| Summary: | <dev-db/postgresql-{10.22,11.17,12.12,13.8,14.5}: multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Aaron W. Swenson <titanofold> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | pgsql-bugs |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B1 [glsa+] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 865327 | | |
| Bug Blocks: | | | |

Description
Aaron W. Swenson
2022-08-15 16:46:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b02edae84b979b6a303de9a9410a57bfa33386d3

commit b02edae84b979b6a303de9a9410a57bfa33386d3
Author: Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2022-08-15 16:52:47 +0000
Commit: Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2022-08-15 16:52:47 +0000

dev-db/postgresql: Security bump

Vulnerability CVE-2022-2625 addressed by bump to:
- 10.22
- 11.17
- 12.12
- 13.8
- 14.5
- 15_beta3

Also, pgbench is installed with -server again.

Removed unused eclasses multilib and prefix.

Bug: https://bugs.gentoo.org/865255
Closes: https://bugs.gentoo.org/860360
Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

dev-db/postgresql/Manifest | 6 +
.../files/postgresql-13.8-no-server.patch | 144 +++++++
.../files/postgresql-14.5-no-server.patch | 146 +++++++
.../files/postgresql-15_beta3-no-server.patch | 146 +++++++
dev-db/postgresql/postgresql-10.22.ebuild | 453 ++++++++++++++++++++
dev-db/postgresql/postgresql-11.17.ebuild | 453 ++++++++++++++++++++
dev-db/postgresql/postgresql-12.12.ebuild | 453 ++++++++++++++++++++
dev-db/postgresql/postgresql-13.8.ebuild | 465 +++++++++++++++++++++
dev-db/postgresql/postgresql-14.5.ebuild | 462 ++++++++++++++++++++
dev-db/postgresql/postgresql-15_beta3.ebuild | 464 ++++++++++++++++++++
dev-db/postgresql/postgresql-9999.ebuild | 7 +-
11 files changed, 3195 insertions(+), 4 deletions(-)

Thanks! Please stabilize when ready

Please cleanup

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=92634e10850338c32fa7b3f7751fd83c3a22bee8

commit 92634e10850338c32fa7b3f7751fd83c3a22bee8
Author: Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2022-08-18 11:22:38 +0000
Commit: Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2022-08-18 11:22:38 +0000

dev-db/postgresql: Cleanup insecure

Bug: https://bugs.gentoo.org/865255
Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

dev-db/postgresql/Manifest | 16 -
dev-db/postgresql/files/postgres-llvm14.patch | 154 -------
.../files/postgresql-13_beta1-no-server.patch | 149 -------
.../files/postgresql-14_rc1-no-server.patch | 151 -------
.../files/postgresql-9.6.3-no-server.patch | 141 -------
dev-db/postgresql/postgresql-10.19-r1.ebuild | 453 --------------------
dev-db/postgresql/postgresql-10.20-r1.ebuild | 453 --------------------
dev-db/postgresql/postgresql-10.21.ebuild | 453 --------------------
dev-db/postgresql/postgresql-11.14-r1.ebuild | 453 --------------------
dev-db/postgresql/postgresql-11.15-r1.ebuild | 453 --------------------
dev-db/postgresql/postgresql-11.16.ebuild | 453 --------------------
dev-db/postgresql/postgresql-12.10-r1.ebuild | 454 --------------------
dev-db/postgresql/postgresql-12.11.ebuild | 453 --------------------
dev-db/postgresql/postgresql-12.9-r1.ebuild | 454 --------------------
dev-db/postgresql/postgresql-13.5-r1.ebuild | 466 ---------------------
dev-db/postgresql/postgresql-13.6-r2.ebuild | 466 ---------------------
dev-db/postgresql/postgresql-13.7.ebuild | 465 ---------------------
dev-db/postgresql/postgresql-14.1-r1.ebuild | 466 ---------------------
dev-db/postgresql/postgresql-14.2-r1.ebuild | 463 --------------------
dev-db/postgresql/postgresql-14.4.ebuild | 462 --------------------
dev-db/postgresql/postgresql-15_beta2.ebuild | 464 --------------------
21 files changed, 7942 deletions(-)

CVE-2022-1552: A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity.

Fixed in 14.3, 13.7, 12.11, 11.16, and 10.21 according to: https://www.postgresql.org/about/news/postgresql-143-137-1211-1116-and-1021-released-2449/

GLSA request filed.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=694f26b01e42989d9051936ddeae825e13b4acb3

commit 694f26b01e42989d9051936ddeae825e13b4acb3
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-19 03:33:11 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:39 +0000

[ GLSA 202211-04 ] PostgreSQL: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/793734
Bug: https://bugs.gentoo.org/808984
Bug: https://bugs.gentoo.org/823125
Bug: https://bugs.gentoo.org/865255
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: John Helmert III <ajak@gentoo.org>

glsa-202211-04.xml | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 87 insertions(+)

GLSA released, all done!