from URL: The ALTER ... DEPENDS ON EXTENSION sub-commands do not perform authorization checks, which can allow an unprivileged user to drop any function, procedure, materialized view, index, or trigger under certain conditions. This attack is possible if an administrator has installed an extension and an unprivileged user can CREATE, or an extension owner either executes DROP EXTENSION predictably or can be convinced to execute DROP EXTENSION. The PostgreSQL project thanks Tom Lane for reporting this problem.

Versions Affected: 9.6 - 12

Solution: upgrade postgresql packages

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1720
https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1720.html
https://security-tracker.debian.org/tracker/CVE-2020-1720
https://www.tenable.com/plugins/nessus/133700
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=b048f558dd7c26a0c630a2cff29d3d8981eaf6b9
https://www.debian.org/security/2020/dsa-4623
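As an added example, not from the bug report or the PostgreSQL project: a catalog query an administrator can run on 9.6 and later to list objects attached to an extension via ALTER ... DEPENDS ON EXTENSION whose owner differs from the extension owner, since those are exactly the objects a DROP EXTENSION would take down with it. It assumes only the standard system catalogs (pg_depend records these dependencies with deptype 'x').

```sql
-- Added example (not from the bug report or PostgreSQL): find objects that were
-- attached to an extension with ALTER ... DEPENDS ON EXTENSION but are owned by
-- a role other than the extension owner. Assumes PostgreSQL 9.6+ catalogs, where
-- such dependencies appear in pg_depend with deptype 'x' (DEPENDENCY_AUTO_EXTENSION).
WITH ext_deps AS (
    SELECT d.classid, d.objid, d.objsubid,
           e.extname, e.extowner,
           CASE d.classid
               WHEN 'pg_proc'::regclass THEN            -- functions and procedures
                   (SELECT p.proowner FROM pg_proc p WHERE p.oid = d.objid)
               WHEN 'pg_class'::regclass THEN           -- materialized views and indexes
                   (SELECT c.relowner FROM pg_class c WHERE c.oid = d.objid)
               WHEN 'pg_trigger'::regclass THEN         -- triggers have no owner of their
                   (SELECT c.relowner                   -- own; use the owning table's owner
                      FROM pg_trigger t
                      JOIN pg_class c ON c.oid = t.tgrelid
                     WHERE t.oid = d.objid)
           END AS obj_owner
    FROM pg_depend d
    JOIN pg_extension e
      ON d.refclassid = 'pg_extension'::regclass
     AND d.refobjid   = e.oid
    WHERE d.deptype = 'x'
)
SELECT pg_describe_object(classid, objid, objsubid) AS dependent_object,
       obj_owner::regrole                          AS object_owner,
       extname,
       extowner::regrole                           AS extension_owner
FROM ext_deps
WHERE obj_owner IS DISTINCT FROM extowner   -- only cross-owner attachments
ORDER BY extname, dependent_object;
```

An empty result means no object would be dropped by a DROP EXTENSION issued by someone other than its own owner; any row is worth reviewing before the extension is dropped or the server is upgraded.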
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=366e303e11e473c985f5ec470ab50cb0cc0adefe

commit 366e303e11e473c985f5ec470ab50cb0cc0adefe
Author: Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2020-02-19 12:48:39 +0000
Commit: Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2020-02-19 12:48:55 +0000

    dev-db/postgresql: Version Bump

    Versions:
    - 9.4.26
    - 9.5.21
    - 9.6.17
    - 10.12
    - 11.7
    - 12.2

    Bug: https://bugs.gentoo.org/709708
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-db/postgresql/Manifest                 |   6 +
 dev-db/postgresql/postgresql-10.12.ebuild  | 466 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-11.7.ebuild   | 468 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-12.2.ebuild   | 468 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.4.26.ebuild | 480 ++++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.5.21.ebuild | 486 ++++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.6.17.ebuild | 491 +++++++++++++++++++++++++++++
 7 files changed, 2865 insertions(+)
Please stabilize the following targets:

=dev-db/postgresql-12.2 ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-11.7 ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-10.12 ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.6.17 ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
amd64 stable
sparc stable
ppc stable
ppc64 stable
ia64 stable
x86 stable
hppa stable
arm stable
Added to an existing GLSA.
@ maintainer(s): Please explain why you don't want to stabilize =dev-db/postgresql-9.4.26 and =dev-db/postgresql-9.5.21, because previous 9.4.x and 9.5.x are also affected.
This issue was resolved and addressed in GLSA 202003-03 at https://security.gentoo.org/glsa/202003-03 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures and 9.4.x / 9.5.x.
arm64 stable
So I guess this is now pending cleanup AND handling of 9.4/9.5 series (or their cleanup)
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Starting stabilization of 9.4.x/9.5.x after maintainer timeout.
@maintainer(s), please cleanup
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b5e26ac55a72ac909ee2d830e520d7604c3097e

commit 2b5e26ac55a72ac909ee2d830e520d7604c3097e
Author: Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2020-05-13 11:37:11 +0000
Commit: Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2020-05-13 11:37:28 +0000

    dev-db/postgresql: Cleanup old, insecure

    Bug: https://bugs.gentoo.org/709708
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-db/postgresql/Manifest                    |  20 --
 dev-db/postgresql/postgresql-10.10.ebuild     | 465 ------------------------
 dev-db/postgresql/postgresql-10.11.ebuild     | 465 ------------------------
 dev-db/postgresql/postgresql-10.9.ebuild      | 465 ------------------------
 dev-db/postgresql/postgresql-11.4.ebuild      | 467 ------------------------
 dev-db/postgresql/postgresql-11.5.ebuild      | 467 ------------------------
 dev-db/postgresql/postgresql-11.6.ebuild      | 467 ------------------------
 dev-db/postgresql/postgresql-12.0.ebuild      | 467 ------------------------
 dev-db/postgresql/postgresql-12.1.ebuild      | 467 ------------------------
 dev-db/postgresql/postgresql-9.4.22-r1.ebuild | 479 -------------------------
 dev-db/postgresql/postgresql-9.4.22.ebuild    | 474 -------------------------
 dev-db/postgresql/postgresql-9.4.23.ebuild    | 479 -------------------------
 dev-db/postgresql/postgresql-9.4.24.ebuild    | 479 -------------------------
 dev-db/postgresql/postgresql-9.4.25.ebuild    | 479 -------------------------
 dev-db/postgresql/postgresql-9.5.17-r1.ebuild | 485 -------------------------
 dev-db/postgresql/postgresql-9.5.17.ebuild    | 480 -------------------------
 dev-db/postgresql/postgresql-9.5.18.ebuild    | 485 -------------------------
 dev-db/postgresql/postgresql-9.5.19.ebuild    | 485 -------------------------
 dev-db/postgresql/postgresql-9.5.20.ebuild    | 485 -------------------------
 dev-db/postgresql/postgresql-9.6.13-r1.ebuild | 490 --------------------------
 dev-db/postgresql/postgresql-9.6.13.ebuild    | 485 -------------------------
 dev-db/postgresql/postgresql-9.6.14.ebuild    | 490 --------------------------
 dev-db/postgresql/postgresql-9.6.15.ebuild    | 490 --------------------------
 dev-db/postgresql/postgresql-9.6.16.ebuild    | 490 --------------------------
 24 files changed, 11005 deletions(-)
All done, I think.
(In reply to Thomas Deutschmann from comment #13)
> @ maintainer(s): Please explain why you don't want to stabilize
> =dev-db/postgresql-9.4.26 and =dev-db/postgresql-9.5.21, because previous
> 9.4.x and 9.5.x are also affected.

Sorry for the delayed response. The reason I didn't initially include them is that neither 9.4 nor 9.5 is affected, as noted in comment #1, which is a copy of https://www.postgresql.org/about/news/2011/ But, at this point, they're now old enough to be stabilized,
Unable to check for sanity:

> no match for package: =dev-db/postgresql-9.4.26