The PostgreSQL Global Development Group has released a security update to all current versions of the PostgreSQL database system, including versions 9.2.3, 9.1.8, 9.0.12, 8.4.16, and 8.3.23. This update fixes a denial-of-service (DOS) vulnerability. All users should update their PostgreSQL installations as soon as possible. The security issue fixed in this release, CVE-2013-0255, allows a previously authenticated user to crash the server by calling an internal function with invalid arguments. This issue was discovered by independent security researcher Sumit Soni this week and reported via Secunia SVCRP, and we are grateful for their efforts in making PostgreSQL more secure.
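A defender-side version check built from the fix releases named in the announcement above, as an added example that is not part of this bug report or of PostgreSQL itself: it parses version strings (including Mageia RPM-style ones such as 8.4.16-1.mga2) and classifies an inventory as fixed or vulnerable per branch. The branch table comes from the announcement; the hostnames and versions in the sample inventory are constructed.

```python
import re

# First release in each supported branch containing the CVE-2013-0255 fix,
# as listed in the PostgreSQL announcement quoted above.
FIXED_VERSIONS = {
    "9.2": (9, 2, 3),
    "9.1": (9, 1, 8),
    "9.0": (9, 0, 12),
    "8.4": (8, 4, 16),
    "8.3": (8, 3, 23),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse 'major.minor.patch'; a trailing RPM release like '-1.mga2' is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised PostgreSQL version: %r" % text)
    return tuple(int(g) for g in m.groups())


def is_fixed(version):
    """True if the server version is at or above its branch's fix release.

    Branches missing from FIXED_VERSIONS got no fix release in this
    announcement, so they are reported as not fixed.
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get("%d.%d" % (major, minor))
    return fixed is not None and (major, minor, patch) >= fixed


def audit(inventory):
    """Map host -> 'fixed' or 'vulnerable' for a {host: version} inventory."""
    return {h: ("fixed" if is_fixed(v) else "vulnerable") for h, v in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "db1": "9.1.8",          # the mga2 update from this bug
    "db2": "9.1.7",          # one patch release short of the fix
    "db3": "8.4.16-1.mga2",  # RPM-style version string
    "db4": "8.2.23",         # branch not covered by the announcement
}

if __name__ == "__main__":
    for host, state in sorted(audit(SAMPLE_INVENTORY).items()):
        print(host, state)
```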
Testing procedure here, once webmin is configured: https://bugs.mageia.org/show_bug.cgi?id=6334#c2

Use webmin to run the SQL from http://pgfoundry.org/frs/download.php/527/world-1.0.tar.gz to create the tables, and view the data. Delete /var/lib/pgsql before starting the next version for testing.

postgresql8.4-8.4.16-1.mga2
postgresql9.0-9.0.12-1.mga2
postgresql9.1-9.1.8-1.mga2

SRPM: postgresql8.4-8.4.16-1.mga2.src.rpm
-----------------------------------------
lib64ecpg8.4_6
lib64pq8.4_5
postgresql8.4-contrib
postgresql8.4-devel
postgresql8.4-docs
postgresql8.4-plperl
postgresql8.4-plpgsql
postgresql8.4-pl
postgresql8.4-plpython
postgresql8.4-pltcl
postgresql8.4
postgresql8.4-server

SRPM: postgresql9.0-9.0.12-1.mga2.src.rpm
-----------------------------------------
lib64ecpg9.0_6
lib64pq9.0_5
postgresql9.0-contrib
postgresql9.0-devel
postgresql9.0-docs
postgresql9.0-plperl
postgresql9.0-plpgsql
postgresql9.0-pl
postgresql9.0-plpython
postgresql9.0-pltcl
postgresql9.0
postgresql9.0-server

SRPM: postgresql9.1-9.1.8-1.mga2.src.rpm
----------------------------------------
lib64ecpg9.1_6
lib64pq9.1_5
postgresql9.1-contrib
postgresql9.1-devel
postgresql9.1-docs
postgresql9.1-plperl
postgresql9.1-plpgsql
postgresql9.1-pl
postgresql9.1-plpython
postgresql9.1-pltcl
postgresql9.1
postgresql9.1-server

Adding David in case he wants to add to the advisory.
CC: (none) => luigiwalser
Whiteboard: (none) => has_procedure
Fedora has issued an advisory for this on February 8: http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098586.html

If you want to use the slightly more condensed advisory from their bugzilla, here it is.

Advisory:
========================

Updated postgresql packages fix security vulnerability:

An array index error, leading to out of heap-based buffer bounds read flaw was found in the way PostgreSQL, an advanced Object-Relational database management system (DBMS), performed retrieval of textual form of error message representation when processing certain enumeration types. An unprivileged database user could issue a specially-crafted SQL query that, when processed by the server component of the PostgreSQL service, would lead to denial of service (daemon crash) or disclosure (of certain portions of) server memory (CVE-2013-0255).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0255
http://www.postgresql.org/about/news/1446/
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098586.html
URL: http://www.postgresql.org/about/news/1446/ => http://lwn.net/Vulnerabilities/537358/
Testing complete mga2 64 Postgresql8.4, 9.0 & 9.1
Whiteboard: has_procedure => has_procedure mga2-64-ok
Testing mga2 32 also
Testing complete mga2 32

Validating SRPMs:
postgresql8.4-8.4.16-1.mga2
postgresql9.0-9.0.12-1.mga2
postgresql9.1-9.1.8-1.mga2

Advisory in comment 2

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok
Update pushed; https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0049
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED