Summary: | <dev-db/postgresql-{9.2.24,9.3.20,9.4.15,9.5.10,9.6.6} - multiple vulnerabilities (CVE-2017-{12172,15098,15099}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Aaron W. Swenson <titanofold>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | Flags: | stable-bot: sanity-check+
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://www.postgresql.org/about/news/1801/ | |
Whiteboard: | B3 [noglsa cve] | |
Package list: | | Runtime testing required: | ---
Description
Aaron W. Swenson
2017-11-09 16:24:33 UTC
Committed:

commit b7f8856d754e8ddeecde825cb4275bd48e645496 (HEAD -> master, origin/master, origin/HEAD)
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date: Thu Nov 9 11:30:20 2017 -0500

dev-db/postgresql: Security Bump (Bug 636978)

Security-related version bump to:
* 10.1
* 9.6.6
* 9.5.10
* 9.4.15
* 9.3.20
* 9.2.24

Headlines from the release announcement[1]:
* CVE-2017-12172: Start scripts permit database administrator to modify root-owned files (Gentoo is unaffected)
* CVE-2017-15098: Memory disclosure in JSON functions
* CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges

[1]: https://www.postgresql.org/about/news/1801/

Gentoo-Bug: https://bugs.gentoo.org/636978
Package-Manager: Portage-2.3.8, Repoman-2.3.3

Stabilization targets:
=dev-db/postgresql-9.6.6 ~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.5.10 ~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.4.15 ~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.3.20 ~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.2.24 ~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86

ppc/ppc64 stable

x86 stable

amd64 stable

Stable on alpha.

arm stable

@Maintainer any particular reason why hppa was not CCed in stabilization request?

HPPA and Sparc both have stable versions affected on almost every SLOT available.

Thank you,

(In reply to Christopher Díaz Riveros from comment #7)
> @Maintainer any particular reason why hppa was not CCed in stabilization
> request?
>
> HPPA and Sparc both have stable versions affected on almost every SLOT
> available.
>
> Thank you,

HPPA is pretty far behind the rest of the arches, and there was supposed to be some discussion about whether or not HPPA should be downgraded to an unstable arch right around when this was released. Looks like nothing came of it.

Just waiting on HPPA and IA64 now.
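As an added verification script, not taken from this bug or from the PostgreSQL project, the following psql session checks on a patched server that the CVE-2017-15099 condition listed in the commit message above is closed: a role holding INSERT and UPDATE but not SELECT on a table must be refused the DO UPDATE path of INSERT ... ON CONFLICT, because that path has to read the arbiter-index columns of the existing row. The role, table and constraint names are constructed for the example; it assumes a superuser session on one of the bumped versions that supports ON CONFLICT (9.5.10, 9.6.6 or 10.1), and the upstream description that the missing check concerned an arbiter given by constraint name is an assumption taken from the release notes rather than from this page.

```sql
-- Constructed example: verify that the ON CONFLICT DO UPDATE path enforces
-- SELECT privilege on a fixed PostgreSQL build (9.5.10, 9.6.6 or 10.1).
-- Run as a superuser in psql; every name below is made up for this check.
CREATE ROLE writer_only;

CREATE TABLE secrets (
    id      integer PRIMARY KEY,   -- implicit constraint name: secrets_pkey
    payload text
);
INSERT INTO secrets VALUES (1, 'hidden value');

-- Grant INSERT and UPDATE, but deliberately withhold SELECT.
GRANT INSERT, UPDATE ON secrets TO writer_only;

SET ROLE writer_only;

-- Baseline: a plain INSERT that does not touch the existing row is allowed.
INSERT INTO secrets VALUES (2, 'new row');

-- The UPDATE path must compare the incoming row against the arbiter
-- columns of the existing row, which needs SELECT on those columns.
-- Expected on a fixed build: "permission denied for relation secrets"
-- (the exact wording of the error varies between major versions).
-- If this statement succeeds instead, the server is still unpatched.
INSERT INTO secrets VALUES (1, 'overwrite')
    ON CONFLICT ON CONSTRAINT secrets_pkey
    DO UPDATE SET payload = EXCLUDED.payload;

RESET ROLE;

-- Clean up the constructed objects.
DROP TABLE secrets;
DROP ROLE writer_only;
```

Run the script with `psql -f` against the updated instance; with psql's default error handling the failing INSERT is reported and the cleanup statements still execute. The same check with `ON CONFLICT (id)` instead of `ON CONSTRAINT secrets_pkey` should be refused on both old and new builds, so the constraint-name form is the one that distinguishes a patched server from an unpatched one.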
=dev-db/postgresql-9.6.6 ~hppa ~ia64
=dev-db/postgresql-9.5.10 ~hppa ~ia64
=dev-db/postgresql-9.4.15 ~hppa ~ia64
=dev-db/postgresql-9.3.20 ~hppa ~ia64
=dev-db/postgresql-9.2.24 ~hppa ~ia64

An automated check of this bug failed - repoman reported dependency errors (35 lines truncated):
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.3.20.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
An automated check of this bug succeeded - the previous repoman errors are now resolved.

sparc stable (thanks to Rolf Eike Beer)

ia64 stable

@security, Adjusting Severity to agree with Whiteboard.

Gentoo Security Padawan (Jmbailey/mbailey_j)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=850efe2a5700c2ba30f9e9860dd83143cf15da34

commit 850efe2a5700c2ba30f9e9860dd83143cf15da34
Author: Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-02-11 15:54:10 +0000
Commit: Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-02-11 15:54:38 +0000

dev-db/postgresql: Cleanup Old and Insecure Files

Bug: https://bugs.gentoo.org/627462
Bug: https://bugs.gentoo.org/636978
Bug: https://bugs.gentoo.org/630824
Bug: https://bugs.gentoo.org/603720
Bug: https://bugs.gentoo.org/603716
Package-Manager: Portage-2.3.19, Repoman-2.3.6

dev-db/postgresql/Manifest | 6 -
.../files/postgresql-9.2-9.4-tz-dir-overflow.patch | 16 -
dev-db/postgresql/files/postgresql.confd | 58 ---
dev-db/postgresql/files/postgresql.init | 137 -------
dev-db/postgresql/files/postgresql.init-9.3 | 142 -------
dev-db/postgresql/files/postgresql.service | 55 ---
dev-db/postgresql/files/postgresql.service-9.6 | 56 ---
dev-db/postgresql/postgresql-9.2.19.ebuild | 390 ------------------
dev-db/postgresql/postgresql-9.2.22.ebuild | 441 --------------------
dev-db/postgresql/postgresql-9.2.23-r1.ebuild | 445 ---------------------
dev-db/postgresql/postgresql-9.2.23.ebuild | 441 --------------------
dev-db/postgresql/postgresql-9.3.15.ebuild | 395 ------------------
dev-db/postgresql/postgresql-9.4.10.ebuild | 427 --------------------
dev-db/postgresql/postgresql-9.5.5.ebuild | 438 --------------------
14 files changed, 3447 deletions(-)

commit 3b3ec30d0b02920ec76eeef4db2a968c3a907d23
Author: Jeroen Roovers <jer@gentoo.org>
Date: Sun Feb 11 13:09:46 2018 +0100

dev-db/postgresql: Stable for HPPA too.

All affected versions removed.
GLSA Vote: No

Tree is clean