Bug 29369 - postgresql new security issue CVE-2021-3677
Summary: postgresql new security issue CVE-2021-3677
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-08-13 13:49 CEST by David Walser
Modified: 2021-09-23 06:51 CEST (History)

See Also:
Source RPM: postgresql11, postgresql13
CVE: CVE-2021-3677
Status comment:


Attachments

Description David Walser 2021-08-13 13:49:58 CEST
PostgreSQL has released new versions on August 12:
https://www.postgresql.org/about/news/postgresql-134-128-1113-1018-9623-and-14-beta-3-released-2277/

The issues are fixed upstream in 11.13 and 13.4.

Cauldron and Mageia 8 are affected (postgresql13 and postgresql11).
David Walser 2021-08-13 13:50:35 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2021-08-13 13:52:41 CEST
Ubuntu has issued an advisory for this on August 12:
https://ubuntu.com/security/notices/USN-5038-1
Comment 2 Lewis Smith 2021-08-15 20:37:10 CEST
These SRPMs have registered maintainers (both CC'd), but most recently have been committed by different packagers, so assigning this bug globally.

Assignee: bugsquad => pkg-bugs
CC: (none) => joequant, mageia

Comment 3 Nicolas Salguero 2021-08-30 15:49:55 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Memory disclosure in certain queries. (CVE-2021-3677)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3677
https://www.postgresql.org/about/news/postgresql-134-128-1113-1018-9623-and-14-beta-3-released-2277/
https://ubuntu.com/security/notices/USN-5038-1
========================

Updated packages in core/updates_testing:
========================
postgresql11-contrib-11.13-1.mga8
postgresql11-11.13-1.mga8
lib(64)pq5.11-11.13-1.mga8
postgresql11-plpgsql-11.13-1.mga8
lib(64)ecpg11_6-11.13-1.mga8
postgresql11-plpython3-11.13-1.mga8
postgresql11-pl-11.13-1.mga8
postgresql11-plperl-11.13-1.mga8
postgresql11-pltcl-11.13-1.mga8
postgresql11-devel-11.13-1.mga8
postgresql11-docs-11.13-1.mga8
postgresql11-server-11.13-1.mga8

postgresql13-pl-13.4-1.mga8
postgresql13-pltcl-13.4-1.mga8
postgresql13-plperl-13.4-1.mga8
postgresql13-plpython3-13.4-1.mga8
lib(64)pq5-13.4-1.mga8
lib(64)ecpg13_6-13.4-1.mga8
postgresql13-plpgsql-13.4-1.mga8
postgresql13-13.4-1.mga8
postgresql13-devel-13.4-1.mga8
postgresql13-docs-13.4-1.mga8
postgresql13-server-13.4-1.mga8

from SRPMS:
postgresql11-11.13-1.mga8.src.rpm
postgresql13-13.4-1.mga8.src.rpm

CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2021-3677
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
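A QA-side check that follows from the advisory above: given the installed package list, report which postgresql11/postgresql13 packages are still below the fixed version-release named in Comment 3 (11.13-1.mga8 and 13.4-1.mga8). This is an added example, not part of the bug report or of Mageia's tooling; the package lines it reads are constructed, and it assumes GNU `sort -V` for version ordering.

```shell
#!/bin/sh
# Added example: compare installed PostgreSQL package versions against the
# fixed versions from the Mageia advisory for CVE-2021-3677.

# Minimum fixed VERSION-RELEASE per source package, taken from the advisory.
fixed_version() {
    case "$1" in
        postgresql11*) echo "11.13-1.mga8" ;;
        postgresql13*) echo "13.4-1.mga8" ;;
        *) return 1 ;;   # not one of the two affected source packages
    esac
}

# version_ge A B: true when A >= B under natural version ordering (GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# pg_pkg_status NAME VERSION-RELEASE: prints "ok", "vulnerable" or "unknown".
pg_pkg_status() {
    min=$(fixed_version "$1") || { echo unknown; return 0; }
    if version_ge "$2" "$min"; then echo ok; else echo vulnerable; fi
}

# Constructed sample of what
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'postgresql1*'
# might print on a partially updated host (not real output from the bug).
SAMPLE='postgresql11-server 11.12-1.mga8
postgresql13-server 13.4-1.mga8
postgresql13 13.3-2.mga8'

# audit_lines: reads "NAME VERSION-RELEASE" lines on stdin, prints one status
# line per package and returns nonzero if any package is still vulnerable.
audit_lines() {
    rc=0
    while read -r name ver; do
        [ -n "$name" ] || continue
        status=$(pg_pkg_status "$name" "$ver")
        echo "$name $ver $status"
        [ "$status" = vulnerable ] && rc=1
    done
    return $rc
}

printf '%s\n' "$SAMPLE" | audit_lines \
    || echo "some PostgreSQL packages are still below the fixed version"
```

On a real host, replace the constructed `SAMPLE` with the `rpm -qa` query shown in the comment; a release bump such as 11.13-2.mga8 still compares as fixed, since only a version-release at or above the advisory's value is reported as `ok`.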

Comment 4 Hugues Detavernier 2021-08-31 17:23:00 CEST
Mageia Gnome X64

Installation of postgresql11-server without any problem.

rpmq -i --media "Core Updates testing" postgresql11-server
Name        : postgresql11-server
Version     : 11.13
Release     : 1.mga8
Group       : Databases
Size        : 44384754                     Architecture: x86_64
Source RPM  : postgresql11-11.13-1.mga8.src.rpm
URL         : http://www.postgresql.org/
Summary     : The programs needed to create and run a PostgreSQL server
Description :
The postgresql-server package includes the programs needed to create and run a
PostgreSQL server, which will in turn allow you to create and maintain
PostgreSQL databases.  PostgreSQL is an advanced Object-Relational database
management system (DBMS) that supports almost all SQL constructs (including
transactions, subselects and user-defined types and functions). You should
install postgresql-server if you want to create and maintain your own
PostgreSQL databases and/or your own PostgreSQL server. You also need to
install the postgresql and postgresql-devel packages.

After installing this package, please read postgresql.Mageia.releasenote.

[root@localhost hugo]# urpmi --media "Core Updates testing" postgresql11-server
Pour satisfaire les dépendances, les paquetages suivants vont être installés :
  Paquetage                      Version      Révision      Arch    
(média « Core Updates Testing »)
  postgresql11-plpgsql           11.13        1.mga8        x86_64  
  postgresql11-server            11.13        1.mga8        x86_64  
un espace additionnel de 42Mo sera utilisé.
14Mo de paquets seront récupérés.
Procéder à l'installation des 2 paquetages ? (O/n) O


    $MIRRORLIST: media/core/updates_testing/postgresql11-server-11.13-1.mga8.x86_64.rpm
    $MIRRORLIST: media/core/updates_testing/postgresql11-plpgsql-11.13-1.mga8.x86_64.rpm
installation de postgresql11-plpgsql-11.13-1.mga8.x86_64.rpm postgresql11-server-11.13-1.mga8.x86_64.rpm depuis /var/cache/urpmi/rpms
Préparation...                   ##################################################
      1/2: postgresql11-server   ##################################################
      2/2: postgresql11-plpgsql  ##################################################
----------------------------------------------------------------------
Plus d'information sur le paquetage postgresql11-server-11.13-1.mga8.x86_64
You just installed or updated postgresql server.
You can find important information about Mageia postgresql rpms and database
management in:

/usr/share/doc/postgresql11-server/postgresql.Mageia.releasenote

Please read it.

 systemctl start postgresql
 systemctl status postgresql
● postgresql.service - PostgreSQL database server
     Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled; vendor pr>
     Active: active (running) since Tue 2021-08-31 19:16:43 CEST; 7s ago
    Process: 44114 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (code=ex>
    Process: 44125 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPORT} ->
   Main PID: 44127 (postgres)
      Tasks: 7 (limit: 2321)
     Memory: 61.2M
        CPU: 447ms
     CGroup: /system.slice/postgresql.service
             ├─44127 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
             ├─44130 postgres: checkpointer
             ├─44131 postgres: background writer
             ├─44132 postgres: walwriter
             ├─44133 postgres: autovacuum launcher
             ├─44134 postgres: stats collector
             └─44135 postgres: logical replication launcher

août 31 19:16:42 localhost systemd[1]: Starting PostgreSQL database server...
août 31 19:16:43 localhost pg_ctl[44127]: 2021-08-31 19:16:43.427 CEST [44127] LOG: >
août 31 19:16:43 localhost pg_ctl[44127]: 2021-08-31 19:16:43.427 CEST [44127] LOG: >
août 31 19:16:43 localhost pg_ctl[44127]: 2021-08-31 19:16:43.427 CEST [44127] LOG: >
lines 1-22

[root@localhost hugo]# su - postgres
[postgres@localhost ~]$ psql
psql (11.13)
Type "help" for help.

postgres=#

postgres=# CREATE DATABASE Mageia;
CREATE DATABASE

postgres=# SELECT datname FROM pg_database;
  datname  
-----------
 postgres
 mageia
 template1
 template0
(4 rows)


All seems ok.

CC: (none) => hdetavernier

Comment 5 Brian Rockwell 2021-09-13 23:09:30 CEST
MGA8 - 64bit - Gnome

The following 17 packages are going to be installed:

- lib64ecpg13_6-13.4-1.mga8.x86_64
- lib64openssl-devel-1.1.1l-1.mga8.x86_64
- lib64openssl1.1-1.1.1l-1.mga8.x86_64
- lib64pq5-13.4-1.mga8.x86_64
- lib64zlib-devel-1.2.11-9.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- openssl-1.1.1l-1.mga8.x86_64
- postgresql13-13.4-1.mga8.x86_64
- postgresql13-contrib-13.4-1.mga8.x86_64
- postgresql13-devel-13.4-1.mga8.x86_64
- postgresql13-docs-13.4-1.mga8.noarch
- postgresql13-pl-13.4-1.mga8.x86_64
- postgresql13-plperl-13.4-1.mga8.x86_64
- postgresql13-plpgsql-13.4-1.mga8.x86_64
- postgresql13-plpython3-13.4-1.mga8.x86_64
- postgresql13-pltcl-13.4-1.mga8.x86_64
- postgresql13-server-13.4-1.mga8.x86_64

I was able to start the SQL server with no issues.

I then turned around and installed Nextcloud-Server and pointed it to postgres.  It went through all of the initial database build, table creations, and initial configs without issue.

No issues and I was able to publish a document in Nextcloud.


Postgres is working as designed.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => brtians1

Comment 6 Thomas Andrews 2021-09-14 02:40:14 CEST
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2021-09-22 22:23:34 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2021-09-23 06:51:52 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0424.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
