Bug 9617 - postgresql new security issues fixed upstream
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://www.postgresql.org/about/news/...
Whiteboard: has_procedure, MGA2-32-OK, MGA2-64-OK
Keywords: validated_update

Reported: 2013-04-04 18:58 CEST by David Walser
Modified: 2013-04-06 15:29 CEST (History)

Source RPM: postgresql9.1, postgresql9.0, postgresql8.4

Description David Walser 2013-04-04 18:58:49 CEST
Upstream has issued an advisory today (April 4):
http://www.postgresql.org/about/news/1456/

LWN references:
http://lwn.net/Vulnerabilities/545981/
http://lwn.net/Vulnerabilities/545983/
http://lwn.net/Vulnerabilities/545984/

Mageia 2 is also affected.

Comment 1 David Walser 2013-04-05 14:32:01 CEST
Fixed in Cauldron:
postgresql8.4-8.4.17-1.mga3
postgresql9.0-9.0.13-1.mga3
postgresql9.1-9.1.9-1.mga3
postgresql9.2-9.2.4-1.mga3
Comment 2 David Walser 2013-04-05 14:46:22 CEST
Updated packages uploaded for Mageia 2.  Thanks Funda!

Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x
before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a
denial of service (file corruption), and allows remote authenticated users
to modify configuration settings and execute arbitrary code, via a
connection request using a database name that begins with a "-" (hyphen)
(CVE-2013-1899).

PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and
8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random
numbers, which might allow remote authenticated users to have an unspecified
impact via vectors related to the "contrib/pgcrypto functions"
(CVE-2013-1900).

PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check
REPLICATION privileges, which allows remote authenticated users to bypass
intended backup restrictions by calling the (1) pg_start_backup or (2)
pg_stop_backup functions (CVE-2013-1901).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901
http://www.postgresql.org/about/news/1456/
http://www.ubuntu.com/usn/usn-1789-1/
========================

Updated packages in core/updates_testing:
========================
postgresql8.4-8.4.17-1.mga2
libpq8.4_5-8.4.17-1.mga2
libecpg8.4_6-8.4.17-1.mga2
postgresql8.4-server-8.4.17-1.mga2
postgresql8.4-docs-8.4.17-1.mga2
postgresql8.4-contrib-8.4.17-1.mga2
postgresql8.4-devel-8.4.17-1.mga2
postgresql8.4-pl-8.4.17-1.mga2
postgresql8.4-plpython-8.4.17-1.mga2
postgresql8.4-plperl-8.4.17-1.mga2
postgresql8.4-pltcl-8.4.17-1.mga2
postgresql8.4-plpgsql-8.4.17-1.mga2
postgresql9.0-9.0.13-1.mga2
libpq9.0_5-9.0.13-1.mga2
libecpg9.0_6-9.0.13-1.mga2
postgresql9.0-server-9.0.13-1.mga2
postgresql9.0-docs-9.0.13-1.mga2
postgresql9.0-contrib-9.0.13-1.mga2
postgresql9.0-devel-9.0.13-1.mga2
postgresql9.0-pl-9.0.13-1.mga2
postgresql9.0-plpython-9.0.13-1.mga2
postgresql9.0-plperl-9.0.13-1.mga2
postgresql9.0-pltcl-9.0.13-1.mga2
postgresql9.0-plpgsql-9.0.13-1.mga2
postgresql9.1-9.1.9-1.mga2
libpq9.1_5-9.1.9-1.mga2
libecpg9.1_6-9.1.9-1.mga2
postgresql9.1-server-9.1.9-1.mga2
postgresql9.1-docs-9.1.9-1.mga2
postgresql9.1-contrib-9.1.9-1.mga2
postgresql9.1-devel-9.1.9-1.mga2
postgresql9.1-pl-9.1.9-1.mga2
postgresql9.1-plpython-9.1.9-1.mga2
postgresql9.1-plperl-9.1.9-1.mga2
postgresql9.1-pltcl-9.1.9-1.mga2
postgresql9.1-plpgsql-9.1.9-1.mga2

from SRPMS:
postgresql8.4-8.4.17-1.mga2.src.rpm
postgresql9.0-9.0.13-1.mga2.src.rpm
postgresql9.1-9.1.9-1.mga2.src.rpm
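As an added example (not part of the bug report, the upstream advisory or the Mageia packages), the following Python helper turns the advisory in comment 2 into a triage check: given a running server's version string or an installed package's name-version-release, it reports which of CVE-2013-1899, CVE-2013-1900 and CVE-2013-1901 still apply. The fixed-version table and the per-CVE branch lists are copied from the advisory text; the function names, the NVR parsing rule and the sample package names in the `__main__` block are constructed for this example.

```python
# Added example: triage helper for the three PostgreSQL CVEs in the advisory.
# Fixed versions and affected branches come from the advisory text; everything
# else (helper names, parsing rules, sample inputs) is constructed here.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Branch -> first release carrying the fixes, per the advisory.
FIXED_IN: Dict[str, Version] = {
    "8.4": (8, 4, 17),
    "9.0": (9, 0, 13),
    "9.1": (9, 1, 9),
    "9.2": (9, 2, 4),
}

# CVE -> branches the advisory lists as affected.
AFFECTED_BRANCHES: Dict[str, Tuple[str, ...]] = {
    "CVE-2013-1899": ("9.0", "9.1", "9.2"),         # argument injection via "-" database name
    "CVE-2013-1900": ("8.4", "9.0", "9.1", "9.2"),  # insufficiently random numbers (pgcrypto, OpenSSL builds)
    "CVE-2013-1901": ("9.1", "9.2"),                # REPLICATION privilege not checked
}


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' from strings such as '9.1.8' or 'PostgreSQL 9.1.8'."""
    token = text.strip().split()[-1]
    parts = token.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PostgreSQL version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def version_from_rpm(nvr: str) -> Version:
    """Extract the upstream version from a name-version-release string such as
    'postgresql9.1-server-9.1.9-1.mga2' or 'libpq9.1_5-9.1.9-1.mga2'.
    Package names may contain dashes, so the version is taken as the
    second-to-last dash-separated field (constructed rule for this example)."""
    if nvr.endswith(".src.rpm"):
        nvr = nvr[: -len(".src.rpm")]
    fields = nvr.split("-")
    if len(fields) < 3:
        raise ValueError(f"not a name-version-release string: {nvr!r}")
    return parse_version(fields[-2])


def applicable_cves(version: Version) -> Optional[List[str]]:
    """CVEs from the advisory that apply to this version.

    Returns [] when the release already carries the fixes, and None when the
    branch is not one the advisory covers (the advisory says nothing about it)."""
    branch = f"{version[0]}.{version[1]}"
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        return None
    if version >= fixed:
        return []
    return [cve for cve, branches in AFFECTED_BRANCHES.items() if branch in branches]


def triage(installed: List[str]) -> Dict[str, Optional[List[str]]]:
    """Map each installed NVR to its applicable CVEs (None for uncovered branches)."""
    return {nvr: applicable_cves(version_from_rpm(nvr)) for nvr in installed}


if __name__ == "__main__":
    # Constructed sample: two pre-fix builds, one fixed build taken from the bug.
    sample = [
        "postgresql9.1-server-9.1.8-1.mga2",
        "postgresql8.4-server-8.4.16-1.mga2",
        "postgresql9.0-server-9.0.13-1.mga2",
    ]
    for nvr, cves in triage(sample).items():
        status = "not covered by this advisory" if cves is None else (cves or "fixed")
        print(nvr, "->", status)
```

The distinction between an empty list (release already carries the fixes) and `None` (branch the advisory does not mention) matters in practice: an unlisted branch such as 8.3 is not "safe", it is simply outside what this advisory states, and must be checked against its own release notes.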
Comment 3 claire robinson 2013-04-05 15:50:10 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=8997#c1

Testing mga2 32
Comment 4 claire robinson 2013-04-05 17:00:34 CEST
Testing complete mga2 32
Comment 5 Marc Lattemann 2013-04-05 23:39:28 CEST
Testing complete for 9.1, 9.0 and 8.4 using the procedure from comment 3 on x86_64.

Validating updates.

See comment 2 for advisory and SRPMS.

Could sysadmin push packages to Updates?
Comment 6 Thomas Backlund 2013-04-06 15:29:25 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0112
