PostgreSQL has released new versions on August 10:
https://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/

CVE-2023-39418 only affects postgresql15.

The issues are fixed upstream in 11.21, 13.12, and 15.4.

Mageia 8 and 9 are also affected.
Source RPM: (none) => postgresql15, postgresql13, postgresql11
Assignee: bugsquad => nicolas.salguero
CC: (none) => nicolas.salguero
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Extension script @substitutions@ within quoting allow SQL injection. (CVE-2023-39417)

MERGE fails to enforce UPDATE or SELECT row security policies. (CVE-2023-39418)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39417
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39418
https://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/
========================

Updated packages in 8/core/updates_testing:
========================
lib(64)ecpg13_6-13.12-1.mga8
lib(64)pq5-13.12-1.mga8
postgresql13-13.12-1.mga8
postgresql13-contrib-13.12-1.mga8
postgresql13-devel-13.12-1.mga8
postgresql13-docs-13.12-1.mga8
postgresql13-pl-13.12-1.mga8
postgresql13-plperl-13.12-1.mga8
postgresql13-plpgsql-13.12-1.mga8
postgresql13-plpython3-13.12-1.mga8
postgresql13-pltcl-13.12-1.mga8
postgresql13-server-13.12-1.mga8

lib(64)ecpg11_6-11.21-1.mga8
lib(64)pq5.11-11.21-1.mga8
postgresql11-11.21-1.mga8
postgresql11-contrib-11.21-1.mga8
postgresql11-devel-11.21-1.mga8
postgresql11-docs-11.21-1.mga8
postgresql11-pl-11.21-1.mga8
postgresql11-plperl-11.21-1.mga8
postgresql11-plpgsql-11.21-1.mga8
postgresql11-plpython3-11.21-1.mga8
postgresql11-pltcl-11.21-1.mga8
postgresql11-server-11.21-1.mga8

from SRPMS:
postgresql13-13.12-1.mga8.src.rpm
postgresql11-11.21-1.mga8.src.rpm

Updated packages in 9/core/updates_testing:
========================
lib(64)ecpg15_6-15.4-1.mga9
lib(64)pq5-15.4-1.mga9
postgresql15-15.4-1.mga9
postgresql15-contrib-15.4-1.mga9
postgresql15-devel-15.4-1.mga9
postgresql15-docs-15.4-1.mga9
postgresql15-pl-15.4-1.mga9
postgresql15-plperl-15.4-1.mga9
postgresql15-plpgsql-15.4-1.mga9
postgresql15-plpython3-15.4-1.mga9
postgresql15-pltcl-15.4-1.mga9
postgresql15-server-15.4-1.mga9

lib(64)ecpg13_6-13.12-1.mga9
lib(64)pq5.13-13.12-1.mga9
postgresql13-13.12-1.mga9
postgresql13-contrib-13.12-1.mga9
postgresql13-devel-13.12-1.mga9
postgresql13-docs-13.12-1.mga9
postgresql13-pl-13.12-1.mga9
postgresql13-plperl-13.12-1.mga9
postgresql13-plpgsql-13.12-1.mga9
postgresql13-plpython3-13.12-1.mga9
postgresql13-pltcl-13.12-1.mga9
postgresql13-server-13.12-1.mga9

from SRPMS:
postgresql15-15.4-1.mga9.src.rpm
postgresql13-13.12-1.mga9.src.rpm
Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 9
Whiteboard: (none) => MGA8TOO
MGA9-64, Gnome, Nextcloud, Intel (legacy)

This is an upgrade from 15.3

The following 4 packages are going to be installed:

- lib64pq5-15.4-1.mga9.x86_64
- postgresql15-15.4-1.mga9.x86_64
- postgresql15-plpgsql-15.4-1.mga9.x86_64
- postgresql15-server-15.4-1.mga9.x86_64

77KB of additional disk space will be used.

rebooted

Nextcloud working
CC: (none) => brtians1
Fresh install MGA8-64, Mate

The following 17 packages are going to be installed:

- lib64ecpg11_6-11.21-1.mga8.x86_64
- lib64openssl-devel-1.1.1v-1.mga8.x86_64
- lib64openssl1.1-1.1.1v-1.mga8.x86_64
- lib64pq5.11-11.21-1.mga8.x86_64
- lib64zlib-devel-1.2.12-1.3.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- openssl-1.1.1v-1.mga8.x86_64
- postgresql11-11.21-1.mga8.x86_64
- postgresql11-contrib-11.21-1.mga8.x86_64
- postgresql11-devel-11.21-1.mga8.x86_64
- postgresql11-docs-11.21-1.mga8.noarch
- postgresql11-pl-11.21-1.mga8.x86_64
- postgresql11-plperl-11.21-1.mga8.x86_64
- postgresql11-plpgsql-11.21-1.mga8.x86_64
- postgresql11-plpython3-11.21-1.mga8.x86_64
- postgresql11-pltcl-11.21-1.mga8.x86_64
- postgresql11-server-11.21-1.mga8.x86_64

81MB of additional disk space will be used.

started service
su into postgres ID
psql

create database mageia;
\c mageia;
create table mag_versions (name varchar(12), cr_date date);
insert into mag_versions values ('9', '26-Aug-2023');
insert into mag_versions values ('8', '2-Feb-2021');
select * from mag_versions;
 name |  cr_date
------+------------
 9    | 2023-08-26
 8    | 2021-02-02
(2 rows)

create index magidx on mag_versions(name);
\quit

All of these commands are working.

Works for me
MGA8-64 New build

The following 17 packages are going to be installed:

- lib64ecpg13_6-13.12-1.mga8.x86_64
- lib64openssl-devel-1.1.1v-1.mga8.x86_64
- lib64openssl1.1-1.1.1v-1.mga8.x86_64
- lib64pq5-13.12-1.mga8.x86_64
- lib64zlib-devel-1.2.12-1.3.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- openssl-1.1.1v-1.mga8.x86_64
- postgresql13-13.12-1.mga8.x86_64
- postgresql13-contrib-13.12-1.mga8.x86_64
- postgresql13-devel-13.12-1.mga8.x86_64
- postgresql13-docs-13.12-1.mga8.noarch
- postgresql13-pl-13.12-1.mga8.x86_64
- postgresql13-plperl-13.12-1.mga8.x86_64
- postgresql13-plpgsql-13.12-1.mga8.x86_64
- postgresql13-plpython3-13.12-1.mga8.x86_64
- postgresql13-pltcl-13.12-1.mga8.x86_64
- postgresql13-server-13.12-1.mga8.x86_64

86MB of additional disk space will be used.

started service
psql

postgres=# create database mageia;
CREATE DATABASE
postgres=# \c mageia;
You are now connected to database "mageia" as user "postgres".
mageia=# create table mag_versions (name varchar(12), cr_date date);
CREATE TABLE
mageia=# insert into mag_versions values ('9', '26-Aug-2023');
INSERT 0 1
mageia=# insert into mag_versions values ('8', '2-May-2021');
INSERT 0 1
mageia=# create index magidx on mag_versions(name);
CREATE INDEX
mageia=# select * from mag_versions;
 name |  cr_date
------+------------
 9    | 2023-08-26
 8    | 2021-05-02
(2 rows)

working as expected
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
MGA9-64

The following 17 packages are going to be installed:

- lib64ecpg13_6-13.12-1.mga9.x86_64
- lib64openssl-devel-3.0.10-1.mga9.x86_64
- lib64openssl3-3.0.10-1.mga9.x86_64
- lib64pq5.13-13.12-1.mga9.x86_64
- lib64zlib-devel-1.2.13-1.mga9.x86_64
- multiarch-utils-1.0.15-1.mga9.noarch
- openssl-3.0.10-1.mga9.x86_64
- postgresql13-13.12-1.mga9.x86_64
- postgresql13-contrib-13.12-1.mga9.x86_64
- postgresql13-devel-13.12-1.mga9.x86_64
- postgresql13-docs-13.12-1.mga9.noarch
- postgresql13-pl-13.12-1.mga9.x86_64
- postgresql13-plperl-13.12-1.mga9.x86_64
- postgresql13-plpgsql-13.12-1.mga9.x86_64
- postgresql13-plpython3-13.12-1.mga9.x86_64
- postgresql13-pltcl-13.12-1.mga9.x86_64
- postgresql13-server-13.12-1.mga9.x86_64

84MB of additional disk space will be used.

su'd to postgres
psql

postgres=# create database mageia;
CREATE DATABASE
postgres=# \c mageia;
You are now connected to database "mageia" as user "postgres".
mageia=# create table mag_versions (name varchar(12), cr_date date);
CREATE TABLE
mageia=# create index magidx on mag_versions(name);
CREATE INDEX
mageia=# insert into mag_versions values ('9', '26-Aug-2023');
INSERT 0 1
mageia=# insert into mag_versions values ('8', '21-May-2021');
INSERT 0 1
mageia=# select * from mag_versions;
 name |  cr_date
------+------------
 9    | 2023-08-26
 8    | 2021-05-21
(2 rows)
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
MGA9-32

The following 20 packages are going to be installed:

- glibc-devel-2.36-45.mga9.i586
- kernel-userspace-headers-6.4.14-1.mga9.i586
- libecpg13_6-13.12-1.mga9.i586
- libopenssl-devel-3.0.10-1.mga9.i586
- libopenssl3-3.0.10-1.mga9.i586
- libpq5.13-13.12-1.mga9.i586
- libxcrypt-devel-4.4.33-3.mga9.i586
- libzlib-devel-1.2.13-1.mga9.i586
- multiarch-utils-1.0.15-1.mga9.noarch
- openssl-3.0.10-1.mga9.i586
- postgresql13-13.12-1.mga9.i586
- postgresql13-contrib-13.12-1.mga9.i586
- postgresql13-devel-13.12-1.mga9.i586
- postgresql13-docs-13.12-1.mga9.noarch
- postgresql13-pl-13.12-1.mga9.i586
- postgresql13-plperl-13.12-1.mga9.i586
- postgresql13-plpgsql-13.12-1.mga9.i586
- postgresql13-plpython3-13.12-1.mga9.i586
- postgresql13-pltcl-13.12-1.mga9.i586
- postgresql13-server-13.12-1.mga9.i586

92MB of additional disk space will be used.

started service

psql (13.12)
Type "help" for help.

postgres=# create database mageia;
CREATE DATABASE
postgres=# \c mageia
You are now connected to database "mageia" as user "postgres".
mageia=# create table mag_versions (name varchar(12), cr_date date);
CREATE TABLE
mageia=# insert into mag_versions values ('9', '28-Aug-2023');
INSERT 0 1
mageia=# insert into mag_versions values ('8', '2-May-2021');
INSERT 0 1
mageia=# create index magidx on mag_versions(name);
CREATE INDEX
mageia=# select * from mag_versions;
 name |  cr_date
------+------------
 9    | 2023-08-28
 8    | 2021-05-02
(2 rows)

mageia=# \q

32-bit working as expected, stopping here.
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK MGA9-32-OK
Validating. Advisory in comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0261.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED