Bug 62619 (suse47619)

Summary: VUL-0: PostgreSQL Security Release(s) for 7.2, 7.3 and 7.4
Product: [Novell Products] SUSE Security Incidents Reporter: Reinhard Max <max>
Component: IncidentsAssignee: Reinhard Max <max>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: aj, mls, rf, security-team, thomas
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: patchinfo-sles8_ul.psql
patchinfo.psql
patchinfo-box.psql

Description Reinhard Max 2004-10-26 18:23:57 UTC 
--- snip (http://www.postgresql.org/news/234.html)
Posted on 2004-10-23
Posted by press at PostgreSQL.org

In order to address a recent security report from iDefence, we have released 3
new "point" releases: 7.2.6, 7.3.8 and 7.4.6

Although rated only a Medium risk, according to their web site: "A vulnerability
exists due to the insecure creation of temporary files, which could possibly let
a malicious user overwrite arbitrary files."

Also in these releases is a potential 'data loss' bug that was recently identified:

* Repair possible failure to update hint bits on disk
Under rare circumstances this oversight could lead to "could not access
transaction status" failures, which qualifies it as a potential-data-loss bug. 
--- snap ---

Affected versions:

SLES8 ships with PostgreSQL 7.2.2 and would be updated to 7.2.6
SLES9 ships with PostgreSQL 7.4.2 and would be updated to 7.4.6

Also, all box products which are still getting YOU updates are affected and
should be updated.
Comment 1 Reinhard Max 2004-10-29 16:41:10 UTC 
*** Bug 62772 has been marked as a duplicate of this bug. ***
Comment 2 Reinhard Max 2004-11-03 00:55:09 UTC 
Awaiting aproval by PM.
Comment 3 Reinhard Max 2004-11-16 19:25:44 UTC 
Ralf?
Andreas?
Comment 4 Marcus Meissner 2004-11-17 18:42:04 UTC 
hello ralf, please state whether we Reinhard upgrade or not.
Comment 5 Ralf Flaxa 2004-11-22 23:10:19 UTC 
What are all the other changes between 7.2.2 and 7.2.6 (7.4.2 and 7.4.6). 
If you want to avoid answering this question the please just backport 
the one security fix.
Comment 6 Reinhard Max 2004-11-23 00:04:23 UTC 
There have been other security and major bug fixes.

The PostgrSQL-Team does a very good job in only patching things that need
patching in their patch releases and making sure that the latest patch release
is a drop-in replacement for it's successors with the same mior release number.
I completely trust them when they advise all users of the respective minor
versions to upgrade to the latest patch releases.

So IMHO there are two ways to proceed with this bug, either update to the latest
patch release or CLOSE WONTFIX.
Comment 7 Marcus Meissner 2004-11-26 21:46:11 UTC 
The only security fix in 7.2.5 - 7.2.6 is in "make_oidjoins_check", a contrib 
script and it is minor temprace fix. 
 
In 7.2.4 -> 7.2.5 is one that looks more problematic, but I cannot evaluate 
easily how problematic without reviewing lots of postgresql source. 
 
The whole patch looks clean to me too.
Comment 8 Thomas Biege 2004-12-06 20:07:47 UTC 
Ok, then let's apply this one. :)
Comment 9 Ralf Flaxa 2004-12-14 01:11:16 UTC 
Which one? 
And as kukuk just correctly stated this is a security update, 
so it does not go the SP1 path and thus does not need my 
approval. I am fine with the version update.
Comment 10 Michael Schröder 2004-12-16 00:53:12 UTC 
Up to now I have only a 9.1 postgresql package and a SLES9 patchinfo file.
I also need packages for 8.1, 8.2, 9.0, 9.2. And a patchinfo for the box
products.
Comment 11 Thomas Biege 2005-01-11 00:08:01 UTC 
CAN-2004-0977
Comment 12 Thomas Biege 2005-01-11 00:20:28 UTC 
swamp id:  85
Comment 13 Marcus Meissner 2005-01-11 00:21:53 UTC 
havent we released those already? 
 
puzzling
Comment 14 Thomas Biege 2005-01-11 00:26:05 UTC 
uh... did we? :(
Comment 15 Thomas Biege 2005-01-11 00:26:56 UTC 
we did... can it be closed?
Comment 16 Thomas Biege 2005-01-11 00:28:39 UTC 
that explains the low swamp id :)
Comment 17 Reinhard Max 2005-01-11 00:30:38 UTC 
I had to re-submit the patchinfo files for the box products today, so at least
the updates for the boxed products are not released yet. And I also got a
question on the SLES patchinfo files today, so they also still seem to be in the
process.
Comment 18 Marcus Meissner 2005-01-11 00:33:23 UTC 
??????? 
 
i released postgresql 8.1 - 9.2 updates on Jan 5th fixing 
bug 62619  ... so haeh?
Comment 19 Thomas Biege 2005-01-11 00:35:09 UTC 
Created attachment 27511 [details]
patchinfo-sles8_ul.psql
Comment 20 Thomas Biege 2005-01-11 00:35:29 UTC 
Created attachment 27512 [details]
patchinfo.psql
Comment 21 Thomas Biege 2005-01-11 00:35:49 UTC 
Created attachment 27513 [details]
patchinfo-box.psql
Comment 22 Reinhard Max 2005-01-11 00:38:59 UTC 
Stop that! I have submitted patchinfo files for this already.
Marcus, are you the last person to touch security updates before they hit the
FTP server?
Comment 23 Marcus Meissner 2005-01-11 00:43:35 UTC 
whoever approves updates does. 
 
for the security team either the incident manager or the responsible person. 
 
since the resubmitted patchinfo files just fix a packageinfo flaw, whoever 
fixed it (rudi or harald or someone) can do this too. 
 
 
 
The new patchinfos are unrelated to this bug which I really guess has been 
fixed with the update we did?
Comment 24 Marcus Meissner 2005-01-11 00:55:10 UTC 
updates released on jan 5th, just forgot to close this report. 
 
cleared patchinfo technical issues with reinhard and hmuelle.