Summary: | <dev-db/postgresql-{9.6.17,10.12,11.7,12.2}: the ALTER ... DEPENDS ON EXTENSION sub-commands do not perform authorization checks (CVE-2020-1720) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | filip ambroz <filip.ambroz> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | jaco, leio, mgorny, pgsql-bugs |
Priority: | Normal | Keywords: | CC-ARCHES |
Version: | unspecified | Flags: | nattka:
sanity-check-
|
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.postgresql.org/about/news/2011/ | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=737032 | ||
Whiteboard: | B2 [glsa+ cve] | ||
Package list: |
=dev-db/postgresql-9.5.21 amd64 arm arm64 hppa ppc ppc64 sparc x86
=dev-db/postgresql-9.4.26 amd64 arm arm64 hppa ppc ppc64 sparc x86
|
Runtime testing required: | No |
Description
filip ambroz
2020-02-15 10:04:50 UTC
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=b048f558dd7c26a0c630a2cff29d3d8981eaf6b9 https://www.debian.org/security/2020/dsa-4623 The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=366e303e11e473c985f5ec470ab50cb0cc0adefe commit 366e303e11e473c985f5ec470ab50cb0cc0adefe Author: Aaron W. Swenson <titanofold@gentoo.org> AuthorDate: 2020-02-19 12:48:39 +0000 Commit: Aaron W. Swenson <titanofold@gentoo.org> CommitDate: 2020-02-19 12:48:55 +0000 dev-db/postgresql: Version Bump Versions: - 9.4.26 - 9.5.21 - 9.6.17 - 10.12 - 11.7 - 12.2 Bug: https://bugs.gentoo.org/709708 Package-Manager: Portage-2.3.84, Repoman-2.3.20 Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org> dev-db/postgresql/Manifest | 6 + dev-db/postgresql/postgresql-10.12.ebuild | 466 +++++++++++++++++++++++++++ dev-db/postgresql/postgresql-11.7.ebuild | 468 +++++++++++++++++++++++++++ dev-db/postgresql/postgresql-12.2.ebuild | 468 +++++++++++++++++++++++++++ dev-db/postgresql/postgresql-9.4.26.ebuild | 480 ++++++++++++++++++++++++++++ dev-db/postgresql/postgresql-9.5.21.ebuild | 486 ++++++++++++++++++++++++++++ dev-db/postgresql/postgresql-9.6.17.ebuild | 491 +++++++++++++++++++++++++++++ 7 files changed, 2865 insertions(+) Please stabilize the following targets: =dev-db/postgresql-12.2 ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 =dev-db/postgresql-11.7 ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 =dev-db/postgresql-10.12 ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 =dev-db/postgresql-9.6.17 ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 amd64 stable sparc stable ppc stable ppc64 stable ia64 stable x86 stable hppa stable arm stable Added to an existing GLSA. @ maintainer(s): Please explain why you don't want to stabilize =dev-db/postgresql-9.4.26 and =dev-db/postgresql-9.5.21 because previous 9.4.x and 9.5.x is also affected. This issue was resolved and addressed in GLSA 202003-03 at https://security.gentoo.org/glsa/202003-03 by GLSA coordinator Thomas Deutschmann (whissi). Re-opening for remaining architectures and 9.4.x / 9.5.x. arm64 stable So I guess this is now pending cleanup AND handling of 9.4/9.5 series (or their cleanup) Resetting sanity check; keywords are not fully specified and arches are not CC-ed. Starting stabilization of 9.4.x/9.5,x after maintainer timeout. amd64 stable arm stable sparc stable x86 stable arm64 stable ppc stable ppc64 stable hppa stable @maintainer(s), please cleanup The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b5e26ac55a72ac909ee2d830e520d7604c3097e commit 2b5e26ac55a72ac909ee2d830e520d7604c3097e Author: Aaron W. Swenson <titanofold@gentoo.org> AuthorDate: 2020-05-13 11:37:11 +0000 Commit: Aaron W. Swenson <titanofold@gentoo.org> CommitDate: 2020-05-13 11:37:28 +0000 dev-db/postgresql: Cleanup old, insecure Bug: https://bugs.gentoo.org/709708 Package-Manager: Portage-2.3.89, Repoman-2.3.20 Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org> dev-db/postgresql/Manifest | 20 -- dev-db/postgresql/postgresql-10.10.ebuild | 465 ------------------------ dev-db/postgresql/postgresql-10.11.ebuild | 465 ------------------------ dev-db/postgresql/postgresql-10.9.ebuild | 465 ------------------------ dev-db/postgresql/postgresql-11.4.ebuild | 467 ------------------------ dev-db/postgresql/postgresql-11.5.ebuild | 467 ------------------------ dev-db/postgresql/postgresql-11.6.ebuild | 467 ------------------------ dev-db/postgresql/postgresql-12.0.ebuild | 467 ------------------------ dev-db/postgresql/postgresql-12.1.ebuild | 467 ------------------------ dev-db/postgresql/postgresql-9.4.22-r1.ebuild | 479 ------------------------- dev-db/postgresql/postgresql-9.4.22.ebuild | 474 ------------------------- dev-db/postgresql/postgresql-9.4.23.ebuild | 479 ------------------------- dev-db/postgresql/postgresql-9.4.24.ebuild | 479 ------------------------- dev-db/postgresql/postgresql-9.4.25.ebuild | 479 ------------------------- dev-db/postgresql/postgresql-9.5.17-r1.ebuild | 485 ------------------------- dev-db/postgresql/postgresql-9.5.17.ebuild | 480 ------------------------- dev-db/postgresql/postgresql-9.5.18.ebuild | 485 ------------------------- dev-db/postgresql/postgresql-9.5.19.ebuild | 485 ------------------------- dev-db/postgresql/postgresql-9.5.20.ebuild | 485 ------------------------- dev-db/postgresql/postgresql-9.6.13-r1.ebuild | 490 -------------------------- dev-db/postgresql/postgresql-9.6.13.ebuild | 485 ------------------------- dev-db/postgresql/postgresql-9.6.14.ebuild | 490 -------------------------- dev-db/postgresql/postgresql-9.6.15.ebuild | 490 -------------------------- dev-db/postgresql/postgresql-9.6.16.ebuild | 490 -------------------------- 24 files changed, 11005 deletions(-) All done, I think. (In reply to Thomas Deutschmann from comment #13) > @ maintainer(s): Please explain why you don't want to stabilize > =dev-db/postgresql-9.4.26 and =dev-db/postgresql-9.5.21 because previous > 9.4.x and 9.5.x is also affected. Sorry for the delayed response. The reason I didn't initially include them is because neither 9.4 nor 9.5 is affected as noted in comment #1, which is a copy of https://www.postgresql.org/about/news/2011/ But, at this point, they're now old enough to be stabilized, Unable to check for sanity:
> no match for package: =dev-db/postgresql-9.4.26
|