The postgresql8.4 and postgresql9.0 packages have been updated to the latest versions, in order to fix several CVE issues:

* CVE-2012-0866: Permissions on a function called by a trigger are not checked.
* CVE-2012-0867: SSL certificate name checks are truncated to 32 characters, allowing connection spoofing under some circumstances.
* CVE-2012-0868: Line breaks in object names can be exploited to execute code when loading a pg_dump file.
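Added example for the CVE-2012-0867 item above. It is not code from the bug report, Mageia, or PostgreSQL: it models the libpq check the advisory describes (a server certificate common name truncated to 32 characters before the hostname comparison) next to the corrected comparison, using constructed hostnames and an attacker domain that are assumptions of the example. It only models the truncation; real libpq matching has further rules that are out of scope here.

```python
# Added example (not from the bug report, Mageia, or PostgreSQL): models the
# 32-character CN truncation behind CVE-2012-0867 against the fixed check.
# All hostnames below are constructed for illustration.

CN_BUFFER_LEN = 32  # truncation length named in the advisory


def cn_matches_vulnerable(hostname: str, cert_cn: str) -> bool:
    """Pre-fix check: the CN is copied into a fixed 32-byte buffer, so
    anything past the 32nd character is silently dropped before comparing."""
    truncated_cn = cert_cn[:CN_BUFFER_LEN]
    return truncated_cn.lower() == hostname.lower()


def cn_matches_fixed(hostname: str, cert_cn: str) -> bool:
    """Post-fix check: the whole CN is compared, whatever its length."""
    return cert_cn.lower() == hostname.lower()


def spoof_cn(hostname: str, attacker_domain: str) -> str:
    """A CN the attacker can plausibly obtain a certificate for, because it
    sits under a domain the attacker controls. It only fools the truncated
    check when the victim hostname is exactly 32 characters: then the first
    32 characters of the CN are the victim hostname and the rest is dropped."""
    return f"{hostname}.{attacker_domain}"


def truncation_spoofable(hostname: str) -> bool:
    """The 'some circumstances' from the advisory, as a predicate."""
    return len(hostname) == CN_BUFFER_LEN


# Constructed victim and attacker names (assumptions of this example).
VICTIM_HOST = "db-primary-eu-west1.corp.example"   # exactly 32 characters
SHORT_HOST = "db.corp.example"                     # 15 characters
ATTACKER_DOMAIN = "attacker.example"


if __name__ == "__main__":
    for host in (VICTIM_HOST, SHORT_HOST):
        cn = spoof_cn(host, ATTACKER_DOMAIN)
        print(f"{host!r} vs {cn!r}: vulnerable={cn_matches_vulnerable(host, cn)}, "
              f"fixed={cn_matches_fixed(host, cn)}")
```

The other side of the same bug is worth noting when testing the update: before the fix, a legitimate server whose hostname is longer than 32 characters can never pass the check, so `sslmode=verify-full` connections to such hosts fail; after the fix they work.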
Testing complete on i586 for the srpm postgresql9.0-9.0.7-1.mga1.src.rpm

Just testing that creating a database/table, etc. works using webmin, after fixing the paths in the webmin module config.
CC: (none) => davidwhodgins
Just some additional information for reference, Mandriva issued an advisory for this same update today (February 29):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:026

Other references:
http://www.postgresql.org/docs/8.4/static/release-8-4-11.html
http://www.postgresql.org/docs/9.0/static/release-9-0-7.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0866
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0868
CC: (none) => luigiwalser
Testing postgresql9.0 x86_64 using drupal and some instructions from here:
http://pgedit.com/install_drupal
http://drupal.org/documentation/install/create-database

Testing will also be necessary for postgresql8.4 but IIRC that isn't possible with drupal.

I had to remove an old log file due to previously removing user postgres.

# service postgresql start
Initialising database:                                          [  OK  ]
Starting postgresql service:                                    [  OK  ]

# urpmi drupal
In order to satisfy the 'drupal-database-storage' dependency, one of the following packages is needed:
 1- drupal-mysqli-7.0-1.mga1.noarch: mysqli storage of druapl (to install)
 2- drupal-sqlite-7.0-1.mga1.noarch: sqlite storage of druapl (to install)
 3- drupal-mysql-7.0-1.mga1.noarch: mysql storage of druapl (to install)
 4- drupal-postgresql-7.0-1.mga1.noarch: postgresql storage of drupal (to install)
What is your choice? (1-4) 4
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release")
  drupal                         7.0          1.mga1        noarch
(medium "Core 32bit Release")
  drupal-postgresql              7.0          1.mga1        noarch  (suggested)

# urpmi php-pdo_pgsql

# su postgres
$ createuser drupal --pwprompt --encrypted
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
$ createdb --encoding=UNICODE --template=template0 --owner=drupal drupal

Browsed to localhost/drupal and completed the installation process, added forums etc.
# urpme drupal
To satisfy dependencies, the following 2 packages will be removed (10MB):
  drupal-7.0-1.mga1.noarch
  drupal-postgresql-7.0-1.mga1.noarch
   (due to unsatisfied drupal == 7.0)
Remove 2 packages? (y/N) y

# su postgres
$ dropdb drupal
$ dropuser drupal
$ exit

# service postgresql stop
Stopping postgresql service:                                    [  OK  ]

# urpme postgresql9.0
removing postgresql9.0-9.0.7-1.mga1.x86_64
removing package postgresql9.0-9.0.7-1.mga1.x86_64

# urpme postgresql9.0-server
To satisfy dependencies, the following 2 packages will be removed (15MB):
  postgresql9.0-plpgsql-9.0.7-1.mga1.x86_64
   (due to unsatisfied postgresql-server-ABI(lib64) == 9.0, due to unsatisfied postgresql9.0-server == 9.0.7)
  postgresql9.0-server-9.0.7-1.mga1.x86_64
   (due to unsatisfied postgresql-plpgsql == 9.0.7-1.mga1)
Remove 2 packages? (y/N) y

# rpm -e --nodeps lib64pq9.0_5

# urpmi postgresql8.4
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Updates Testing")
  lib64pq8.4_5                   8.4.11       1.mga1        x86_64
  postgresql8.4                  8.4.11       1.mga1        x86_64
5.8MB of additional disk space will be used.
1.1MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y

# rm -rf /var/lib/pgsql/data

# urpmi postgresql8.4-server
    ftp://ftp.linuxcabal.org/pub/mirrors/Mageia/distrib/1/x86_64/media/core/updates_testing/postgresql8.4-server-8.4.11-1.mga1.x86_64.rpm
installing postgresql8.4-server-8.4.11-1.mga1.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ###############################################
      1/1: postgresql8.4-server  ###############################################
----------------------------------------------------------------------
More information on package postgresql8.4-server-8.4.11-1.mga1.x86_64

You just installed or updated postgresql server.
You can find important information about mandriva postgresql rpms and
database management in:
    /usr/share/doc/postgresql8.4-server/postgresql.mdv.releasenote
Please read it.
----------------------------------------------------------------------

Mentions of mandriva should be removed.
# urpme php-pdo_pgsql
removing php-pdo_pgsql-5.3.10-1.mga1.x86_64
removing package php-pdo_pgsql-3:5.3.10-1.mga1.x86_64
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

# urpmi php-pdo_pgsql
The following packages have to be removed for others to be upgraded:
  lib64pq8.4_5-8.4.11-1.mga1.x86_64
   (due to conflicts with lib64pq9.0_5-9.0.7-1.mga1.x86_64)
  postgresql8.4-8.4.11-1.mga1.x86_64
   (due to conflicts with postgresql9.0-9.0.7-1.mga1.x86_64)
  postgresql8.4-server-8.4.11-1.mga1.x86_64
   (due to unsatisfied lib64pq8.4_5 >= 8.4.11-1.mga1)
(y/N) n

Should there be a version of php-pdo_pgsql for postgresql8.4?
Ping Funda :)

Should there be a version of php-pdo_pgsql for postgresql8.4?
(In reply to comment #6)
> Should there be a version of php-pdo_pgsql for postgresql8.4?

I don't know :( There are a lot of binary deps on libpg.so.5, which is really a problem if we ship multiple branches of pgsql. But I don't know how to solve it. Anyway, it is another problem, which has nothing to do with the security issues in this bug.
Tested postgresql8.4 with pgadmin3 as we're currently unable to use it with drupal. Created a database and a user and made the user the owner of the database, then deleted them both.

Testing complete on x86_64 for 8.4 and 9.0. I think 8.4 still needs testing on i586.
I'll be testing 8.5 on i586 shortly.
Testing complete on i586 for the srpm postgresql8.4-8.4.11-1.mga1.src.rpm

Could someone from the sysadmin team push the srpms
postgresql9.0-9.0.7-1.mga1.src.rpm
postgresql8.4-8.4.11-1.mga1.src.rpm
from Core Updates Testing to Core Updates.

Advisory:

This security update for postgresql fixes
* CVE-2012-0866: Permissions on a function called by a trigger are not checked.
* CVE-2012-0867: SSL certificate name checks are truncated to 32 characters, allowing connection spoofing under some circumstances.
* CVE-2012-0868: Line breaks in object names can be exploited to execute code when loading a pg_dump file.

Other references:
http://www.postgresql.org/docs/8.4/static/release-8-4-11.html
http://www.postgresql.org/docs/9.0/static/release-9-0-7.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0866
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0868
https://bugs.mageia.org/show_bug.cgi?id=4727
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
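Added example for the CVE-2012-0868 item in the advisory above. It is not code from the bug report, Mageia, or PostgreSQL: it models the "-- Name:" header that pg_dump writes before each object, the fix that the 8.4.11/9.0.7 release notes linked above describe (line breaks in the name replaced by spaces), and a small psql-style statement splitter, with a constructed hostile table name. The header layout, the `app` owner, the table name and the splitter are assumptions of the example, not pg_dump's or psql's real code.

```python
# Added example (not from the bug report, Mageia, or PostgreSQL): models the
# pg_dump comment-line problem behind CVE-2012-0868. Header layout, object
# name and the splitter are constructed for illustration.


def name_comment_vulnerable(name: str, obj_type: str) -> str:
    """Pre-fix header: the name is written verbatim, so a newline inside it
    ends the SQL comment early and whatever follows is executed on restore."""
    return f"-- Name: {name}; Type: {obj_type}; Schema: public; Owner: app\n"


def name_comment_fixed(name: str, obj_type: str) -> str:
    """Post-fix header: CR/LF in the name become spaces, so the whole header
    stays on one comment line."""
    safe = name.replace("\r\n", " ").replace("\n", " ").replace("\r", " ")
    return f"-- Name: {safe}; Type: {obj_type}; Schema: public; Owner: app\n"


def quote_ident(name: str) -> str:
    """SQL identifier quoting: double the embedded double quotes. A quoted
    identifier may legally contain newlines and semicolons."""
    return '"' + name.replace('"', '""') + '"'


def build_dump(name: str, comment_fn) -> str:
    """Constructed one-table dump fragment: header comment, then the DDL."""
    return comment_fn(name, "TABLE") + f"CREATE TABLE public.{quote_ident(name)} (id integer);\n"


def split_statements(sql: str) -> list[str]:
    """Minimal splitter in the spirit of psql (not psql's real lexer):
    '--' outside quotes starts a comment that runs to end of line, a
    double-quoted identifier may contain anything, and ';' outside quotes
    ends a statement."""
    statements, buf = [], []
    in_ident = False
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if in_ident:
            buf.append(ch)
            if ch == '"':
                if i + 1 < n and sql[i + 1] == '"':  # doubled quote = literal quote
                    buf.append('"')
                    i += 1
                else:
                    in_ident = False
        elif ch == '"':
            in_ident = True
            buf.append(ch)
        elif sql.startswith("--", i):
            end = sql.find("\n", i)          # the comment ends at the newline...
            i = n if end == -1 else end      # ...which is kept, so the next line is SQL again
            continue
        elif ch == ";":
            stmt = "".join(buf).strip()
            if stmt:
                statements.append(stmt)
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        statements.append(tail)
    return statements


def restore(name: str, comment_fn) -> list[str]:
    """Statements a restore would execute for a dump of one table called `name`."""
    return split_statements(build_dump(name, comment_fn))


# Constructed hostile object name: a user allowed to create objects can pick a
# name like this; the newline breaks out of the dump comment and the trailing
# '--' hides the rest of the header line.
INJECTED_NAME = "widgets\nDROP TABLE accounts; --"


if __name__ == "__main__":
    print("vulnerable:", restore(INJECTED_NAME, name_comment_vulnerable))
    print("fixed:     ", restore(INJECTED_NAME, name_comment_fixed))
```

With the vulnerable header the restore runs `DROP TABLE accounts` before the `CREATE TABLE`; with the fixed header only the `CREATE TABLE` runs, and the odd name survives intact inside its double quotes. A quick check against a real dump from the updated packages is to create a table with such a name as a non-superuser, run pg_dump, and confirm that no "-- Name:" line is followed by SQL that did not come from the DDL.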
update pushed
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED