| Summary: | <dev-db/postgresql-{9.3.22,9.4.17,9.5.12,9.6.8,10.3} - Schema Name trojan-horse attack (CVE-2018-1058) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Aaron W. Swenson <titanofold> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | esigra, hydrapolic, leio, pgsql-bugs |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.postgresql.org/about/news/1834/ | | |
| Whiteboard: | B3 [noglsa cve] | | |
| Package list: | dev-db/postgresql-9.3.22, dev-db/postgresql-9.4.17, dev-db/postgresql-9.5.12, dev-db/postgresql-9.6.8, dev-db/postgresql-10.3 | | |
| Runtime testing required: | No | | |
| Bug Depends on: | | | |
| Bug Blocks: | 647246 | | |
Description
Aaron W. Swenson
2018-03-01 22:40:39 UTC
Comment #1
Larry the Git Cow

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64d29b8d6c50d098caebdf8df6cec58375d2ec55

commit 64d29b8d6c50d098caebdf8df6cec58375d2ec55
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-03-01 22:46:29 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-03-01 22:46:50 +0000

    dev-db/postgresql: Security Bump

    Mitigates a “trojan-horse” attack based on schema names.

    Security bump to:
    - 10.3
    - 9.6.8
    - 9.5.12
    - 9.4.17
    - 9.3.22

    See PostgreSQL’s wiki article for a complete explanation of the vulnerability:
    https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path

    Bug: https://bugs.gentoo.org/649288
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 dev-db/postgresql/Manifest                 |   5 +
 dev-db/postgresql/postgresql-10.3.ebuild   | 460 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.3.22.ebuild | 450 ++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.4.17.ebuild | 482 ++++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.5.12.ebuild | 488 ++++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.6.8.ebuild  | 493 +++++++++++++++++++++++++++++
 6 files changed, 2378 insertions(+)

Comment #2
Aaron W. Swenson

Please stabilize:

=dev-db/postgresql-10.3 ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.6.8 ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.5.12 ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.4.17 ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.3.22 ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86

To test client-only, build/install is typically enough. Optionally, use psql to connect to a server:

    USE="-server" emerge dev-db/postgresql:{9.{3..6},10}

To test server:

    FEATURES="userpriv test" USE="server" emerge dev-db/postgresql:{9.{3..6},10}

Comment #3

amd64 stable

Comment #4

arm64 doesn't have any stable versions, not sure why we are CCed; add back if I missed something.

Note though that we'll want to carry stable keywords on postgres at some later point in the not too distant future - it's used on servers. But that'll be a newstable and probably 9.5+ only (or only 10/11) and the version at first that amd64 has last stable in the slot at the time.

Comment #5

ia64 stable

Comment #6

x86 stable

Comment #7
Tobias Klausmann

Stable on alpha.

Comment #8

arm stable

Comment #9

ppc/ppc64 stable

Comment #10
Aaron W. Swenson

(In reply to Tobias Klausmann from comment #7)
> Stable on alpha.

Missed dev-db/postgresql-9.6.8

Comment #11

(In reply to Aaron W. Swenson from comment #10)
> (In reply to Tobias Klausmann from comment #7)
> > Stable on alpha.
>
> Missed dev-db/postgresql-9.6.8

Fixed.

Comment #12
Larry the Git Cow

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30cbf998dc97248b11f16c87c56d816a8cf9fe55

commit 30cbf998dc97248b11f16c87c56d816a8cf9fe55
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-19 18:08:02 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-19 18:15:05 +0000

    dev-db/postgresql: stable 10.3 for sparc

    Bug: https://bugs.gentoo.org/649288
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-db/postgresql/postgresql-10.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1043f61b432a8d612d935fc1d63851d703f4cc9f

commit 1043f61b432a8d612d935fc1d63851d703f4cc9f
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-19 18:06:48 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-19 18:15:05 +0000

    dev-db/postgresql: stable 9.6.8 for sparc

    Bug: https://bugs.gentoo.org/649288
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-db/postgresql/postgresql-9.6.8.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7d6d7237e19bcd3b23b3892b46dabe514c209214

commit 7d6d7237e19bcd3b23b3892b46dabe514c209214
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-19 18:05:34 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-19 18:15:05 +0000

    dev-db/postgresql: stable 9.5.12 for sparc

    Bug: https://bugs.gentoo.org/649288
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-db/postgresql/postgresql-9.5.12.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=805a8c1d7a566dec44b9fbc1d0f6bff56fc802fc

commit 805a8c1d7a566dec44b9fbc1d0f6bff56fc802fc
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-19 18:04:20 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-19 18:15:05 +0000

    dev-db/postgresql: stable 9.4.17 for sparc

    Bug: https://bugs.gentoo.org/649288
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-db/postgresql/postgresql-9.4.17.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3a41fc4d12d1519c83302bd3d9be654acaa31d3

commit e3a41fc4d12d1519c83302bd3d9be654acaa31d3
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-19 18:03:07 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-19 18:15:04 +0000

    dev-db/postgresql: stable 9.3.22 for sparc

    Bug: https://bugs.gentoo.org/649288
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-db/postgresql/postgresql-9.3.22.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment #13

hppa is now exp and no longer security supported.

@maintainer(s), please clean the vulnerable ebuilds.

Comment #14
Larry the Git Cow

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=389ff0cbbc0887419892791e1e136466b0fde120

commit 389ff0cbbc0887419892791e1e136466b0fde120
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-05-20 09:41:47 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-05-20 09:41:47 +0000

    dev-db/postgresql: Cleanup insecure

    Bug: https://bugs.gentoo.org/649288
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 dev-db/postgresql/Manifest                   |   6 -
 .../files/postgresql-10beta2-no-server.patch | 146 ------
 dev-db/postgresql/postgresql-10.1.ebuild     | 460 -------------------
 dev-db/postgresql/postgresql-9.3.20.ebuild   | 450 -------------------
 dev-db/postgresql/postgresql-9.4.15.ebuild   | 482 --------------------
 dev-db/postgresql/postgresql-9.5.10.ebuild   | 488 --------------------
 dev-db/postgresql/postgresql-9.6.6.ebuild    | 493 ---------------------
 dev-db/postgresql/postgresql-9.6.7.ebuild    | 493 ---------------------
 8 files changed, 3018 deletions(-)

Comment #15

(In reply to Larry the Git Cow from comment #14)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=389ff0cbbc0887419892791e1e136466b0fde120
>
> commit 389ff0cbbc0887419892791e1e136466b0fde120
> Author:     Aaron W. Swenson <titanofold@gentoo.org>
> AuthorDate: 2018-05-20 09:41:47 +0000
> Commit:     Aaron W. Swenson <titanofold@gentoo.org>
> CommitDate: 2018-05-20 09:41:47 +0000
>
>     dev-db/postgresql: Cleanup insecure
>
>     Bug: https://bugs.gentoo.org/649288
>     Package-Manager: Portage-2.3.24, Repoman-2.3.6
>
>  dev-db/postgresql/Manifest                   |   6 -
>  .../files/postgresql-10beta2-no-server.patch | 146 ------
>  dev-db/postgresql/postgresql-10.1.ebuild     | 460 -------------------
>  dev-db/postgresql/postgresql-9.3.20.ebuild   | 450 -------------------
>  dev-db/postgresql/postgresql-9.4.15.ebuild   | 482 --------------------
>  dev-db/postgresql/postgresql-9.5.10.ebuild   | 488 --------------------
>  dev-db/postgresql/postgresql-9.6.6.ebuild    | 493 ---------------------
>  dev-db/postgresql/postgresql-9.6.7.ebuild    | 493 ---------------------
>  8 files changed, 3018 deletions(-)

Thanks, Aaron!
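The security-bump commit in this bug only says that the new releases mitigate a "trojan-horse" attack based on schema names and points at the PostgreSQL guide "Protect Your Search Path". Upgrading the package is necessary but not the whole fix: the guide also asks database owners to lock down the public schema and pin search_path. The SQL below is an added example of those hardening steps written for this page; it is not part of the Gentoo bug, the ebuilds, or the PostgreSQL guide's own text. The role app_user, the schema app and the table app.accounts are constructed placeholders; everything else is standard PostgreSQL syntax available in all the versions listed here (9.3 and later).

```sql
-- Added example: search_path hardening for CVE-2018-1058.
-- Run as a superuser in each database. app_user, app and app.accounts
-- are placeholders constructed for this example.

-- 1. Stop ordinary users from creating objects in the public schema, so an
--    unprivileged user cannot plant a same-named function or operator there
--    that would be picked up ahead of the intended one.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. Give the application role a schema of its own for its objects.
CREATE SCHEMA IF NOT EXISTS app AUTHORIZATION app_user;
CREATE TABLE IF NOT EXISTS app.accounts (id bigint PRIMARY KEY, name text);

-- 3. Pin the role's search path: pg_catalog explicitly first, then only the
--    trusted application schema. "$user" and public are deliberately absent.
ALTER ROLE app_user SET search_path = pg_catalog, app;

-- 4. For privileged functions, fix search_path inside the definition so the
--    name resolution does not depend on whatever the caller has set.
CREATE OR REPLACE FUNCTION app.count_accounts() RETURNS bigint
LANGUAGE sql SECURITY DEFINER
SET search_path = pg_catalog, app
AS $$ SELECT count(*) FROM app.accounts $$;

-- 5. Audit check: list functions that still live in public and who owns them.
--    Any entry owned by a non-superuser deserves a look.
SELECT n.nspname  AS schema,
       p.proname  AS function,
       pg_catalog.pg_get_userbyid(p.proowner) AS owner
  FROM pg_catalog.pg_proc p
  JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
 WHERE n.nspname = 'public'
 ORDER BY 3, 2;
```

The REVOKE in step 1 is the change with the widest effect: any existing application that relied on creating tables in public as an unprivileged role will need its own schema (step 2) before it keeps working, so apply it per database and test the application against it before rolling it out.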