Bug 8997 - [Update Request] Postgresql packages to fix CVE-2013-0255
Summary: [Update Request] Postgresql packages to fix CVE-2013-0255
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/537358/
Whiteboard: has_procedure mga2-64-ok mga2-32-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-02-08 09:36 CET by Funda Wang
Modified: 2013-02-13 00:57 CET (History)
3 users (show)

See Also:
Source RPM: postgresql9.1-9.1.8-1.mga2, postgresql9.0-9.0.12-1.mga2, postgresql8.4-8.4.16-1.mga2
CVE:
Status comment:


Attachments

Description Funda Wang 2013-02-08 09:36:25 CET
The PostgreSQL Global Development Group has released a security update to all current versions of the PostgreSQL database system, including versions 9.2.3, 9.1.8, 9.0.12, 8.4.16, and 8.3.23. This update fixes a denial-of-service (DOS) vulnerability. All users should update their PostgreSQL installations as soon as possible.

The security issue fixed in this release, CVE-2013-0255, allows a previously authenticated user to crash the server by calling an internal function with invalid arguments. This issue was discovered by independent security researcher Sumit Soni this week and reported via Secunia SVCRP, and we are grateful for their efforts in making PostgreSQL more secure.
Comment 1 claire robinson 2013-02-08 10:40:47 CET
Testing procedure here, once webmin is configured.
https://bugs.mageia.org/show_bug.cgi?id=6334#c2

Use webmin to run the sql from
http://pgfoundry.org/frs/download.php/527/world-1.0.tar.gz
to create the tables, and view the data.

Delete /var/lib/pgsql before starting the next
version for testing.

postgresql8.4-8.4.16-1.mga2
postgresql9.0-9.0.12-1.mga2
postgresql9.1-9.1.8-1.mga2

SRPM: postgresql8.4-8.4.16-1.mga2.src.rpm
-----------------------------------------
lib64ecpg8.4_6
lib64pq8.4_5
postgresql8.4-contrib
postgresql8.4-devel
postgresql8.4-docs
postgresql8.4-plperl
postgresql8.4-plpgsql
postgresql8.4-pl
postgresql8.4-plpython
postgresql8.4-pltcl
postgresql8.4
postgresql8.4-server


SRPM: postgresql9.0-9.0.12-1.mga2.src.rpm
-----------------------------------------
lib64ecpg9.0_6
lib64pq9.0_5
postgresql9.0-contrib
postgresql9.0-devel
postgresql9.0-docs
postgresql9.0-plperl
postgresql9.0-plpgsql
postgresql9.0-pl
postgresql9.0-plpython
postgresql9.0-pltcl
postgresql9.0
postgresql9.0-server


SRPM: postgresql9.1-9.1.8-1.mga2.src.rpm
----------------------------------------
lib64ecpg9.1_6
lib64pq9.1_5
postgresql9.1-contrib
postgresql9.1-devel
postgresql9.1-docs
postgresql9.1-plperl
postgresql9.1-plpgsql
postgresql9.1-pl
postgresql9.1-plpython
postgresql9.1-pltcl
postgresql9.1
postgresql9.1-server

Adding David in case he wants to add to the advisory.

CC: (none) => luigiwalser

claire robinson 2013-02-08 11:16:09 CET

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2013-02-11 22:48:44 CET
Fedora has issued an advisory for this on February 8:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098586.html

If you want to use the slightly more condensed advisory from their bugzilla,
here it is.

Advisory:
========================

Updated postgresql packages fix security vulnerability:

An array index error, leading to out of heap-based buffer bounds read flaw was
found in the way PostgreSQL, an advanced Object-Relational database management
system (DBMS), performed retrieval of textual form of error message
representation when processing certain enumeration types. An unprivileged
database user could issue a specially-crafted SQL query that, when processed
by the server component of the PostgreSQL service, would lead to denial of
service (daemon crash) or disclosure (of certain portions of) server memory
(CVE-2013-0255).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0255
http://www.postgresql.org/about/news/1446/
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098586.html

URL: http://www.postgresql.org/about/news/1446/ => http://lwn.net/Vulnerabilities/537358/

Comment 3 claire robinson 2013-02-12 13:56:35 CET
Testing complete mga2 64

Postgresql8.4, 9.0 & 9.1

Whiteboard: has_procedure => has_procedure mga2-64-ok

Comment 4 claire robinson 2013-02-12 14:02:01 CET
Testing mga2 32 also
Comment 5 claire robinson 2013-02-12 14:48:30 CET
Testing complete mga2 32

Validating

SRPMs:
postgresql8.4-8.4.16-1.mga2
postgresql9.0-9.0.12-1.mga2
postgresql9.1-9.1.8-1.mga2

Advisory in comment 2

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok

Comment 6 Thomas Backlund 2013-02-13 00:57:13 CET
Update pushed;
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0049

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.