Starting PostgreSQL database server...
Mar 04 16:10:14 mach7.hviaene.thuis pg_ctl[12450]: LOG: database system was shut down at 2021-03-04 16:10:13 CET
Mar 04 16:10:14 mach7.hviaene.thuis pg_ctl[12450]: LOG: MultiXact member wraparound protections are now enabled
Mar 04 16:10:14 mach7.hviaene.thuis pg_ctl[12450]: LOG: database system is ready to accept connections
Mar 04 16:10:14 mach7.hviaene.thuis pg_ctl[12450]: LOG: autovacuum launcher started
Mar 04 16:10:15 mach7.hviaene.thuis systemd[1]: Started PostgreSQL database server.

Continuing testing ......
CC: (none) => herman.viaene
Using pgadmin3, I have been able to connect to localhost, create a new database, a
fingertrouble!!!! Continuing: create a new schema, create a new table with four columns with a PK and an index. Looks good for this version. Will try upgrading to version 11.
Installed version 11; this bumps out most - or all - of the 9.6 packages. This stops the database, and restarting fails with the error
pg_ctl[17013]: /usr/bin/pg_ctl: error while loading shared libraries: libpq.so.5.9: cannot open shared object file: No such file or directory
This file is from a 9.6 package; reinstalling lib64pq5.9 solves the problem.

# systemctl -l start postgresql
# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
   Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-03-04 17:10:16 CET; 12s ago
  Process: 17342 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (code=exited, status=0/SUCCESS)
  Process: 17343 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPORT} -w -t 300 (code=exited, status=0/SUCCESS)
 Main PID: 17346 (postgres)
    Tasks: 6 (limit: 2285)
   Memory: 14.7M

Once there I could open the database created with 9.6, delete the table, schema and database, and create new ones. This problem could occur on a fresh install of version 11, as removing this package again does not seem to harm the database manipulation in pgadmin3, but the database cannot be restarted afterwards. Otherwise the database is OK.
MGA7 - Vbox
$ uname -a
Linux linux.local 5.10.19-desktop-1.mga7 #1 SMP Fri Feb 26 23:48:09 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

The following 12 packages are going to be installed:
- lib64ecpg9.6_6-9.6.21-1.mga7.x86_64
- lib64pq5.9-9.6.21-1.mga7.x86_64
- postgresql9.6-9.6.21-1.mga7.x86_64
- postgresql9.6-contrib-9.6.21-1.mga7.x86_64
- postgresql9.6-devel-9.6.21-1.mga7.x86_64
- postgresql9.6-docs-9.6.21-1.mga7.noarch
- postgresql9.6-pl-9.6.21-1.mga7.x86_64
- postgresql9.6-plperl-9.6.21-1.mga7.x86_64
- postgresql9.6-plpgsql-9.6.21-1.mga7.x86_64
- postgresql9.6-plpython-9.6.21-1.mga7.x86_64
- postgresql9.6-pltcl-9.6.21-1.mga7.x86_64
- postgresql9.6-server-9.6.21-1.mga7.x86_64

Using command line psql I was able to create user, create database, create table, insert data and select data.
postgres=# create database mydb;
postgres=# create user test with password 'xx';
postgres=# grant all privileges on database mydb to test;
postgres=# \q

Now as user test I can connect to mydb using the command:
$ psql mydb
mydb=> create table if not exists books ( book_name varchar(255), pages integer);
mydb=> insert into books values ('Delta-V', 355);
mydb=> select * from books;
mydb=> create index bindex on books (book_name);

To describe the table:
mydb=> \d books

Update and delete worked as well.
mydb=> \q
to quit works for me. Seems to work for me.
CC: (none) => brtians1
MGA8 64bit gnome
$ uname -a
Linux localhost 5.10.20-desktop-2.mga8 #1 SMP Fri Mar 5 18:23:13 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

The following 15 packages are going to be installed:
- lib64ecpg13_6-13.2-1.mga8.x86_64
- lib64openssl-devel-1.1.1j-1.mga8.x86_64
- lib64pq5-13.2-1.mga8.x86_64
- lib64zlib-devel-1.2.11-9.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- postgresql13-13.2-1.mga8.x86_64
- postgresql13-contrib-13.2-1.mga8.x86_64
- postgresql13-devel-13.2-1.mga8.x86_64
- postgresql13-docs-13.2-1.mga8.noarch
- postgresql13-pl-13.2-1.mga8.x86_64
- postgresql13-plperl-13.2-1.mga8.x86_64
- postgresql13-plpgsql-13.2-1.mga8.x86_64
- postgresql13-plpython3-13.2-1.mga8.x86_64
- postgresql13-pltcl-13.2-1.mga8.x86_64
- postgresql13-server-13.2-1.mga8.x86_64

I started services and repeated the test; the system is working as best I can tell. Herman - anything holding this up for approval?
No additional comments; updating MGA8 and MGA7 as Herman and I tested both.
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK MGA7-64-OK
Validating. Advisory in Comment 5.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Advisory committed to svn.
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0121.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED