New upstream microreleases 9.3.21, 9.5.11 and 9.6.7

Bug #1747676 reported by Christian Ehrhardt  on 2018-02-06
Affects | Status | Importance | Assigned to | Milestone
postgresql-10 (Ubuntu) | | Undecided | Unassigned |
postgresql-9.3 (Ubuntu) | | Undecided | Unassigned |
  Trusty | | Undecided | Unassigned |
postgresql-9.5 (Ubuntu) | | Undecided | Unassigned |
  Xenial | | Undecided | Unassigned |
postgresql-9.6 (Ubuntu) | | Undecided | Unassigned |
  Artful | | Undecided | Unassigned |

Bug Description

PostgreSQL stable update

Current versions in supported releases:
 postgresql-9.3 | 9.3.20-0ubuntu0.14.04 trusty
 postgresql-9.5 | 9.5.10-0ubuntu0.16.04 xenial
 postgresql-9.6 | 9.6.6-0ubuntu0.17.10 artful
 postgresql-10 | 10.1-3build1 bionic

Special cases:
- Bionic will be synced from Debian which usually releases fast.
  So no Bionic upload.
- We wanted to add force-badtests this time for all the regular lxd based issues

Last related stable updates: 9.3.21, 9.5.11, 9.6.7

So the todo is to pick:
MRE: Trusty 9.3.21 from https://borka.postgresql.org/staging/5773b8b3ca6636cab0a5433aac8574ae9404a720/postgresql-9.3.21.tar.gz
MRE: Xenial 9.5.11 from https://borka.postgresql.org/staging/5773b8b3ca6636cab0a5433aac8574ae9404a720/postgresql-9.5.11.tar.gz
Sync: Artful 9.6.7 from https://borka.postgresql.org/staging/5773b8b3ca6636cab0a5433aac8574ae9404a720/postgresql-9.6.7.tar.gz

Standing MRE - Consider last updates as template:
- pad.lv/1637236
- pad.lv/1664478
- pad.lv/1690730
- pad.lv/1713979
- pad.lv/1730661
New - this bug

Note: opening private as it is not yet announced

TODO: add New link to changelog (like old https://www.postgresql.org/about/news/1733)
TODO: add upgrade highlights to changelog (if any)
Announce will be next week.

CVE References

no longer affects: postgresql-9.3 (Ubuntu Xenial)
no longer affects: postgresql-9.3 (Ubuntu Artful)
no longer affects: postgresql-9.5 (Ubuntu Trusty)
no longer affects: postgresql-9.5 (Ubuntu Artful)
no longer affects: postgresql-9.6 (Ubuntu Trusty)
no longer affects: postgresql-9.6 (Ubuntu Xenial)
Changed in postgresql-9.6 (Ubuntu Artful):
status: New → Triaged
Changed in postgresql-9.6 (Ubuntu):
status: New → Won't Fix
Changed in postgresql-9.5 (Ubuntu):
status: New → Invalid
Changed in postgresql-9.6 (Ubuntu):
status: Won't Fix → Invalid
Changed in postgresql-9.3 (Ubuntu):
status: New → Invalid
Changed in postgresql-9.3 (Ubuntu Trusty):
status: New → Triaged
Changed in postgresql-9.5 (Ubuntu Xenial):
status: New → Triaged
Changed in postgresql-10 (Ubuntu):
status: New → Invalid

Uploads prepared and building in ppas atm;
For tests pre-upload (while waiting for the official release)

Trusty: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3128
Xenial: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3129
Artful: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3130

Bug 1748161 is about the improvement of the britney hints to not have the SRU Team force it all the time.

All autopkgtests good on the ppa except those that will be addressed in bug 1748161 anyway.

Also the official release notes are up.
With that I completed the changelog entries and I'm ready to upload.

Last time this contained CVEs it went through security - I'll check how we handle this time.

Opening up the bug as the news is public now.

information type: Private → Public

Marc Deslauriers (mdeslaur) wrote :

These fix CVE-2018-1053.

This contains a CVE, so the security Team will push it through -security.
Good that we had all pre-tests already.

P.S. autopkgtests can be seen on bileto https://bileto.ubuntu.com/#/ticket/3128 - 3130

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.3 - 9.3.21-0ubuntu0.14.04

---------------
postgresql-9.3 (9.3.21-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream release (LP: #1747676)
    - Ensure that all temporary files made by pg_upgrade are non-world-readable
      (CVE-2018-1053)
    - Details about other changes at full changelog:
      https://www.postgresql.org/docs/9.3/static/release-9-3-21.html

 -- Christian Ehrhardt <email address hidden> Tue, 06 Feb 2018 15:19:51 +0100

Changed in postgresql-9.3 (Ubuntu Trusty):
status: Triaged → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.5 - 9.5.11-0ubuntu0.16.04

---------------
postgresql-9.5 (9.5.11-0ubuntu0.16.04) xenial-security; urgency=medium

  * New upstream release (LP: #1747676)
    - Ensure that all temporary files made by pg_upgrade are non-world-readable
      (CVE-2018-1053)
    - Details about other changes at full changelog:
      https://www.postgresql.org/docs/9.5/static/release-9-5-11.html

 -- Christian Ehrhardt <email address hidden> Tue, 06 Feb 2018 15:20:02 +0100

Changed in postgresql-9.5 (Ubuntu Xenial):
status: Triaged → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.6 - 9.6.7-0ubuntu0.17.10

---------------
postgresql-9.6 (9.6.7-0ubuntu0.17.10) artful-security; urgency=medium

  * New upstream release (LP: #1747676)
    - Ensure that all temporary files made by pg_upgrade are non-world-readable
      (CVE-2018-1053)
    - Change the behavior of contrib/cube's cube ~> int operator to make it
      compatible with KNN search.
      The meaning of the second argument (the dimension selector) has been
      changed to make it predictable which value is selected even when
      dealing with cubes of varying dimensionalities.
      This is an incompatible change, but since the point of the operator
      was to be used in KNN searches, it seems rather useless as-is.
      After installing this update, any expression indexes or materialized
      views using this operator will need to be reindexed/refreshed.
    - Details about other changes at full changelog:
      https://www.postgresql.org/docs/9.6/static/release-9-6-7.html

 -- Christian Ehrhardt <email address hidden> Tue, 06 Feb 2018 15:20:19 +0100

Changed in postgresql-9.6 (Ubuntu Artful):
status: Triaged → Fix Released