Upstream has issued an advisory today (April 4): http://www.postgresql.org/about/news/1456/ LWN references: http://lwn.net/Vulnerabilities/545981/ http://lwn.net/Vulnerabilities/545983/ http://lwn.net/Vulnerabilities/545984/ Mageia 2 is also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA2TOO
Fixed in Cauldron: postgresql8.4-8.4.17-1.mga3 postgresql9.0-9.0.13-1.mga3 postgresql9.1-9.1.9-1.mga3 postgresql9.2-9.2.4-1.mga3
Version: Cauldron => 2Whiteboard: MGA2TOO => (none)
Updated packages uploaded for Mageia 2. Thanks Funda! Advisory: ======================== Updated postgresql packages fix security vulnerabilities: Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen) (CVE-2013-1899). PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the "contrib/pgcrypto functions" (CVE-2013-1900). PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions (CVE-2013-1901). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901 http://www.postgresql.org/about/news/1456/ http://www.ubuntu.com/usn/usn-1789-1/ ======================== Updated packages in core/updates_testing: ======================== postgresql8.4-8.4.17-1.mga2 libpq8.4_5-8.4.17-1.mga2 libecpg8.4_6-8.4.17-1.mga2 postgresql8.4-server-8.4.17-1.mga2 postgresql8.4-docs-8.4.17-1.mga2 postgresql8.4-contrib-8.4.17-1.mga2 postgresql8.4-devel-8.4.17-1.mga2 postgresql8.4-pl-8.4.17-1.mga2 postgresql8.4-plpython-8.4.17-1.mga2 postgresql8.4-plperl-8.4.17-1.mga2 postgresql8.4-pltcl-8.4.17-1.mga2 postgresql8.4-plpgsql-8.4.17-1.mga2 postgresql9.0-9.0.13-1.mga2 libpq9.0_5-9.0.13-1.mga2 libecpg9.0_6-9.0.13-1.mga2 postgresql9.0-server-9.0.13-1.mga2 postgresql9.0-docs-9.0.13-1.mga2 postgresql9.0-contrib-9.0.13-1.mga2 postgresql9.0-devel-9.0.13-1.mga2 postgresql9.0-pl-9.0.13-1.mga2 postgresql9.0-plpython-9.0.13-1.mga2 postgresql9.0-plperl-9.0.13-1.mga2 postgresql9.0-pltcl-9.0.13-1.mga2 postgresql9.0-plpgsql-9.0.13-1.mga2 postgresql9.1-9.1.9-1.mga2 libpq9.1_5-9.1.9-1.mga2 libecpg9.1_6-9.1.9-1.mga2 postgresql9.1-server-9.1.9-1.mga2 postgresql9.1-docs-9.1.9-1.mga2 postgresql9.1-contrib-9.1.9-1.mga2 postgresql9.1-devel-9.1.9-1.mga2 postgresql9.1-pl-9.1.9-1.mga2 postgresql9.1-plpython-9.1.9-1.mga2 postgresql9.1-plperl-9.1.9-1.mga2 postgresql9.1-pltcl-9.1.9-1.mga2 postgresql9.1-plpgsql-9.1.9-1.mga2 from SRPMS: postgresql8.4-8.4.17-1.mga2.src.rpm postgresql9.0-9.0.13-1.mga2.src.rpm postgresql9.1-9.1.9-1.mga2.src.rpm
CC: (none) => fundawangAssignee: fundawang => qa-bugsSeverity: normal => critical
Procedure: https://bugs.mageia.org/show_bug.cgi?id=8997#c1 Testing mga2 32
Whiteboard: (none) => has_procedure
Testing complete mga2 32
Source RPM: postgresql9.2, postgresql9.1, postgresql9.0, postgresql8.4 => postgresql9.1, postgresql9.0, postgresql8.4Whiteboard: has_procedure => has_procedure mga2-32-OK
testing complete for 9.1, 9.0 and 8.4 using procedure from comment 3 for x86_64 validating updates. see comment 2 for advisory and SRPMS. Could sysadmin push packages to Updates?
Keywords: (none) => validated_updateWhiteboard: has_procedure mga2-32-OK => has_procedure, MGA2-32-OK, MGA2-64-OKCC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0112
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED