Bug 31912 - postgresql new security issues CVE-2023-245[45]
Summary: postgresql new security issues CVE-2023-245[45]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal; Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-05-11 16:57 CEST by David Walser
Modified: 2023-05-31 08:42 CEST
CC List: 6 users

See Also:
Source RPM: postgresql13, postgresql11
CVE:
Status comment:


Description David Walser 2023-05-11 16:57:32 CEST
PostgreSQL has released new versions today (May 11):
https://www.postgresql.org/about/news/postgresql-153-148-1311-1215-and-1120-released-2637/

The issues are fixed upstream in 11.20, 13.11, and 15.3.

Mageia 8 is also affected.
David Walser 2023-05-11 16:58:56 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 11.20, 13.11, and 15.3

Comment 1 Nicolas Salguero 2023-05-12 10:35:17 CEST
Suggested advisory:
========================

The updated packages fix some bugs and security vulnerabilities:

CREATE SCHEMA ... schema_element defeats protective search_path changes. (CVE-2023-2454)

Row security policies disregard user ID changes after inlining. (CVE-2023-2455)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2454
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2455
https://www.postgresql.org/about/news/postgresql-153-148-1311-1215-and-1120-released-2637/
========================

Updated packages in core/updates_testing:
========================
lib(64)pq5.11-11.20-1.mga8
lib(64)ecpg11_6-11.20-1.mga8
postgresql11-11.20-1.mga8
postgresql11-contrib-11.20-1.mga8
postgresql11-devel-11.20-1.mga8
postgresql11-docs-11.20-1.mga8
postgresql11-pl-11.20-1.mga8
postgresql11-plperl-11.20-1.mga8
postgresql11-plpgsql-11.20-1.mga8
postgresql11-plpython3-11.20-1.mga8
postgresql11-pltcl-11.20-1.mga8
postgresql11-server-11.20-1.mga8

lib(64)pq5-13.11-1.mga8
lib(64)ecpg13_6-13.11-1.mga8
postgresql13-13.11-1.mga8
postgresql13-contrib-13.11-1.mga8
postgresql13-devel-13.11-1.mga8
postgresql13-docs-13.11-1.mga8
postgresql13-pl-13.11-1.mga8
postgresql13-plperl-13.11-1.mga8
postgresql13-plpgsql-13.11-1.mga8
postgresql13-plpython3-13.11-1.mga8
postgresql13-pltcl-13.11-1.mga8
postgresql13-server-13.11-1.mga8

from SRPMS:
postgresql11-11.20-1.mga8.src.rpm
postgresql13-13.11-1.mga8.src.rpm

Status: NEW => ASSIGNED
Source RPM: postgresql15, postgresql13, postgresql11 => postgresql13, postgresql11
Version: Cauldron => 8
Assignee: bugsquad => qa-bugs
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 11.20, 13.11, and 15.3 => (none)
CC: (none) => nicolas.salguero

Comment 2 Herman Viaene 2023-05-15 15:23:09 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues for 13
Used pgadmin4 to delete a test database from previous tests, create a new one (testtab1311), create a table with an automatically filled primary key, a unique index on another column and a timestamp, and entered some data; all works OK.

CC: (none) => herman.viaene

Comment 3 Brian Rockwell 2023-05-22 19:44:45 CEST
MGA8-64, vbox, Gnome

The following 10 packages are going to be installed:

- lib64pq5.11-11.20-1.mga8.x86_64
- postgresql11-11.20-1.mga8.x86_64
- postgresql11-contrib-11.20-1.mga8.x86_64
- postgresql11-docs-11.20-1.mga8.noarch
- postgresql11-pl-11.20-1.mga8.x86_64
- postgresql11-plperl-11.20-1.mga8.x86_64
- postgresql11-plpgsql-11.20-1.mga8.x86_64
- postgresql11-plpython3-11.20-1.mga8.x86_64
- postgresql11-pltcl-11.20-1.mga8.x86_64
- postgresql11-server-11.20-1.mga8.x86_64

65MB of additional disk space will be used.

Started the server, created a database and a table.

Next, inserted some data - nothing fancy.

bkr=# \dt
              List of relations
 Schema |      Name       | Type  |  Owner   
--------+-----------------+-------+----------
 public | mageia_versions | table | postgres
(1 row)

bkr=# select * from mageia_versions
bkr-# ;
 mver | crdate 
------+--------
(0 rows)

bkr=# insert into mageia_versions values ('1','12-1-2012');
INSERT 0 1
bkr=# insert into mageia_versions values ('2','11-22-2013');
INSERT 0 1
bkr=# insert into mageia_versions values ('3','11-16-2014');
INSERT 0 1
bkr=# select * from mageia_versions;
 mver |   crdate   
------+------------
 1    | 2012-12-01
 2    | 2013-11-22
 3    | 2014-11-16
(3 rows)

bkr=# 

works

Whiteboard: (none) => MGA8-64-OK
CC: (none) => brtians1

Comment 4 Thomas Andrews 2023-05-23 13:43:44 CEST
Validating. Advisory in comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-05-30 18:28:26 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2023-05-31 08:42:42 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0187.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

