New upstream microreleases 9.5.18, 10.9 and 11.5

Bug #1833211 reported by Christian Ehrhardt  on 2019-06-18
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
postgresql-10 (Ubuntu)
Bionic
Undecided
Unassigned
Cosmic
Undecided
Unassigned
postgresql-11 (Ubuntu)
Status tracked in Eoan
Disco
Undecided
Unassigned
Eoan
Undecided
Unassigned
postgresql-9.5 (Ubuntu)
Xenial
Undecided
Unassigned

Bug Description

[Impact]

 * MRE for latest stable fixes of Postgres.

[Test Case]

 * The Postgres MREs traditionally rely on the large pack of autopkgtests
   to run for verification. In a PPA those are all already pre-checked to
   be good for this upload.

[Regression Potential]

 * Upstreams tests are usually great and also in the Archive there are
   plenty of autopkgtests that in the past catched issues before released.
   But never the less

[Other Info]

 * This is a reoccurring MRE, see below and all the references

---

Current versions in supported releases:
 postgresql-9.5 | 9.5.17-0ubuntu0.16.04 xenial
 postgresql-10 | 10.8-0ubuntu0.18.04.1 bionic
 postgresql-10 | 10.8-0ubuntu0.18.10.1 cosmic
 postgresql-11 | 11.3-0ubuntu0.19.04.1 disco
 postgresql-11 | 11.3-1 eoan

Special cases:
- Eoan will as usual be synced from Debian

Last relevant related stable updates: 9.5.18, 10.9, 11.4

This is out of the usual cycle for CVE: CVE-2019-10164

Standing MRE - Consider last updates as template:
- pad.lv/1637236
- pad.lv/1664478
- pad.lv/1690730
- pad.lv/1713979
- pad.lv/1730661
- pad.lv/1747676
- pad.lv/1752271
- pad.lv/1786938
- pad.lv/1815665
- pad.lv/1828012

As usual we test and prep from the PPA and then push through SRU/Security as applicable.

Regression potential:
- usually this works smoothly except a few test hickups that need to be
  clarified to be sure. Pre-checks will catch those to be discussed (as last time)

Note: opening private as it is not yet announced
Public announce will on this Thursday.

Related branches

CVE References

Changed in postgresql-9.5 (Ubuntu Xenial):
status: New → Triaged
Changed in postgresql-11 (Ubuntu Eoan):
status: New → Triaged
Changed in postgresql-11 (Ubuntu Disco):
status: New → Triaged
Changed in postgresql-10 (Ubuntu Cosmic):
status: New → Triaged
Changed in postgresql-10 (Ubuntu Bionic):
status: New → Triaged
description: updated

MPs added (references under the description)

Releases will go through security for >=Bionic.
Xenial is not CVE affected, so it will use the "normal" SRU path.

Test results:
Disco:
 - flaky restarted
   - asterisk, dbconfig-common
 - known forced badtest
   - diaspora-installer, pglogical

Cosmic:
 - flaky restarted
   - amcheck, libpqxx
 - known forced badtest
   - diaspora-installer, pglogical

Bionic:
 - flaky restarted
   - plr
 - known forced badtest
   - diaspora-installer, pglogical

Xenial:
 - flaky restarted
   - libreoffice
 - known forced badtest
   - bareos, gearmand, orafce, pgpool2, pgfincore, postgresql-multicorn, postgresql-plproxy

That overall looks rather good already, most flaky test that I've seen were on arm for apt timeouts on ftpmaster.internal:http.
That is not due to postgres, lets wait for the reruns if they are any better.

And ibdbd-pg-perl on Disco, but the same unrelated apt ftp error.

Resolved on retry:
Bionic:
   - plr
Disco:
   - asterisk, libdbd-pg-perl

Still waiting on:

Disco:
   - dbconfig-common

Cosmic:
   - amcheck, libpqxx

Xenial:
   - libreoffice

More tests completed

Solved on Retry:

Cosmic:
   - amcheck, libpqxx

Disco:
   - dbconfig-common

And finally Xenial libreoffice @i386 is actually a fore-badtest already which matches http://autopkgtest.ubuntu.com/packages/l/libreoffice/xenial/i386

With the above all tests are green OR known force-badtests.
This should be ready for an upload unless Upstream changes the release before it becomes official.

Changed in postgresql-10 (Ubuntu Bionic):
status: Triaged → Fix Committed

The release will be done by security for >=Bionic by mdeslaur based on the PPA content, setting those to "Fix committed".

Xenial isn't affected by the CVE, hence that will use the normal SRU path (stays on Triaged).
We will upload to -unapproved when released by upstream.

Eoan will sync from Debian once available.

Changed in postgresql-10 (Ubuntu Cosmic):
status: Triaged → Fix Committed
Changed in postgresql-11 (Ubuntu Disco):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-11 - 11.4-0ubuntu0.19.04.1

---------------
postgresql-11 (11.4-0ubuntu0.19.04.1) disco-security; urgency=medium

   * New upstream release (LP: #1833211)
    - Fix buffer-overflow hazards in SCRAM verifier parsing and libpq
      CVE-2019-10164
    - Fix assorted errors in run-time partition pruning logic
    - Fix possible crash while trying to copy trigger definitions to a
      new partition
    - Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when the table has a
      partial exclusion constraint
    - Fix failure of COMMENT command for comments on domain constraints
    - Prevent possible memory clobber when there are duplicate columns in a
      hash aggregate's hash key list
    - Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/11/static/release-11-4.html

 -- Christian Ehrhardt <email address hidden> Tue, 18 Jun 2019 13:11:38 +0200

Changed in postgresql-11 (Ubuntu Disco):
status: Fix Committed → Fix Released

B/C got published as well:
https://launchpad.net/ubuntu/+source/postgresql-10/10.9-0ubuntu0.18.10.1
https://launchpad.net/ubuntu/+source/postgresql-10/10.9-0ubuntu0.18.04.1

Setting those releases to Fix Released as well.

As discussed before Xenial will follow the non-security SRU path.
Since this is now public I'm opened up the bug visibility and uploaded to xenial -unapproved.

information type: Private Security → Public Security
description: updated

Hello Christian, or anyone else affected,

Accepted postgresql-9.5 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/postgresql-9.5/9.5.18-0ubuntu0.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in postgresql-9.5 (Ubuntu Xenial):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-xenial

All autopkgtests for the newly accepted postgresql-9.5 (9.5.18-0ubuntu0.16.04.1) for xenial have finished running.
There have been regressions in tests triggered by the package. Please visit the sru report page and investigate the failures.

https://people.canonical.com/~ubuntu-archive/pending-sru.html#xenial

Thank you Robie and Lukasz for the SRU work on this.

Test fails:
- libreoffice: is a known flaky test that I restarted
- bareos: that should be a known badtest, checking ...
  Yes, the problem is that autopkgtest itself broke and not the test.
  Restarted, which should fail (as expected) but then be properly ignored.

Both tests resolved as expected.
As usual since the days of pitti the set of autopkgtests being passed is considered the verification for this.
Marking as verified.

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.5 - 9.5.18-0ubuntu0.16.04.1

---------------
postgresql-9.5 (9.5.18-0ubuntu0.16.04.1) xenial; urgency=medium

   * New upstream release (LP: #1833211)
    - Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when the table has
      a partial exclusion constraint
    - Fix failure of COMMENT command for comments on domain constraints
    - Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/9.5/static/release-9-5-18.html

 -- Christian Ehrhardt <email address hidden> Tue, 18 Jun 2019 13:11:33 +0200

Changed in postgresql-9.5 (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for postgresql-9.5 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers