New upstream microreleases 9.5.17, 10.8 and 11.3

Bug #1828012 reported by Christian Ehrhardt  on 2019-05-07
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
postgresql-10 (Ubuntu)
Bionic
Undecided
Marc Deslauriers
Cosmic
Undecided
Marc Deslauriers
postgresql-11 (Ubuntu)
Status tracked in Eoan
Disco
Undecided
Marc Deslauriers
Eoan
Undecided
Unassigned
postgresql-9.5 (Ubuntu)
Xenial
Undecided
Marc Deslauriers

Bug Description

Current versions in supported releases:
 postgresql-9.3 | 9.3.24-0ubuntu0.14.04 trusty <- no upstream updates anymore
 postgresql-9.5 | 9.5.16-0ubuntu0.16.04 xenial
 postgresql-10 | 10.7-0ubuntu0.18.04.1 bionic
 postgresql-10 | 10.7-0ubuntu0.18.10.1 cosmic
 postgresql-11 | 11.2-2 disco

Special cases:
- Eoan will be synced from Debian soon (we are on 11.2-2)

Last relevant related stable updates: 9.5.16, 10.7

Standing MRE - Consider last updates as template:
- pad.lv/1637236
- pad.lv/1664478
- pad.lv/1690730
- pad.lv/1713979
- pad.lv/1730661
- pad.lv/1747676
- pad.lv/1752271
- pad.lv/1786938
- pad.lv/1815665

As usual we test and prep from the PPA and then push through SRU/Security as applicable.

Regression potential:
- usually this works smoothly except a few test hickups that need to be
  clarified to be sure. Pre-checks will catch those to be discussed (as last time)

Note: opening private as it is not yet announced
Public announce will on this Thursday.

Related branches

CVE References

@Security - FYI this covers:
CVE-2019-10129 (Disco)
CVE-2019-10130 (Xenial, Bionic, Cosmic, Disco)

I Checked with mdeslaur, this will be pushed through -security.
Once we have all dep8 green in bileto we can ping him to release it.

Checking test results (as far as they are completed)
Xenial
 still waiting for results

Bionic:
- pglogical (is a known badtest)
  adconrad:force-badtest pglogical/2.1.1-1
- dbconfig-common @ armhf
  failed for archive connectivity, restarted

Cosmic:
- pglogical (is a known badtest)
  adconrad:force-badtest pglogical/2.2.0-1
- citus / dovecot / gearmand @ armhf
  failed for archive connectivity, restarted

Disco:
- diaspora-installer
- libreoffice @ armhf
  flaky test :-/, restarted
- pglogical (is a known badtest)
  ubuntu-release:force-badtest pglogical/2.2.1-4
- diaspora-installer
  all arch ruby breakage when installing yard
  restarted, but probably is a bug on its own that need analysis
  http://autopkgtest.ubuntu.com/packages/diaspora-installer/disco/amd64
  indicates this might be a known issue
- slony1-2 postgresql-prioritize dovecot @armhf
  failed for archive connectivity, restarted
- postgresql-prioritize @ i386
  Openstack crashed the VM on boot, restarted
- resource-agent @armhf
  Unkown issue, restarted

The only ones that might need extra work seem diaspora-installer (generally broken?) and resource-agent (real issue or yet unknown to be flaky).
Also waiting on Xenial as mentioned.

I'll look at yard in Disco next, that might be an issue on its own.

Update on remaining issues:

Bionic:
- dbconfig-common - fixed by rerun
=> Nothing left in Bionic

Cosmic:
- citus - fixed by rerun
- dovecot - fixed by rerun
- gearmand - fixed by rerun
=> Nothing left in Cosmic

Disco:
- diaspora-installer => bug 1828194
  TL;DR - not related to postgres (so we can go on) and I have a fix inbound for the SRU Team to
  check.
- postgresql-prioritize - fixed by rerun
- slony1-2 - fixed by rerun
- resource-agent fails on ldirectord install (not postgres).
  Needs armhf analysis ...
- dovecot - still waiting (but known flaky on armhf)

First results on Xenial are in:
Known bad tests (can be ignored)
- pitti:60:force-badtest bareos/14.2.6-3
- ubuntu-sru:23:force-badtest gearmand/1.0.6-5.1build2
- pitti:12:force-badtest orafce/3.2.1-1
- pitti:14:force-badtest pgfincore/1.1.2-4
- pitti:16:force-badtest pgpool2/3.4.3-1
- pitti:17:force-badtest postgresql-multicorn/1.3.2-1
- pitti:18:force-badtest postgresql-plproxy/2.6-2

There is one real issue left with pg-partman @ armhf
All other arches are good.
The kind of error DB-internal looks more like a race than a arch dependent bug.
Restarted it for now.

Summary on open issues left to resolve:
Xenial:
- pg-partman @ armhf

Disco:
- dovecot @ armhf
- resource-agent @ armhf

Disco dovecot @ armhf resolved by retry (as expected)

Xenial
- pg-partman @ armhf resolved by retry (as expected)

MP [1] filed for resource-agent. Whatever the outcome is, it is not postrgesqls fault.

[1]: https://code.launchpad.net/~paelzer/britney/hints-ubuntu-disco-resource-agent-arm/+merge/367165

With that we are all clear on tests.
Also all MPs got acked.

I'll prep a single PPA with the minor fix (missed html doc file) in one place for security to pick from. Then we wait if the official released tarballs match the pre-tarballs.

If so this can be released.

This got released by upstream now, so I'm marking the bug public.
I checked if our pre-generated release links work and they do, so no changelog changes necessary.

Upstream lists two more CVEs at [1], but those are for other installers - no need to modify our prepared packages.

We compared the released with the pre-tarballs that we tested and they are identical [2] (thanks Andreas for checking)

Due to that I'd ask to release the builds in [3]

Assigning to Marc to consider that.

[1]: https://www.postgresql.org/about/news/1939/
[2]: https://pastebin.ubuntu.com/p/HYVBM46zX6/
[3]: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3721

information type: Private Security → Public Security
Changed in postgresql-10 (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in postgresql-10 (Ubuntu Cosmic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in postgresql-11 (Ubuntu Disco):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in postgresql-9.5 (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)

Eoan already has
 postgresql-11 | 11.3-1 | eoan-proposed
So nothing that would hold us back anymore I guess?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.5 - 9.5.17-0ubuntu0.16.04.1

---------------
postgresql-9.5 (9.5.17-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * New upstream release(s) (LP: #1828012)
    - Prevent row-level security policies from being bypassed via
      selectivity estimators.
      CVE-2019-10130
    - Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/9.5/static/release-9-5-17.html

 -- Christian Ehrhardt <email address hidden> Tue, 07 May 2019 11:20:37 +0200

Changed in postgresql-9.5 (Ubuntu Xenial):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-11 - 11.3-0ubuntu0.19.04.1

---------------
postgresql-11 (11.3-0ubuntu0.19.04.1) disco-security; urgency=medium

  * New upstream release(s) (LP: #1828012)
    - Prevent row-level security policies from being bypassed via
      selectivity estimators.
      CVE-2019-10130
    - Avoid access to already-freed memory during partition routing error
      reports
      CVE-2019-10129
    - Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/11/static/release-11-3.html

 -- Christian Ehrhardt <email address hidden> Tue, 07 May 2019 11:20:32 +0200

Changed in postgresql-11 (Ubuntu Disco):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-10 - 10.8-0ubuntu0.18.10.1

---------------
postgresql-10 (10.8-0ubuntu0.18.10.1) cosmic-security; urgency=medium

  * New upstream release(s) (LP: #1828012)
    - Prevent row-level security policies from being bypassed via
      selectivity estimators.
      CVE-2019-10130
    - Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/10/static/release-10-8.html

 -- Christian Ehrhardt <email address hidden> Tue, 07 May 2019 11:20:35 +0200

Changed in postgresql-10 (Ubuntu Cosmic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-10 - 10.8-0ubuntu0.18.04.1

---------------
postgresql-10 (10.8-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * New upstream release(s) (LP: #1828012)
    - Prevent row-level security policies from being bypassed via
      selectivity estimators.
      CVE-2019-10130
    - Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/10/static/release-10-8.html

 -- Christian Ehrhardt <email address hidden> Tue, 07 May 2019 11:20:35 +0200

Changed in postgresql-10 (Ubuntu Bionic):
status: New → Fix Released
Andreas Hasenack (ahasenack) wrote :

11.3 is in eoan, marking that task as fix released.

Changed in postgresql-11 (Ubuntu Eoan):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers