New upstream microreleases 9.5.19 10.10 and 11.5

Bug #1839058 reported by Christian Ehrhardt  on 2019-08-06
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
postgresql-10 (Ubuntu)
Bionic
Undecided
Steve Beattie
postgresql-11 (Ubuntu)
Undecided
Unassigned
Disco
Undecided
Steve Beattie
Eoan
Undecided
Unassigned
postgresql-9.5 (Ubuntu)
Xenial
Undecided
Steve Beattie

Bug Description

[Impact]

 * MRE for latest stable fixes of Postgres.

[Test Case]

 * The Postgres MREs traditionally rely on the large pack of autopkgtests
   to run for verification. In a PPA those are all already pre-checked to
   be good for this upload.

[Regression Potential]

 * Upstreams tests are usually great and also in the Archive there are
   plenty of autopkgtests that in the past catched issues before released.
   But never the less

[Other Info]

 * This is a reoccurring MRE, see below and all the references

---

Current versions in supported releases:
 postgresql-9.5 | 9.5.18-0ubuntu0.16.04 xenial
 postgresql-10 | 10.9-0ubuntu0.18.04.1 bionic
 postgresql-10 | 10.9-0ubuntu0.18.10.1 cosmic
 postgresql-11 | 11.4-0ubuntu0.19.04.1 disco
 postgresql-11 | 11.4-1.1~ubuntu1 eoan

Special cases:
- Eoan will as usual be synced from Debian. But this time since we have
  a slight test delta might some action to do so.

Last relevant related stable updates: 9.5.18, 10.9, 11.4

This is out of the usual cycle for CVE: CVE-2019-10164

Standing MRE - Consider last updates as template:
- pad.lv/1637236
- pad.lv/1664478
- pad.lv/1690730
- pad.lv/1713979
- pad.lv/1730661
- pad.lv/1747676
- pad.lv/1752271
- pad.lv/1786938
- pad.lv/1815665
- pad.lv/1828012
- pad.lv/1833211

As usual we test and prep from the PPA and then push through SRU/Security as applicable.

Regression potential:
- usually this works smoothly except a few test hickups (flaky) that need to be
  clarified to be sure. Pre-checks will catch those to be discussed upfront (as last time)

Note: opening private as it is not yet announced
Public announce will on this Thursday.

CVE References

Changed in postgresql-11 (Ubuntu):
status: New → Invalid
Changed in postgresql-10 (Ubuntu Bionic):
status: New → Triaged
Changed in postgresql-9.5 (Ubuntu Xenial):
status: New → Triaged
Changed in postgresql-11 (Ubuntu Eoan):
status: Invalid → Triaged
Changed in postgresql-11 (Ubuntu Disco):
status: New → Triaged

First round of test results is in.

Xenial:
 - known forced badtest
   - bareos, gearmand, orafce, pgpool2, pgfincore, postgresql-multicorn, postgresql-plproxy
All others in Xenial are good.

The other releases have even more tests and some still run. But so far only flaky arm (archive access with apt timeout) have shown up and known badtests on those as well.
I'll give them some time to complete for Bionic/Disco ...

Bionic:
 - known forced badtest
   - diaspora-installer, pglogical

So Bionic is good as well.

Disco
 - known forced badtest
   - diaspora-installer, pglogical

Disco Mostly good as well, one flaky test left "resource-agents".
Some apt issue on Linux headers which actually is no issue, I have restarted it but it LGTM and not a real issue.

=> I think we are good to go once officially released

Steve Beattie (sbeattie) wrote :

It's not exactly clear to someone without a lot of postgresql knowledge from the bits in the release notes what the issue is exactly, but it seems like the one vulnerability addressed allows users with access to the database to allow themselves additional privileges within the database, so seem worthy of going to the security pockets.

Thanks!

Actually that is a bad test as well:
resource-agents/1:4.2.0-1ubuntu1.1/armhf

So all pre-tests are complete, waiting for the official release to happen and to be identical so we know if we have to reroll (or not).

This got released and the tarballs macth what we have prepared:
f639af0f8c3f1e470e41c8108cbdaea5836b2738cadd422135aa2a0febc8ae78 postgresql-11.5.tar.gz
524cf68de6f7840ddff312e7ed07655c064cb998a79c40a53bb2809aa3067adb postgresql-10.10.tar.gz
ebdacd12f2db1fb29ce131ae00b3245ea2160111db89b10a06bda1dc8f74a835 postgresql-9.5.19.tar.gz

Marking the bug public now that the release is out and pinging security to push it as agreed with sbeattie.

information type: Private Security → Public Security
Steve Beattie (sbeattie) on 2019-08-08
Changed in postgresql-11 (Ubuntu Disco):
assignee: nobody → Steve Beattie (sbeattie)
Changed in postgresql-9.5 (Ubuntu Xenial):
assignee: nobody → Steve Beattie (sbeattie)
Changed in postgresql-10 (Ubuntu Bionic):
assignee: nobody → Steve Beattie (sbeattie)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.5 - 9.5.19-0ubuntu0.16.04.1

---------------
postgresql-9.5 (9.5.19-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: New upstream release (LP: #1839058)
    - Require schema qualification to cast to a temporary type when using
      functional cast syntax (CVE-2019-10208)
    - Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple
      columns' types in one command. This fixes a regression introduced in the
      most recent minor releases
    - Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/9.5/static/release-9-5-19.html

 -- Christian Ehrhardt <email address hidden> Tue, 06 Aug 2019 08:54:29 +0200

Changed in postgresql-9.5 (Ubuntu Xenial):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-11 - 11.5-0ubuntu0.19.04.1

---------------
postgresql-11 (11.5-0ubuntu0.19.04.1) disco-security; urgency=medium

  * SECURITY UPDATE: New upstream release (LP: #1839058)
    - Require schema qualification to cast to a temporary type when using
      functional cast syntax (CVE-2019-10208)
    - Fix execution of hashed subplans that require cross-type comparison
    - Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple
      columns' types in one command. This fixes a regression introduced in the
      most recent minor releases
    - Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/11/static/release-11-5.html

 -- Christian Ehrhardt <email address hidden> Tue, 06 Aug 2019 08:56:03 +0200

Changed in postgresql-11 (Ubuntu Disco):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-10 - 10.10-0ubuntu0.18.04.1

---------------
postgresql-10 (10.10-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: New upstream release (LP: #1839058)
    - Require schema qualification to cast to a temporary type when using
      functional cast syntax (CVE-2019-10208)
    - Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple
      columns' types in one command. This fixes a regression introduced in the
      most recent minor releases
    - Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/10/static/release-10-10.html

 -- Christian Ehrhardt <email address hidden> Tue, 06 Aug 2019 08:55:10 +0200

Changed in postgresql-10 (Ubuntu Bionic):
status: Triaged → Fix Released
Changed in postgresql-11 (Ubuntu):
status: Triaged → Fix Released
Changed in postgresql-11 (Ubuntu Eoan):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers