| Summary: | dev-db/postgresql-{9.6.24,10.19,11.14,12.9,13.5,14.1}: Multiple vulnerabilities (CVE-2021-{23214,23222}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Aaron W. Swenson <titanofold> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | pgsql-bugs |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [glsa+] | | |
| Package list: | | Runtime testing required: | No |
| Bug Depends on: | 823662 | | |
| Bug Blocks: | 808984 | | |
Description
Aaron W. Swenson
2021-11-11 17:53:40 UTC

Unable to check for sanity:

> no match for package: dev-db/postgresql-10.19

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ac98e53d0345baa54143f226630a9512137c0c6

```
commit 3ac98e53d0345baa54143f226630a9512137c0c6
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2021-11-11 17:48:05 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2021-11-11 18:04:44 +0000

    dev-db/postgresql: Security bump

    Versions bumped to:
    - 14.1
    - 13.5
    - 12.9
    - 11.14
    - 10.19
    - 9.6.24

    This is the final release of 9.6. 9.6 will be removed 30 days after the
    next regular release cycle or security release, whichever is first.

    Complete release notes available at:
    https://www.postgresql.org/about/news/postgresql-141-135-129-1114-1019-and-9624-released-2349/

    Security fixes:
    - CVE-2021-23214: Server processes unencrypted bytes from man-in-the-middle
    - CVE-2021-23222: libpq processes unencrypted bytes from man-in-the-middle

    Bug: https://bugs.gentoo.org/823125
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-db/postgresql/postgresql-10.19.ebuild  | 458 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-11.14.ebuild  | 455 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-12.9.ebuild   | 455 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-13.5.ebuild   | 467 ++++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.6.24.ebuild | 479 +++++++++++++++++++++++++++++
 5 files changed, 2314 insertions(+)
```

All sanity-check issues have been resolved

What I use to test these packages:

```sh
for p in postgresql-{9.6.24,10.19,11.14,12.9,13.5}.ebuild; do
  ebuild ${p} clean
  USE="-server" ebuild ${p} compile || break
  ebuild ${p} clean
  USE="server" FEATURES="userpriv test" LC_ALL="C" ebuild ${p} install || break
  ebuild ${p} clean
done
```

Maybe I misunderstand the process here but it seems 14.1 has not been updated. Is it still coming?

(In reply to Holger Hoffstätte from comment #5)
> Maybe I misunderstand the process here but it seems 14.1 has not been
> updated. Is it still coming?

I'm sorry. I should have explicitly stated that 14.1 is /not/ eligible for a rapid stable as 14.0 hasn't been stabled.

sparc done

amd64 done

x86 done

ppc done

ppc64 done

Keywords are not fully specified and arches are not CC-ed for the following packages:
- =dev-db/postgresql-10.19
- =dev-db/postgresql-11.14
- =dev-db/postgresql-12.9
- =dev-db/postgresql-13.5
- =dev-db/postgresql-9.6.24

Affected packages removed.

```
origin/master cf21ef6300a1912904f4de29896b89a61286120c
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: Thu Nov 18 10:11:49 2021 -0500
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: Thu Nov 18 10:11:49 2021 -0500
Parent:     1e94da60af1 dev-db/postgresql: Actually bump to 14.1
Merged:     master
Contained:  master

dev-db/postgresql: Cleanup insecure

Bugs: https://bugs.gentoo.org/823125
Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

12 files changed, 5107 deletions(-)
dev-db/postgresql/Manifest                    |  11 -
dev-db/postgresql/postgresql-10.17-r2.ebuild  | 459 ------------------------
dev-db/postgresql/postgresql-10.18.ebuild     | 458 ------------------------
dev-db/postgresql/postgresql-11.12.ebuild     | 455 ------------------------
dev-db/postgresql/postgresql-11.13.ebuild     | 455 ------------------------
dev-db/postgresql/postgresql-12.7.ebuild      | 455 ------------------------
dev-db/postgresql/postgresql-12.8.ebuild      | 455 ------------------------
dev-db/postgresql/postgresql-13.3.ebuild      | 467 -------------------------
dev-db/postgresql/postgresql-13.4.ebuild      | 467 -------------------------
dev-db/postgresql/postgresql-14.0.ebuild      | 467 -------------------------
dev-db/postgresql/postgresql-9.6.22-r2.ebuild | 479 --------------------------
dev-db/postgresql/postgresql-9.6.23.ebuild    | 479 --------------------------
```

Thanks! GLSA request filed.

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=694f26b01e42989d9051936ddeae825e13b4acb3

```
commit 694f26b01e42989d9051936ddeae825e13b4acb3
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-19 03:33:11 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:39 +0000

    [ GLSA 202211-04 ] PostgreSQL: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/793734
    Bug: https://bugs.gentoo.org/808984
    Bug: https://bugs.gentoo.org/823125
    Bug: https://bugs.gentoo.org/865255
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202211-04.xml | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)
```

GLSA released, all done!