Bug 31531 - postgresql new security issue CVE-2022-41862
Summary: postgresql new security issue CVE-2022-41862
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK MGA8-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-02-09 17:33 CET by David Walser
Modified: 2023-02-27 21:29 CET

See Also:
Source RPM: postgresql13, postgresql11
CVE: CVE-2022-41862
Status comment:



Description David Walser 2023-02-09 17:33:23 CET
PostgreSQL has released new versions today (February 9):
https://www.postgresql.org/about/news/postgresql-152-147-1310-1214-and-1119-released-2592/

The issue is fixed upstream in 13.10 and 15.2.

Mageia 8 is also affected (only for 13, 11 is not affected, though bugfix release 11.19 is available).
David Walser 2023-02-09 17:33:39 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 13.10 and 15.2

Comment 1 Marja Van Waes 2023-02-09 21:02:10 CET
Assigning to the registered postgresql15 maintainer, CC'ing the registered postgresql13 maintainer.

CC: (none) => joequant, marja11
Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2023-02-10 14:56:03 CET
Suggested advisory:
========================

The updated packages fix some bugs and a security vulnerability, for postgresql13:

Client memory disclosure when connecting, with Kerberos, to modified server. (CVE-2022-41862)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41862
https://www.postgresql.org/about/news/postgresql-152-147-1310-1214-and-1119-released-2592/
========================

Updated packages in core/updates_testing:
========================
lib(64)pq5.11-11.19-1.mga8
lib(64)ecpg11_6-11.19-1.mga8
postgresql11-11.19-1.mga8
postgresql11-contrib-11.19-1.mga8
postgresql11-devel-11.19-1.mga8
postgresql11-docs-11.19-1.mga8
postgresql11-pl-11.19-1.mga8
postgresql11-plperl-11.19-1.mga8
postgresql11-plpgsql-11.19-1.mga8
postgresql11-plpython3-11.19-1.mga8
postgresql11-pltcl-11.19-1.mga8
postgresql11-server-11.19-1.mga8

lib(64)pq5-13.10-1.mga8
lib(64)ecpg13_6-13.10-1.mga8
postgresql13-13.10-1.mga8
postgresql13-contrib-13.10-1.mga8
postgresql13-devel-13.10-1.mga8
postgresql13-docs-13.10-1.mga8
postgresql13-pl-13.10-1.mga8
postgresql13-plperl-13.10-1.mga8
postgresql13-plpgsql-13.10-1.mga8
postgresql13-plpython3-13.10-1.mga8
postgresql13-pltcl-13.10-1.mga8
postgresql13-server-13.10-1.mga8

from SRPMS:
postgresql11-11.19-1.mga8.src.rpm
postgresql13-13.10-1.mga8.src.rpm

Status comment: Fixed upstream in 13.10 and 15.2 => (none)
CVE: (none) => CVE-2022-41862
Status: NEW => ASSIGNED
Source RPM: postgresql13, postgresql15 => postgresql13, postgresql11
CC: (none) => nicolas.salguero
Version: Cauldron => 8
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA8TOO => (none)
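An added check, not part of the bug report or of Mageia's own tooling: the advisory above lists the fixed builds (postgresql13 13.10-1.mga8 for CVE-2022-41862, postgresql11 11.19-1.mga8 as a bugfix release only), and the trap when verifying a host is that 13.10 sorts before 13.9 under plain string comparison. The script below compares installed package versions the way rpm does (numeric segments compared as numbers) and classifies each package. The `rpm -qa` output is a constructed sample, the `rpmvercmp` here is a simplified reimplementation of rpm's algorithm (no epoch, tilde or caret handling), and the source package is inferred from the major version, which holds for the subpackage set named in the advisory.

```python
"""Classify installed PostgreSQL packages against the fixed builds from this advisory.

Added example; assumptions: rpm -qa output is constructed, rpmvercmp is a
simplified reimplementation (no epoch, '~' or '^' handling).
"""
import re

# Fixed version-release per source package, as listed in the suggested advisory.
FIXED = {
    "postgresql13": ("13.10", "1.mga8"),
    "postgresql11": ("11.19", "1.mga8"),
}
# Only the 13 series is affected by CVE-2022-41862; 11.19 is a bugfix release.
AFFECTED_BY_CVE = {"postgresql13"}

# Constructed sample of `rpm -qa 'postgresql*' 'lib64pq5*'` output (not from the page):
# postgresql13 only partly updated, postgresql11 current, one old libpq for 11.
SAMPLE_RPM_QA = """\
postgresql13-server-13.9-1.mga8.x86_64
postgresql13-13.9-1.mga8.x86_64
postgresql13-contrib-13.10-1.mga8.x86_64
postgresql13-docs-13.10-1.mga8.noarch
postgresql11-server-11.19-1.mga8.x86_64
lib64pq5.11-11.10-2.mga8.x86_64
"""


def _segments(s):
    # rpm compares runs of digits and runs of letters as separate segments.
    return re.findall(r"\d+|[a-zA-Z]+", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp (simplified).

    Numeric segments compare numerically, so "13.10" > "13.9"; a numeric
    segment is considered newer than an alphabetic one at the same position.
    """
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the longer version string is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nevra(line):
    """Split 'name-version-release.arch' into (name, version, release)."""
    nvr, _arch = line.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def check_packages(rpm_qa_output):
    """Map each installed package to 'current', 'vulnerable' or 'outdated'.

    'vulnerable': below the fixed build of a series affected by the CVE.
    'outdated':   below the shipped bugfix build of an unaffected series.
    """
    results = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, release = parse_nevra(line)
        # All subpackages of one SRPM share its version, so the major
        # version identifies the source package (assumption for this set).
        srpm = "postgresql" + version.split(".")[0]
        if srpm not in FIXED:
            continue
        fixed_ver, fixed_rel = FIXED[srpm]
        cmp = rpmvercmp(version, fixed_ver) or rpmvercmp(release, fixed_rel)
        if cmp >= 0:
            status = "current"
        elif srpm in AFFECTED_BY_CVE:
            status = "vulnerable"
        else:
            status = "outdated"
        results[name] = status
    return results


if __name__ == "__main__":
    for pkg, status in check_packages(SAMPLE_RPM_QA).items():
        print(f"{status:10s} {pkg}")
```

On a real host, feed it the output of `rpm -qa 'postgresql*' 'lib*pq5*' 'lib*ecpg*'`; a host that shows any package as "vulnerable" has not fully received the postgresql13 13.10-1.mga8 update even if some subpackages already have.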

Comment 3 Herman Viaene 2023-02-14 16:59:55 CET
MGA8-64 MATE on Acer Aspire 5253
Installation issue: on this laptop both versions 11 and 13 are installed since previous versions. Now when selecting the 11's I get:
"Sorry, the following package cannot be selected:

- postgresql11-pl-11.19-1.mga8.x86_64 (due to conflicts with postgresql13-plpgsql-13.10-1.mga8.x86_64)"

CC: (none) => herman.viaene

Comment 4 Nicolas Salguero 2023-02-16 15:50:33 CET
Hi,

I have verified that this is not a new behaviour: I got the same message even with postgresql11-pl-11.10-2.mga8 and postgresql13-plpgsql-13.1-4.mga8.

Best regards,

Nico.
Comment 5 Herman Viaene 2023-02-17 15:35:06 CET
Installed 13 and used pgadmin4 to delete a test database from previous tests, create a new one, create a table with an automatic filled primary key, a unique index on another column and a time stamp, entered some data, all works OK.
I did not test the 11 since I'm wary about running two versions on a single machine. Never had 11 installed.
Comment 6 Brian Rockwell 2023-02-22 15:07:44 CET
$ uname -a
Linux localhost 5.15.88-desktop-1.mga8 #1 SMP Sat Jan 14 15:00:41 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux


The following 15 packages are going to be installed:

- lib64ecpg11_6-11.19-1.mga8.x86_64
- lib64openssl-devel-1.1.1q-1.mga8.x86_64
- lib64pq5.11-11.19-1.mga8.x86_64
- lib64zlib-devel-1.2.12-1.3.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- postgresql11-11.19-1.mga8.x86_64
- postgresql11-contrib-11.19-1.mga8.x86_64
- postgresql11-devel-11.19-1.mga8.x86_64
- postgresql11-docs-11.19-1.mga8.noarch
- postgresql11-pl-11.19-1.mga8.x86_64
- postgresql11-plperl-11.19-1.mga8.x86_64
- postgresql11-plpgsql-11.19-1.mga8.x86_64
- postgresql11-plpython3-11.19-1.mga8.x86_64
- postgresql11-pltcl-11.19-1.mga8.x86_64
- postgresql11-server-11.19-1.mga8.x86_64


started the service

# create database mageia8;
CREATE DATABASE

# create table mageia_versions (version varchar(25), available date);
CREATE TABLE

mageia8=# insert into mageia_versions values ('MGA1', '2011-06-01');
INSERT 0 1
mageia8=# insert into mageia_versions values ('MGA2', '2012-05-22');
INSERT 0 1
mageia8=# insert into mageia_versions values ('MGA3', '2013-05-19');
INSERT 0 1
mageia8=# create index mindex on mageia_versions(version);
CREATE INDEX
mageia8=# insert into mageia_versions values ('MGA4', '2014-02-1');
INSERT 0 1
mageia8=# insert into mageia_versions values ('MGA5', '2015-06-19');
INSERT 0 1
mageia8=# insert into mageia_versions values ('MGA5.1', '2016-12-2');
INSERT 0 1

# select * from mageia_versions;
 version | available  
---------+------------
 MGA1    | 2011-06-01
 MGA2    | 2012-05-22
 MGA3    | 2013-05-19
 MGA4    | 2014-02-01
 MGA5    | 2015-06-19
 MGA5.1  | 2016-12-02

mageia8=# insert into mageia_versions values ('test', '2023-2-22');
INSERT 0 1
mageia8=# select *
mageia8-# ;
ERROR:  SELECT * with no tables specified is not valid
LINE 1: select *
               ^
mageia8=# select * from mageia_versions;
 version | available  
---------+------------
 MGA1    | 2011-06-01
 MGA2    | 2012-05-22
 MGA3    | 2013-05-19
 MGA4    | 2014-02-01
 MGA5    | 2015-06-19
 MGA5.1  | 2016-12-02
 test    | 2023-02-22
(7 rows)

mageia8=# delete from mageia_versions      
mageia8-# where version = 'test';
DELETE 1
mageia8=# select * from mageia_versions;
 version | available  
---------+------------
 MGA1    | 2011-06-01
 MGA2    | 2012-05-22
 MGA3    | 2013-05-19
 MGA4    | 2014-02-01
 MGA5    | 2015-06-19
 MGA5.1  | 2016-12-02
(6 rows)

mageia8=# insert into mageia_versions values ('MGA6', '2017-7-16');
INSERT 0 1
mageia8=# insert into mageia_versions values ('MGA6.1', '2018-7-16');
INSERT 0 1
mageia8=# update mageia_versions set available = '2018-10-05'      
mageia8-# where version = 'MGA6.1';
UPDATE 1
mageia8=# select * from mageia_versions;
 version | available  
---------+------------
 MGA1    | 2011-06-01
 MGA2    | 2012-05-22
 MGA3    | 2013-05-19
 MGA4    | 2014-02-01
 MGA5    | 2015-06-19
 MGA5.1  | 2016-12-02
 MGA6    | 2017-07-16
 MGA6.1  | 2018-10-05
(8 rows)


working for me in basic tests.

CC: (none) => brtians1

Comment 7 Herman Viaene 2023-02-22 15:12:46 CET
With the two versions tested, giving the OK.

Whiteboard: (none) => MGA8-64-OK

Comment 8 Brian Rockwell 2023-02-22 15:26:26 CET
$ uname -a
Linux localhost.localdomain 5.15.88-desktop-1.mga8 #1 SMP Sat Jan 14 15:35:24 UTC 2023 i686 i686 i386 GNU/Linux

The following 15 packages are going to be installed:

- libecpg13_6-13.10-1.mga8.i586
- libopenssl-devel-1.1.1q-1.mga8.i586
- libpq5-13.10-1.mga8.i586
- libzlib-devel-1.2.12-1.3.mga8.i586
- multiarch-utils-1.0.14-3.mga8.noarch
- postgresql13-13.10-1.mga8.i586
- postgresql13-contrib-13.10-1.mga8.i586
- postgresql13-devel-13.10-1.mga8.i586
- postgresql13-docs-13.10-1.mga8.noarch
- postgresql13-pl-13.10-1.mga8.i586
- postgresql13-plperl-13.10-1.mga8.i586
- postgresql13-plpgsql-13.10-1.mga8.i586
- postgresql13-plpython3-13.10-1.mga8.i586
- postgresql13-pltcl-13.10-1.mga8.i586
- postgresql13-server-13.10-1.mga8.i586


started service

# su - postgres

[postgres@localhost ~]$ psql -versionexi
psql (13.10)


well it runs


------

postgres=# create database mageia
postgres-# ;
CREATE DATABASE
postgres=# \connect mageia
You are now connected to database "mageia" as user "postgres".
mageia=# create table mageia_versions;
ERROR:  syntax error at or near ";"
LINE 1: create table mageia_versions;
                                    ^
mageia=# create table mageia_versions (version varchar(25), available date);
CREATE TABLE
mageia=# 

seems to respond

Whiteboard: MGA8-64-OK => MGA8-64-OK MGA8-32-OK

Comment 9 Thomas Andrews 2023-02-23 23:59:10 CET
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-02-25 20:26:19 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 10 Mageia Robot 2023-02-27 21:29:03 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0064.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

