Mandriva has issued an advisory on August 19: http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:139 This has already been fixed in Cauldron.
CC: (none) => nanardon
Whiteboard: (none) => MGA1TOO
Assignee: fundawang => nanardon
I just submitted the latest version of postgresql in update_testing for both mga 1 and 2.

Suggested advisory:
========================

Latest version of postgresql, including fixes for CVE-2012-3488 and CVE-2012-3489

The Postgresql team provides a new version of the postgresql server fixing various bugs and multiple vulnerabilities.

Prevent access to external files/URLs via contrib/xml2's xslt_process() (Peter Eisentraut).
libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options (CVE-2012-3488).
Also, remove xslt_process()'s ability to fetch documents and stylesheets from external files/URLs. While this was a documented feature, it was long regarded as a bad idea. The fix for CVE-2012-3489 broke that capability, and rather than expend effort on trying to fix it, we're just going to summarily remove it.

Prevent access to external files/URLs via XML entity references (Noah Misch, Tom Lane).
xml_parse() would attempt to fetch external files or URLs as needed to resolve DTD and entity references in an XML value, thus allowing unprivileged database users to attempt to fetch data with the privileges of the database server. While the external data wouldn't get returned directly to the user, portions of it could be exposed in error messages if the data didn't parse as valid XML; and in any case the mere ability to check existence of a file might be useful to an attacker (CVE-2012-3489).

Provided versions are:
for postgresql8.4: 8.4.13
for postgresql9.0: 9.0.9
for postgresql9.1: 9.1.5 (mga 2 only)
==========
QA Contact: (none) => qa-bugs
Assignee: nanardon => qa-bugs
QA Contact: qa-bugs => (none)
Thanks Olivier!

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3489
http://www.postgresql.org/docs/8.4/static/release-8-4-13.html
http://www.postgresql.org/docs/9.0/static/release-9-0-9.html
http://www.postgresql.org/docs/9.1/static/release-9-1-5.html
http://www.postgresql.org/about/news/1407/
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:139

SRPMS:
postgresql8.4-8.4.13-1.mga1
postgresql9.0-9.0.9-1.mga1
postgresql8.4-8.4.12-1.mga2
postgresql9.0-9.0.9-1.mga2
postgresql9.1-9.1.5-1.mga2
On Mageia 1 i586, postgresql9.0 works fine.
CC: (none) => stormi
Does postgresql come with a test suite that we could execute? And is there a test suite executed during build?
I am not sure there are tests embedded with the software itself. But there are some that are always executed successfully during rpm build. By experience, I never saw an upstream postgresql update breaking something.
Severity: normal => major
Simple procedure here once webmin has been configured properly https://bugs.mageia.org/show_bug.cgi?id=6334#c2
Hardware: i586 => All
Whiteboard: MGA1TOO => MGA1TOO has_procedure
No public PoCs that I can see so just testing functionality.
Testing Mageia 2 x86_64
Listing rpms for reference..

$ ./srpm postgresql9.1 "Core Updates Testing"
Media: Core Updates Testing
SRPM: postgresql9.1-9.1.5-1.mga2.src.rpm
----------------------------------------
lib64ecpg9.1_6
lib64pq9.1_5
postgresql9.1-contrib
postgresql9.1-devel
postgresql9.1-docs
postgresql9.1-plperl
postgresql9.1-plpgsql
postgresql9.1-pl
postgresql9.1-plpython
postgresql9.1-pltcl
postgresql9.1
postgresql9.1-server

$ ./srpm postgresql9.0 "Core Updates Testing"
Media: Core Updates Testing
SRPM: postgresql9.0-9.0.9-1.mga2.src.rpm
----------------------------------------
lib64ecpg9.0_6
lib64pq9.0_5
postgresql9.0-contrib
postgresql9.0-devel
postgresql9.0-docs
postgresql9.0-plperl
postgresql9.0-plpgsql
postgresql9.0-pl
postgresql9.0-plpython
postgresql9.0-pltcl
postgresql9.0
postgresql9.0-server

$ ./srpm postgresql8.4 "Core Updates Testing"
Media: Core Updates Testing
SRPM: postgresql8.4-8.4.12-1.mga2.src.rpm
-----------------------------------------
lib64ecpg8.4_6
lib64pq8.4_5
postgresql8.4-contrib
postgresql8.4-devel
postgresql8.4-docs
postgresql8.4-plperl
postgresql8.4-plpgsql
postgresql8.4-pl
postgresql8.4-plpython
postgresql8.4-pltcl
postgresql8.4
postgresql8.4-server
Created attachment 2667 [details] example webmin configuration for postgresql module
It appears the version of postgresql8.4 in mga2 testing is the same as that in updates. Olivier could you check please. Thanks.
Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure feedback
Indeed, dunno what happened but I made a mistake for sure. 8.4.13 is submitted.
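The 8.4.12-vs-8.4.13 slip above was caught by eye when comparing the SRPM list against the advisory. As an added example (not part of this bug, and not code from the postgresql packages or the Mageia QA tools), here is a small Python check that pulls the x.y.z version out of either an rpm/srpm name or the output of `SELECT version()` and compares it with the minimum fixed release per branch that the advisory lists (8.4.13, 9.0.9, 9.1.5). The fixed-version table is taken from the advisory text in this bug; the sample input is constructed from the SRPM names in the thread plus one made-up line for a branch the advisory does not cover, and the helper names are my own.

```python
"""Version check for the postgresql update: is a given build at or above
the upstream release that fixes CVE-2012-3488 / CVE-2012-3489?

Added example, not part of the Mageia bug or the postgresql packages.
The FIXED table comes from the advisory text in this bug; the sample
input below is constructed from the SRPM names in the thread.
"""
import re

# Minimum fixed upstream version per branch (from the advisory).
FIXED = {
    (8, 4): (8, 4, 13),
    (9, 0): (9, 0, 9),
    (9, 1): (9, 1, 5),
}

# First dotted x.y.z triple delimited by word boundaries. In an rpm name
# such as postgresql8.4-8.4.12-1.mga2 the "8.4" in the package name is
# glued to "postgresql" (no word boundary before the 8), so the first
# hit is the real version field 8.4.12; in `SELECT version()` output it
# is the number following "PostgreSQL".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return (major, minor, patch) from a version() string or an rpm/srpm
    name, or None when no x.y.z triple is present."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_fixed(version):
    """True if version >= the fixed release for its branch, False if it is
    older, None if the advisory does not cover that branch at all."""
    branch = version[:2]
    if branch not in FIXED:
        return None
    return version >= FIXED[branch]


def audit(lines):
    """Classify each line as ok / VULNERABLE / unknown-branch / no-version."""
    results = []
    for line in lines:
        version = parse_version(line)
        if version is None:
            status = "no-version"
        else:
            fixed = is_fixed(version)
            if fixed is None:
                status = "unknown-branch"
            elif fixed:
                status = "ok"
            else:
                status = "VULNERABLE"
        results.append((line, version, status))
    return results


# Constructed sample: the SRPM list from the QA comment (including the
# 8.4.12 slip that had to be respun), one version() line, a made-up
# branch the advisory does not list, and a subpackage name with no
# version in it.
SAMPLE = [
    "postgresql8.4-8.4.13-1.mga1",
    "postgresql9.0-9.0.9-1.mga1",
    "postgresql8.4-8.4.12-1.mga2",
    "postgresql9.0-9.0.9-1.mga2",
    "postgresql9.1-9.1.5-1.mga2",
    "PostgreSQL 9.1.5 on x86_64-mageia-linux-gnu, compiled by gcc, 64-bit",
    "postgresql8.3-8.3.20-1.mga1",
    "postgresql9.1-contrib",
]

if __name__ == "__main__":
    for line, version, status in audit(SAMPLE):
        shown = ".".join(map(str, version)) if version else "-"
        print(f"{status:15} {shown:8} {line}")
```

Feed it the SRPM names from the `./srpm` listing (or the `version()` string from psql on the test box) and anything that does not come back "ok" needs a second look; "unknown-branch" deliberately refuses to vouch for a branch the advisory says nothing about rather than guessing.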
Thank you :) Testing complete mga2 x86_64 for postgresql9.1 and postgresql9.0 in the meantime.
Whiteboard: MGA1TOO has_procedure feedback => MGA1TOO has_procedure
Tested postgresql8.4 now too so testing complete mga2 x86_64

Tested using webmin.
Start the webmin service and log in at https://localhost:10000
Edit the postgresql module configuration as required
Allow it to start the postgresql server
Create a new database and click on it to enter it.
Click Execute SQL
Select the Run SQL from file tab
Select the world.sql file from bug 6334 and click OK
View the data in the tables it creates

To install a different postgresql version.. eg. 8.4 to 9.1

# urpme -a postgresql8.4 postgresql8.4-server
removing postgresql8.4-8.4.13-1.mga2.x86_64 postgresql8.4-server-8.4.13-1.mga2.x86_64
postgresql.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig postgresql off
removing package postgresql8.4-server-8.4.13-1.mga2.x86_64
removing package postgresql8.4-8.4.13-1.mga2.x86_64
# rm -rf /var/lib/pgsql
# urpmi postgresql9.1 postgresql9.1-server lib64pq9.1_5
The following package has to be removed for others to be upgraded:
lib64pq8.4_5-8.4.13-1.mga2.x86_64
 (due to conflicts with lib64pq9.1_5-9.1.5-1.mga2.x86_64) (y/N) y
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Updates Testing")
  lib64pq9.1_5                   9.1.5        1.mga2        x86_64
  postgresql9.1                  9.1.5        1.mga2        x86_64
  postgresql9.1-plpgsql          9.1.5        1.mga2        x86_64
  postgresql9.1-server           9.1.5        1.mga2        x86_64
22MB of additional disk space will be used.
4.4MB of packages will be retrieved.
Proceed with the installation of the 4 packages? (Y/n) y
Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure mga2-64-OK
Postgresql 9.1.5 works ok on Mageia 2 x86_64. Tested with webmin.
CC: (none) => ed_rus099
I will test now all the 3 versions on Mageia 2 x86/i586 with webmin.
Testing Mageia 1 i586 and x86-64
CC: (none) => davidwhodgins
Testing complete on Mageia 1 i586 for the srpms postgresql8.4-8.4.13-1.mga1.src.rpm postgresql9.0-9.0.9-1.mga1.src.rpm Just to clarify, the procedure used, was to configure webmin as per attachment 2667 [details], then, with postgresql and webmin running, use webmin to create the World database, select the World database, and run the sql from a file, from http://pgfoundry.org/frs/download.php/527/world-1.0.tar.gz to create and load the tables, then use webmin to view the data in the tables. Testing Mageia 1 x86-64 shortly.
Testing complete on Mageia 1 x86-64.
Whiteboard: MGA1TOO has_procedure mga2-64-OK => MGA1TOO has_procedure mga2-64-OK MGA1-32-OK MGA1-64-OK
Just finished testing. All the versions work ok on Mageia 2 x86/i586. I created tables, DB, deleted them, etc..

Versions tested:
postgresql8.4-8.4.13-1.mga2.src.rpm and .12 by mistake.
postgresql9.0-9.0.9-1.mga2.src.rpm
postgresql9.1-9.1.5-1.mga2.src.rpm
Whiteboard: MGA1TOO has_procedure mga2-64-OK MGA1-32-OK MGA1-64-OK => MGA1TOO has_procedure mga2-64-OK MGA1-32-OK MGA1-64-OK MGA2-32-OK
Thanks Eduard. Validating.

Suggested advisory:
========================

Latest version of postgresql, including fixes for CVE-2012-3488 and CVE-2012-3489

The Postgresql team provides a new version of the postgresql server fixing various bugs and multiple vulnerabilities.

Prevent access to external files/URLs via contrib/xml2's xslt_process() (Peter Eisentraut).
libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options (CVE-2012-3488).
Also, remove xslt_process()'s ability to fetch documents and stylesheets from external files/URLs. While this was a documented feature, it was long regarded as a bad idea. The fix for CVE-2012-3489 broke that capability, and rather than expend effort on trying to fix it, we're just going to summarily remove it.

Prevent access to external files/URLs via XML entity references (Noah Misch, Tom Lane).
xml_parse() would attempt to fetch external files or URLs as needed to resolve DTD and entity references in an XML value, thus allowing unprivileged database users to attempt to fetch data with the privileges of the database server. While the external data wouldn't get returned directly to the user, portions of it could be exposed in error messages if the data didn't parse as valid XML; and in any case the mere ability to check existence of a file might be useful to an attacker (CVE-2012-3489).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3489
http://www.postgresql.org/docs/8.4/static/release-8-4-13.html
http://www.postgresql.org/docs/9.0/static/release-9-0-9.html
http://www.postgresql.org/docs/9.1/static/release-9-1-5.html
http://www.postgresql.org/about/news/1407/
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:139
==============================

SRPMS:
postgresql8.4-8.4.13-1.mga1
postgresql9.0-9.0.9-1.mga1
postgresql8.4-8.4.13-1.mga2
postgresql9.0-9.0.9-1.mga2
postgresql9.1-9.1.5-1.mga2

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0242
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED