PostgreSQL has released new versions on August 8: https://www.postgresql.org/about/news/postgresql-164-158-1413-1316-1220-and-17-beta-3-released-2910/ The issue is fixed upstream in 13.16 and 15.8. For Cauldron, we should switch to postgresql17 and postgresql15 in place of postgresql15 and postgresql13. Mageia 9 is also affected.
Source RPM: (none) => postgresql15, postgresql13
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-7348
Assigning to yourself, since you're the registered maintainer of postgresql15. CC'ing the registered maintainer of postgresql13
Assignee: bugsquad => nicolas.salguero
CC: (none) => joequant, marja11
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. (CVE-2024-7348)

References:
https://www.postgresql.org/about/news/postgresql-164-158-1413-1316-1220-and-17-beta-3-released-2910/
https://www.postgresql.org/support/security/CVE-2024-7348/
========================

Updated packages in core/updates_testing:
========================
lib(64)ecpg15_6-15.8-1.mga9
lib(64)pq5-15.8-1.mga9
postgresql15-15.8-1.mga9
postgresql15-contrib-15.8-1.mga9
postgresql15-devel-15.8-1.mga9
postgresql15-docs-15.8-1.mga9
postgresql15-pl-15.8-1.mga9
postgresql15-plperl-15.8-1.mga9
postgresql15-plpgsql-15.8-1.mga9
postgresql15-plpython3-15.8-1.mga9
postgresql15-pltcl-15.8-1.mga9
postgresql15-server-15.8-1.mga9

lib(64)ecpg13_6-13.16-1.mga9
lib(64)pq5.13-13.16-1.mga9
postgresql13-13.16-1.mga9
postgresql13-contrib-13.16-1.mga9
postgresql13-devel-13.16-1.mga9
postgresql13-docs-13.16-1.mga9
postgresql13-pl-13.16-1.mga9
postgresql13-plperl-13.16-1.mga9
postgresql13-plpgsql-13.16-1.mga9
postgresql13-plpython3-13.16-1.mga9
postgresql13-pltcl-13.16-1.mga9
postgresql13-server-13.16-1.mga9

from SRPMS:
postgresql15-15.8-1.mga9.src.rpm
postgresql13-13.16-1.mga9.src.rpm
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 9
Keywords: (none) => advisory
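The advisory above names the vulnerable component (pg_dump) and the upstream announcement it links names the minor releases that carry the fix (16.4, 15.8, 14.13, 13.16, 12.20). The following is an added example, not part of this bug report or of Mageia's tooling: a small Python check that reads version banners (as printed by `psql --version` or `pg_dump --version`) or RPM file names like the ones in the package list, extracts the major.minor release, and reports whether that release predates the fix. The fixed-minor table is taken from the announcement; every sample input line is constructed, and the 17beta3 banner is deliberately reported as "unknown" because 17 had no fixed minor release at the time.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minor releases carrying the pg_dump fix for CVE-2024-7348, taken from the
# upstream release announcement linked in the report (16.4, 15.8, 14.13,
# 13.16, 12.20). 17 was still in beta, so it has no fixed minor here.
FIXED_MINOR: Dict[int, int] = {16: 4, 15: 8, 14: 13, 13: 16, 12: 20}

# First "major.minor" token in a psql/pg_dump banner ("psql (15.8)") or in an
# RPM file name ("postgresql15-server-15.8-1.mga9.x86_64"). The word
# boundaries skip the "5.13" inside "lib64pq5.13-..." because "q5" is one word.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a version banner or package name, else None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def is_fixed(major: int, minor: int) -> Optional[bool]:
    """True if the release carries the fix, False if it predates it, None if
    the major line is not in the table (unknown rather than silently 'ok')."""
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        return None
    return minor >= fixed


def assess(lines: List[str]) -> Dict[str, str]:
    """Classify each input line as 'fixed', 'vulnerable' or 'unknown'."""
    result: Dict[str, str] = {}
    for line in lines:
        parsed = parse_version(line)
        if parsed is None:
            result[line] = "unknown"
            continue
        verdict = is_fixed(*parsed)
        if verdict is None:
            result[line] = "unknown"
        else:
            result[line] = "fixed" if verdict else "vulnerable"
    return result


# Constructed sample: a banner from an unpatched client, two package names
# copied from the update's package list, one made-up older build and a beta.
SAMPLE = [
    "pg_dump (PostgreSQL) 15.7",               # constructed: pre-fix client
    "postgresql15-server-15.8-1.mga9.x86_64",  # from the update
    "lib64pq5.13-13.16-1.mga9.x86_64",         # from the update
    "postgresql13-13.15-1.mga9.x86_64",        # constructed: pre-fix build
    "psql (17beta3)",                          # constructed: no fixed minor
]

if __name__ == "__main__":
    for name, verdict in assess(SAMPLE).items():
        print(f"{verdict:10s} {name}")
```

Because the flaw is in the pg_dump client, the binary that actually takes the backup is the one whose version matters; checking the server's `SELECT version()` as well costs nothing and catches mixed-version setups where a client from another host performs the dump.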
MGA9-64, Xfce

The following 5 packages are going to be installed:
- lib64pq5-15.8-1.mga9.x86_64
- postgresql15-15.8-1.mga9.x86_64
- postgresql15-docs-15.8-1.mga9.noarch
- postgresql15-plpgsql-15.8-1.mga9.x86_64
- postgresql15-server-15.8-1.mga9.x86_64
71MB of additional disk space will be used.

-- started postgresql service
su'd to postgres ID

$ psql
psql (15.8)
Type "help" for help.

postgres=# create database mageia;
CREATE DATABASE
postgres=# \c mageia
You are now connected to database "mageia" as user "postgres".
mageia=# create table mag_versions (name varchar(12), cr_date date);
CREATE TABLE
mageia=# insert into mag_versions values ('9', '26-Aug-2023');
INSERT 0 1
mageia=# insert into mag_versions values ('8', '2-Feb-2021');
INSERT 0 1
mageia=# select * from mag_versions;
 name |  cr_date
------+------------
 9    | 2023-08-26
 8    | 2021-02-02
(2 rows)

mageia=# create index magidx on mag_versions(name);
CREATE INDEX
mageia=# insert into mag_versions values ('7', '2-Mar-2019');
INSERT 0 1
mageia=# select * from mag_versions;
 name |  cr_date
------+------------
 9    | 2023-08-26
 8    | 2021-02-02
 7    | 2019-03-02
(3 rows)

mageia=# \q

minor testing, but working as expected.
CC: (none) => brtians1
MGA9-64

The following 10 packages are going to be installed:
- lib64pq5.13-13.16-1.mga9.x86_64
- postgresql13-13.16-1.mga9.x86_64
- postgresql13-contrib-13.16-1.mga9.x86_64
- postgresql13-docs-13.16-1.mga9.noarch
- postgresql13-pl-13.16-1.mga9.x86_64
- postgresql13-plperl-13.16-1.mga9.x86_64
- postgresql13-plpgsql-13.16-1.mga9.x86_64
- postgresql13-plpython3-13.16-1.mga9.x86_64
- postgresql13-pltcl-13.16-1.mga9.x86_64
- postgresql13-server-13.16-1.mga9.x86_64
68MB of additional disk space will be used.

-- rebooted and started services

$ psql
psql (13.16)
Type "help" for help.

postgres=# create database mageia;
CREATE DATABASE
postgres=# \c mageia
You are now connected to database "mageia" as user "postgres".
mageia=# create table mag_versions (name varchar(12), cr_date date);
CREATE TABLE
mageia=# create index magidx on mag_versions(name);
CREATE INDEX
mageia=# insert into mag_versions values ('9', '26-Aug-2023');
INSERT 0 1
mageia=# insert into mag_versions values ('Mageia 8', '2-Sep-2021');
INSERT 0 1
mageia=# insert into mag_versions values ('Mageia 2029', '2-Sep-2029');
INSERT 0 1
mageia=#
mageia=# select * from mag_versions;
    name     |  cr_date
-------------+------------
 9           | 2023-08-26
 Mageia 8    | 2021-09-02
 Mageia 2029 | 2029-09-02
(3 rows)

working as expected.
Whiteboard: (none) => MGA9-64-OK
MGA9-32

The following 5 packages are going to be installed:
- libpq5-15.8-1.mga9.i586
- postgresql15-15.8-1.mga9.i586
- postgresql15-contrib-15.8-1.mga9.i586
- postgresql15-plpgsql-15.8-1.mga9.i586
- postgresql15-server-15.8-1.mga9.i586
59MB of additional disk space will be used.

- repeated the same tests
- it worked.
MGA9-32

The following 6 packages are going to be installed:
- libpq5.13-13.16-1.mga9.i586
- postgresql13-13.16-1.mga9.i586
- postgresql13-contrib-13.16-1.mga9.i586
- postgresql13-plpgsql-13.16-1.mga9.i586
- postgresql13-pltcl-13.16-1.mga9.i586
- postgresql13-server-13.16-1.mga9.i586
54MB of additional disk space will be used.

-- started services

$ psql
could not change directory to "/home/brian": Permission denied
psql (13.16)
Type "help" for help.

postgres=#

and the rest of steps. Working for me
Whiteboard: MGA9-64-OK => MGA9-64-OK MGA9-32-OK
CC: (none) => andrewsfarm
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0301.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED