New upstream microreleases 9.5.19 10.10 and 11.5
| Affects | Status | Importance | Assigned to | Milestone | ||
|---|---|---|---|---|---|---|
| postgresql-10 (Ubuntu) | ||||||
| | Bionic |
Undecided
|
Steve Beattie | |||
| | postgresql-11 (Ubuntu) |
Undecided
|
Unassigned | |||
| | Disco |
Undecided
|
Steve Beattie | |||
| | Eoan |
Undecided
|
Unassigned | |||
| postgresql-9.5 (Ubuntu) | ||||||
| | Xenial |
Undecided
|
Steve Beattie | |||
Bug Description
[Impact]
* MRE for latest stable fixes of Postgres.
[Test Case]
* The Postgres MREs traditionally rely on the large pack of autopkgtests
to run for verification. In a PPA those are all already pre-checked to
be good for this upload.
[Regression Potential]
* Upstreams tests are usually great and also in the Archive there are
plenty of autopkgtests that in the past catched issues before released.
But never the less
[Other Info]
* This is a reoccurring MRE, see below and all the references
---
Current versions in supported releases:
postgresql-9.5 | 9.5.18-
postgresql-10 | 10.9-0ubuntu0.
postgresql-10 | 10.9-0ubuntu0.
postgresql-11 | 11.4-0ubuntu0.
postgresql-11 | 11.4-1.1~ubuntu1 eoan
Special cases:
- Eoan will as usual be synced from Debian. But this time since we have
a slight test delta might some action to do so.
Last relevant related stable updates: 9.5.18, 10.9, 11.4
This is out of the usual cycle for CVE: CVE-2019-10164
Standing MRE - Consider last updates as template:
- pad.lv/1637236
- pad.lv/1664478
- pad.lv/1690730
- pad.lv/1713979
- pad.lv/1730661
- pad.lv/1747676
- pad.lv/1752271
- pad.lv/1786938
- pad.lv/1815665
- pad.lv/1828012
- pad.lv/1833211
As usual we test and prep from the PPA and then push through SRU/Security as applicable.
Regression potential:
- usually this works smoothly except a few test hickups (flaky) that need to be
clarified to be sure. Pre-checks will catch those to be discussed upfront (as last time)
Note: opening private as it is not yet announced
Public announce will on this Thursday.
CVE References
| Changed in postgresql-11 (Ubuntu): | |
| status: | New → Invalid |
| Changed in postgresql-10 (Ubuntu Bionic): | |
| status: | New → Triaged |
| Changed in postgresql-9.5 (Ubuntu Xenial): | |
| status: | New → Triaged |
| Changed in postgresql-11 (Ubuntu Eoan): | |
| status: | Invalid → Triaged |
| Changed in postgresql-11 (Ubuntu Disco): | |
| status: | New → Triaged |
| Christian Ehrhardt (paelzer) wrote : | #1 |
| Christian Ehrhardt (paelzer) wrote : | #2 |
First round of test results is in.
Xenial:
- known forced badtest
- bareos, gearmand, orafce, pgpool2, pgfincore, postgresql-
All others in Xenial are good.
The other releases have even more tests and some still run. But so far only flaky arm (archive access with apt timeout) have shown up and known badtests on those as well.
I'll give them some time to complete for Bionic/Disco ...
| Christian Ehrhardt (paelzer) wrote : | #3 |
Merge Proposals:
X: https:/
B: https:/
D: https:/
| Christian Ehrhardt (paelzer) wrote : | #4 |
Bionic:
- known forced badtest
- diaspora-installer, pglogical
So Bionic is good as well.
Disco
- known forced badtest
- diaspora-installer, pglogical
Disco Mostly good as well, one flaky test left "resource-agents".
Some apt issue on Linux headers which actually is no issue, I have restarted it but it LGTM and not a real issue.
=> I think we are good to go once officially released
| Steve Beattie (sbeattie) wrote : | #5 |
It's not exactly clear to someone without a lot of postgresql knowledge from the bits in the release notes what the issue is exactly, but it seems like the one vulnerability addressed allows users with access to the database to allow themselves additional privileges within the database, so seem worthy of going to the security pockets.
Thanks!
| Christian Ehrhardt (paelzer) wrote : | #6 |
Actually that is a bad test as well:
resource-
So all pre-tests are complete, waiting for the official release to happen and to be identical so we know if we have to reroll (or not).
| Christian Ehrhardt (paelzer) wrote : | #7 |
This got released and the tarballs macth what we have prepared:
f639af0f8c3f1e4
524cf68de6f7840
ebdacd12f2db1fb
Marking the bug public now that the release is out and pinging security to push it as agreed with sbeattie.
| information type: | Private Security → Public Security |
| Changed in postgresql-11 (Ubuntu Disco): | |
| assignee: | nobody → Steve Beattie (sbeattie) |
| Changed in postgresql-9.5 (Ubuntu Xenial): | |
| assignee: | nobody → Steve Beattie (sbeattie) |
| Changed in postgresql-10 (Ubuntu Bionic): | |
| assignee: | nobody → Steve Beattie (sbeattie) |
| Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package postgresql-9.5 - 9.5.19-
---------------
postgresql-9.5 (9.5.19-
* SECURITY UPDATE: New upstream release (LP: #1839058)
- Require schema qualification to cast to a temporary type when using
functional cast syntax (CVE-2019-10208)
- Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple
columns' types in one command. This fixes a regression introduced in the
most recent minor releases
- Details about these and many further changes can be found at:
https:/
-- Christian Ehrhardt <email address hidden> Tue, 06 Aug 2019 08:54:29 +0200
| Changed in postgresql-9.5 (Ubuntu Xenial): | |
| status: | Triaged → Fix Released |
| Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package postgresql-11 - 11.5-0ubuntu0.
---------------
postgresql-11 (11.5-0ubuntu0.
* SECURITY UPDATE: New upstream release (LP: #1839058)
- Require schema qualification to cast to a temporary type when using
functional cast syntax (CVE-2019-10208)
- Fix execution of hashed subplans that require cross-type comparison
- Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple
columns' types in one command. This fixes a regression introduced in the
most recent minor releases
- Details about these and many further changes can be found at:
https:/
-- Christian Ehrhardt <email address hidden> Tue, 06 Aug 2019 08:56:03 +0200
| Changed in postgresql-11 (Ubuntu Disco): | |
| status: | Triaged → Fix Released |
| Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package postgresql-10 - 10.10-0ubuntu0.
---------------
postgresql-10 (10.10-
* SECURITY UPDATE: New upstream release (LP: #1839058)
- Require schema qualification to cast to a temporary type when using
functional cast syntax (CVE-2019-10208)
- Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple
columns' types in one command. This fixes a regression introduced in the
most recent minor releases
- Details about these and many further changes can be found at:
https:/
-- Christian Ehrhardt <email address hidden> Tue, 06 Aug 2019 08:55:10 +0200
| Changed in postgresql-10 (Ubuntu Bionic): | |
| status: | Triaged → Fix Released |
Started builds for pre-tests in Bileto Tickets
X: https:/
B: https:/
D: https:/