New upstream microreleases 9.1.9, 8.4.17

Bug #1163184 reported by Martin Pitt on 2013-04-02
This bug affects 3 people
Affects                          Importance  Assigned to
postgresql-8.3 (Ubuntu)          Medium      Unassigned
postgresql-8.3 (Ubuntu Raring)   Medium      Unassigned
postgresql-8.4 (Ubuntu)          Undecided   Unassigned
postgresql-8.4 (Ubuntu Lucid)    Medium      Unassigned
postgresql-8.4 (Ubuntu Precise)  Undecided   Unassigned
postgresql-9.1 (Ubuntu)          Critical    Martin Pitt
postgresql-9.1 (Ubuntu Oneiric)  Undecided   Unassigned
postgresql-9.1 (Ubuntu Precise)  Undecided   Unassigned
postgresql-9.1 (Ubuntu Quantal)  Undecided   Unassigned
postgresql-9.1 (Ubuntu Raring)   Critical    Martin Pitt

Bug Description

PostgreSQL will announce new upstream microreleases in two days which include three security issues for 9.1 and one for 8.4. I'll update the description with the official announcement once it goes public. One of the 9.1 ones is a remote data corruption vulnerability, so we need to take special care to not prematurely leak this, as well as push out the updates in a timely manner.

Coordinated release time: Thursday, 2013-04-04 15:00 UTC

Martin Pitt (pitti) wrote :

I cannot add a hardy task to 8.3, so I'll misuse the raring task for the 8.3/hardy update.

no longer affects: postgresql-9.1 (Ubuntu Hardy)
no longer affects: postgresql-9.1 (Ubuntu Lucid)
Changed in postgresql-8.3 (Ubuntu Raring):
status: New → Invalid
no longer affects: postgresql-8.3 (Ubuntu Oneiric)
no longer affects: postgresql-8.3 (Ubuntu Precise)
no longer affects: postgresql-8.3 (Ubuntu Quantal)
no longer affects: postgresql-8.4 (Ubuntu Hardy)
no longer affects: postgresql-8.4 (Ubuntu Oneiric)
no longer affects: postgresql-8.4 (Ubuntu Quantal)
no longer affects: postgresql-8.4 (Ubuntu Raring)
Changed in postgresql-8.3 (Ubuntu Raring):
importance: Undecided → High
status: Invalid → In Progress
Martin Pitt (pitti) wrote :

I will sync -9.1 into raring from Debian unstable.

Changed in postgresql-9.1 (Ubuntu Raring):
assignee: nobody → Martin Pitt (pitti)
importance: Undecided → Critical
status: New → In Progress
Martin Pitt (pitti) on 2013-04-03
description: updated
Martin Pitt (pitti) wrote :

Vulnerability overview:

     - Fix insecure parsing of server command-line switches.
       A connection request containing a database name that begins with
       "-" could be crafted to damage or destroy files within the server's
       data directory, even if the request is eventually rejected.
       [CVE-2013-1899]

       Critical, affects 9.1 only.

     - Reset OpenSSL randomness state in each postmaster child process.
       This avoids a scenario wherein random numbers generated by
       "contrib/pgcrypto" functions might be relatively easy for another
       database user to guess. The risk is only significant when the
       postmaster is configured with ssl = on but most connections don't
       use SSL encryption. [CVE-2013-1900]

       Moderate, affects all versions

     - Make REPLICATION privilege checks test current user not
       authenticated user.
       An unprivileged database user could exploit this mistake to call
       pg_start_backup() or pg_stop_backup(), thus possibly interfering
       with creation of routine backups. [CVE-2013-1901]

       Moderate, affects 9.1 only

Changed in postgresql-8.3 (Ubuntu Raring):
importance: High → Medium
Changed in postgresql-8.4 (Ubuntu):
importance: Undecided → Medium
importance: Medium → Undecided
status: New → Invalid
Changed in postgresql-8.4 (Ubuntu Lucid):
importance: Undecided → Medium
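One defender-side check for the CVE-2013-1899 connection shape described above, as an added example that is neither PostgreSQL's nor the Ubuntu package's code: a decoder for the v3 StartupMessage that flags startup parameter values beginning with "-", suitable for a connection proxy or IDS. The sample packets are constructed inline; the helper names are this example's own.

```python
"""Decode a PostgreSQL v3 StartupMessage and flag parameter values that
begin with "-", the connection-request shape behind CVE-2013-1899.
Added example, not PostgreSQL code; feed it packets captured at a proxy
or from a pcap, or the constructed samples at the bottom."""
import struct

PROTOCOL_V3 = (3 << 16) | 0      # protocol version 3.0 == 196608
SSL_REQUEST_CODE = 80877103      # SSLRequest: client asks to start TLS first


def build_startup_message(params: dict) -> bytes:
    """Encode params the way a client does: Int32 length (self-inclusive),
    Int32 version, NUL-terminated name/value pairs, then a closing NUL."""
    body = b"".join(k.encode() + b"\0" + v.encode() + b"\0" for k, v in params.items())
    body += b"\0"
    return struct.pack("!II", 8 + len(body), PROTOCOL_V3) + body


def parse_startup_message(data: bytes) -> dict:
    """Return {"version": int, "params": {...}, "ssl_request": bool}.
    Anything malformed raises ValueError instead of being guessed at."""
    if len(data) < 8:
        raise ValueError("shorter than the 8-byte fixed header")
    length, version = struct.unpack("!II", data[:8])
    if length != len(data):
        raise ValueError(f"length field {length} != packet size {len(data)}")
    if version == SSL_REQUEST_CODE:
        return {"version": version, "params": {}, "ssl_request": True}
    if version != PROTOCOL_V3:
        raise ValueError(f"unsupported protocol version {version:#x}")
    body = data[8:]
    if body == b"\0":                      # no parameters at all
        return {"version": version, "params": {}, "ssl_request": False}
    if not body.endswith(b"\0\0"):         # last value NUL + list terminator NUL
        raise ValueError("parameter list not NUL-terminated")
    fields = body[:-2].split(b"\0")
    if len(fields) % 2:
        raise ValueError("odd number of name/value strings")
    params = {}
    for i in range(0, len(fields), 2):
        params[fields[i].decode("utf-8", "replace")] = fields[i + 1].decode("utf-8", "replace")
    return {"version": version, "params": params, "ssl_request": False}


def dash_prefixed_parameters(params: dict) -> list:
    """Names of startup parameters whose value starts with '-'.
    Servers before 9.1.9 passed such a database name through switch parsing
    (CVE-2013-1899); a proxy can log or refuse the request on this shape
    alone, whatever the server behind it would do with it."""
    return sorted(k for k, v in params.items() if v.startswith("-"))


# Constructed samples: a normal request and one with a dash-prefixed dbname.
NORMAL = build_startup_message({"user": "app", "database": "app"})
SUSPICIOUS = build_startup_message({"user": "app", "database": "-bogus"})

if __name__ == "__main__":
    for pkt in (NORMAL, SUSPICIOUS):
        info = parse_startup_message(pkt)
        print(info["params"], "flagged:", dash_prefixed_parameters(info["params"]))
```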
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-8.4 - 8.4.17-0ubuntu10.04

---------------
postgresql-8.4 (8.4.17-0ubuntu10.04) lucid-security; urgency=low

  * New upstream security/bug fix release: (LP: #1163184)
    - Reset OpenSSL randomness state in each postmaster child process.
      This avoids a scenario wherein random numbers generated by
      "contrib/pgcrypto" functions might be relatively easy for another
      database user to guess. The risk is only significant when the
      postmaster is configured with ssl = on but most connections don't
      use SSL encryption. [CVE-2013-1900]
    - Fix GiST indexes to not use "fuzzy" geometric comparisons when it's
      not appropriate to do so.
      The core geometric types perform comparisons using "fuzzy"
      equality, but gist_box_same must do exact comparisons, else GiST
      indexes using it might become inconsistent. After installing this
      update, users should "REINDEX" any GiST indexes on box, polygon,
      circle, or point columns, since all of these use gist_box_same.
    - Fix erroneous range-union and penalty logic in GiST indexes that
      use "contrib/btree_gist" for variable-width data types, that is
      text, bytea, bit, and numeric columns.
      These errors could result in inconsistent indexes in which some
      keys that are present would not be found by searches, and also in
      useless index bloat. Users are advised to "REINDEX" such indexes
      after installing this update.
    - Fix bugs in GiST page splitting code for multi-column indexes.
      These errors could result in inconsistent indexes in which some
      keys that are present would not be found by searches, and also in
      indexes that are unnecessarily inefficient to search. Users are
      advised to "REINDEX" multi-column GiST indexes after installing
      this update.
    - See HISTORY/changelog.gz for the other bug fixes.
 -- Martin Pitt <email address hidden> Tue, 02 Apr 2013 12:31:54 +0200

Changed in postgresql-8.4 (Ubuntu Lucid):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.1 - 9.1.9-0ubuntu11.10

---------------
postgresql-9.1 (9.1.9-0ubuntu11.10) oneiric-security; urgency=low

  * New upstream security/bug fix release: (LP: #1163184)
    - Fix insecure parsing of server command-line switches.
      A connection request containing a database name that begins with
      "-" could be crafted to damage or destroy files within the server's
      data directory, even if the request is eventually rejected.
      [CVE-2013-1899]
    - Reset OpenSSL randomness state in each postmaster child process.
      This avoids a scenario wherein random numbers generated by
      "contrib/pgcrypto" functions might be relatively easy for another
      database user to guess. The risk is only significant when the
      postmaster is configured with ssl = on but most connections don't
      use SSL encryption. [CVE-2013-1900]
    - Make REPLICATION privilege checks test current user not
      authenticated user.
      An unprivileged database user could exploit this mistake to call
      pg_start_backup() or pg_stop_backup(), thus possibly interfering
      with creation of routine backups. [CVE-2013-1901]
    - Fix GiST indexes to not use "fuzzy" geometric comparisons when it's
      not appropriate to do so.
      The core geometric types perform comparisons using "fuzzy"
      equality, but gist_box_same must do exact comparisons, else GiST
      indexes using it might become inconsistent. After installing this
      update, users should "REINDEX" any GiST indexes on box, polygon,
      circle, or point columns, since all of these use gist_box_same.
    - Fix erroneous range-union and penalty logic in GiST indexes that
      use "contrib/btree_gist" for variable-width data types, that is
      text, bytea, bit, and numeric columns.
      These errors could result in inconsistent indexes in which some
      keys that are present would not be found by searches, and also in
      useless index bloat. Users are advised to "REINDEX" such indexes
      after installing this update.
    - Fix bugs in GiST page splitting code for multi-column indexes.
      These errors could result in inconsistent indexes in which some
      keys that are present would not be found by searches, and also in
      indexes that are unnecessarily inefficient to search. Users are
      advised to "REINDEX" multi-column GiST indexes after installing
      this update.
    - See HISTORY/changelog.gz for details about the other bug fixes.
 -- Martin Pitt <email address hidden> Tue, 02 Apr 2013 12:24:32 +0200

Changed in postgresql-9.1 (Ubuntu Oneiric):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.1 - 9.1.9-0ubuntu12.04

---------------
postgresql-9.1 (9.1.9-0ubuntu12.04) precise-security; urgency=low

  * New upstream security/bug fix release: (LP: #1163184)
    - Fix insecure parsing of server command-line switches.
      A connection request containing a database name that begins with
      "-" could be crafted to damage or destroy files within the server's
      data directory, even if the request is eventually rejected.
      [CVE-2013-1899]
    - Reset OpenSSL randomness state in each postmaster child process.
      This avoids a scenario wherein random numbers generated by
      "contrib/pgcrypto" functions might be relatively easy for another
      database user to guess. The risk is only significant when the
      postmaster is configured with ssl = on but most connections don't
      use SSL encryption. [CVE-2013-1900]
    - Make REPLICATION privilege checks test current user not
      authenticated user.
      An unprivileged database user could exploit this mistake to call
      pg_start_backup() or pg_stop_backup(), thus possibly interfering
      with creation of routine backups. [CVE-2013-1901]
    - Fix GiST indexes to not use "fuzzy" geometric comparisons when it's
      not appropriate to do so.
      The core geometric types perform comparisons using "fuzzy"
      equality, but gist_box_same must do exact comparisons, else GiST
      indexes using it might become inconsistent. After installing this
      update, users should "REINDEX" any GiST indexes on box, polygon,
      circle, or point columns, since all of these use gist_box_same.
    - Fix erroneous range-union and penalty logic in GiST indexes that
      use "contrib/btree_gist" for variable-width data types, that is
      text, bytea, bit, and numeric columns.
      These errors could result in inconsistent indexes in which some
      keys that are present would not be found by searches, and also in
      useless index bloat. Users are advised to "REINDEX" such indexes
      after installing this update.
    - Fix bugs in GiST page splitting code for multi-column indexes.
      These errors could result in inconsistent indexes in which some
      keys that are present would not be found by searches, and also in
      indexes that are unnecessarily inefficient to search. Users are
      advised to "REINDEX" multi-column GiST indexes after installing
      this update.
    - See HISTORY/changelog.gz for details about the other bug fixes.
 -- Martin Pitt <email address hidden> Tue, 02 Apr 2013 11:59:41 +0200

Changed in postgresql-9.1 (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.1 - 9.1.9-0ubuntu12.10

---------------
postgresql-9.1 (9.1.9-0ubuntu12.10) quantal-security; urgency=low

  * New upstream security/bug fix release: (LP: #1163184)
    - Fix insecure parsing of server command-line switches.
      A connection request containing a database name that begins with
      "-" could be crafted to damage or destroy files within the server's
      data directory, even if the request is eventually rejected.
      [CVE-2013-1899]
    - Reset OpenSSL randomness state in each postmaster child process.
      This avoids a scenario wherein random numbers generated by
      "contrib/pgcrypto" functions might be relatively easy for another
      database user to guess. The risk is only significant when the
      postmaster is configured with ssl = on but most connections don't
      use SSL encryption. [CVE-2013-1900]
    - Make REPLICATION privilege checks test current user not
      authenticated user.
      An unprivileged database user could exploit this mistake to call
      pg_start_backup() or pg_stop_backup(), thus possibly interfering
      with creation of routine backups. [CVE-2013-1901]
    - Fix GiST indexes to not use "fuzzy" geometric comparisons when it's
      not appropriate to do so.
      The core geometric types perform comparisons using "fuzzy"
      equality, but gist_box_same must do exact comparisons, else GiST
      indexes using it might become inconsistent. After installing this
      update, users should "REINDEX" any GiST indexes on box, polygon,
      circle, or point columns, since all of these use gist_box_same.
    - Fix erroneous range-union and penalty logic in GiST indexes that
      use "contrib/btree_gist" for variable-width data types, that is
      text, bytea, bit, and numeric columns.
      These errors could result in inconsistent indexes in which some
      keys that are present would not be found by searches, and also in
      useless index bloat. Users are advised to "REINDEX" such indexes
      after installing this update.
    - Fix bugs in GiST page splitting code for multi-column indexes.
      These errors could result in inconsistent indexes in which some
      keys that are present would not be found by searches, and also in
      indexes that are unnecessarily inefficient to search. Users are
      advised to "REINDEX" multi-column GiST indexes after installing
      this update.
    - See HISTORY/changelog.gz for details about the other bug fixes.
 -- Martin Pitt <email address hidden> Tue, 02 Apr 2013 11:52:28 +0200

Changed in postgresql-9.1 (Ubuntu Quantal):
status: New → Fix Released
Martin Pitt (pitti) wrote :

It's public now: http://www.postgresql.org/about/news/1456/

Making bug public.

Changed in postgresql-8.3 (Ubuntu Raring):
status: In Progress → Fix Released
information type: Private Security → Public
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in postgresql-8.4 (Ubuntu Precise):
status: New → Confirmed
Niko Ehrenfeuchter (he1ix) wrote :

I don't see why the urgency is set to "low" here. The news entry on the PostgreSQL website states clearly "All users of the affected versions are strongly urged to apply the update *immediately*."
And the definition of "urgency" in the Debian policies (unfortunately I haven't been able to find something corresponding on ubuntu.com) is rather clear as well: http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Urgency

Martin Pitt (pitti) wrote :

Niko, the urgency field in changelogs is not being used in Ubuntu. The Debian uploads do use "high".

Changed in postgresql-9.1 (Ubuntu Raring):
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote :

postgresql-8.4 (8.4.17-0ubuntu10.04) lucid-security; urgency=low

  * New upstream security/bug fix release: (LP: #1163184)
    - Reset OpenSSL randomness state in each postmaster child process.
      This avoids a scenario wherein random numbers generated by
      "contrib/pgcrypto" functions might be relatively easy for another
      database user to guess. The risk is only significant when the
      postmaster is configured with ssl = on but most connections don't
      use SSL encryption. [CVE-2013-1900]
    - Fix GiST indexes to not use "fuzzy" geometric comparisons when it's
      not appropriate to do so.
      The core geometric types perform comparisons using "fuzzy"
      equality, but gist_box_same must do exact comparisons, else GiST
      indexes using it might become inconsistent. After installing this
      update, users should "REINDEX" any GiST indexes on box, polygon,
      circle, or point columns, since all of these use gist_box_same.
    - Fix erroneous range-union and penalty logic in GiST indexes that
      use "contrib/btree_gist" for variable-width data types, that is
      text, bytea, bit, and numeric columns.
      These errors could result in inconsistent indexes in which some
      keys that are present would not be found by searches, and also in
      useless index bloat. Users are advised to "REINDEX" such indexes
      after installing this update.
    - Fix bugs in GiST page splitting code for multi-column indexes.
      These errors could result in inconsistent indexes in which some
      keys that are present would not be found by searches, and also in
      indexes that are unnecessarily inefficient to search. Users are
      advised to "REINDEX" multi-column GiST indexes after installing
      this update.
    - See HISTORY/changelog.gz for the other bug fixes.
 -- Martin Pitt <email address hidden> Tue, 02 Apr 2013 12:31:54 +0200

Changed in postgresql-8.4 (Ubuntu Precise):
status: Confirmed → Fix Released
Niko Ehrenfeuchter (he1ix) wrote :

Alright, thanks for the clarification Martin. I'm still used to my old Debian world ;)
Thanks for having the updated packages ready by now. How long do you expect to take them until they hit the repositories?

Niko Ehrenfeuchter [2013-04-04 14:33 -0000]:
> How long do you expect to take them until they hit the repositories?

About an hour ago :-) (except for raring, which will still take half
an hour or so to finish building and publishing)

Alan Rosenthal (flaps) wrote :

Is there going to be an 8.4.17-0ubuntu12.04? Thanks.

Marc Deslauriers (mdeslaur) wrote :

Alan,

Yes, it is currently building and will be released shortly.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.1 - 9.1.9-1ubuntu1

---------------
postgresql-9.1 (9.1.9-1ubuntu1) raring; urgency=low

  * Merge with Debian unstable. (LP: #1163184) Remaining Ubuntu changes:
    - debian/rules: Configure for the Tcl/Tk 8.5 multiarch installation.

postgresql-9.1 (9.1.9-1) unstable; urgency=high

  * Urgency high because of critical remote data destruction vulnerability.
  * New upstream security/bug fix release:
    - Fix insecure parsing of server command-line switches.
      A connection request containing a database name that begins with
      "-" could be crafted to damage or destroy files within the server's
      data directory, even if the request is eventually rejected.
      [CVE-2013-1899] (Closes: #704479)
    - Reset OpenSSL randomness state in each postmaster child process.
      This avoids a scenario wherein random numbers generated by
      "contrib/pgcrypto" functions might be relatively easy for another
      database user to guess. The risk is only significant when the
      postmaster is configured with ssl = on but most connections don't
      use SSL encryption. [CVE-2013-1900]
    - Make REPLICATION privilege checks test current user not
      authenticated user.
      An unprivileged database user could exploit this mistake to call
      pg_start_backup() or pg_stop_backup(), thus possibly interfering
      with creation of routine backups. [CVE-2013-1901]
    - Fix GiST indexes to not use "fuzzy" geometric comparisons when it's
      not appropriate to do so.
      The core geometric types perform comparisons using "fuzzy"
      equality, but gist_box_same must do exact comparisons, else GiST
      indexes using it might become inconsistent. After installing this
      update, users should "REINDEX" any GiST indexes on box, polygon,
      circle, or point columns, since all of these use gist_box_same.
    - Fix erroneous range-union and penalty logic in GiST indexes that
      use "contrib/btree_gist" for variable-width data types, that is
      text, bytea, bit, and numeric columns.
      These errors could result in inconsistent indexes in which some
      keys that are present would not be found by searches, and also in
      useless index bloat. Users are advised to "REINDEX" such indexes
      after installing this update.
    - Fix bugs in GiST page splitting code for multi-column indexes.
      These errors could result in inconsistent indexes in which some
      keys that are present would not be found by searches, and also in
      indexes that are unnecessarily inefficient to search. Users are
      advised to "REINDEX" multi-column GiST indexes after installing
      this update.
    - See HISTORY/changelog.gz for details about the other bug fixes.
  * Bump Standards-Version to 3.9.4 (no changes necessary).
 -- Martin Pitt <email address hidden> Thu, 04 Apr 2013 16:01:02 +0200

Changed in postgresql-9.1 (Ubuntu Raring):
status: Fix Committed → Fix Released