Bug 157366
Summary: | CAN-2005-1409, CAN-2005-1410 Multiple postgresql issues | | |
---|---|---|---|
Product: | [Retired] Fedora Legacy | Reporter: | Marc Deslauriers <marc.deslauriers> |
Component: | postgresql | Assignee: | Fedora Legacy Bugs <bugs> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | pekkas, tseaver |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | LEGACY, rh90, 1, 2 | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2006-02-28 00:53:55 UTC | Type: | --- |
Description
Marc Deslauriers
2005-05-10 22:39:34 UTC
*** Bug 157367 has been marked as a duplicate of this bug. ***

*** Bug 157368 has been marked as a duplicate of this bug. ***

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated postgresql packages to QA for rh9, fc1 and fc2.
rh73 and fc3 are not affected.

a7b65953b98935e35b88f299744225a9b2aea0f9 9/postgresql-7.3.10-0.90.1.legacy.src.rpm
0adca4edf71b2380fff90afeaeea08e5349ae31c 1/postgresql-7.3.10-1.1.legacy.src.rpm
f7e2dff75d37e96ed559219db5c02b548e06a9e4 2/postgresql-7.4.8-1.FC2.1.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/postgresql-7.3.10-0.90.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/postgresql-7.3.10-1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/postgresql-7.4.8-1.FC2.1.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD7sEaLMAs/0C4zNoRAlPaAKCM4S6oRKvpfSFVH6ztL6klKtDO0gCZAcS9
jzKj3XcZ3lzd2F+SDnDFHU0=
=tCs5
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh
- source integrity OK
- spec file changes minimal (either to previous, or compared to RHEL)

comments:
- FC1 and FC2 were updated to match RHEL3 and RHEL4, respectively, so it's OK. Was there a specific reason not to update RHL9 to match RHEL3?
- you forgot to add "legacy" in the FC2 package name

In any case, the first issue is not blocking and the second can be fixed at build time.

+PUBLISH RHL9, FC1, FC2

a7b65953b98935e35b88f299744225a9b2aea0f9 postgresql-7.3.10-0.90.1.legacy.src.rpm
0adca4edf71b2380fff90afeaeea08e5349ae31c postgresql-7.3.10-1.1.legacy.src.rpm
f7e2dff75d37e96ed559219db5c02b548e06a9e4 postgresql-7.4.8-1.FC2.1.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFD743yGHbTkzxSL7QRAsyNAKC4bi+tGucS2JZZxO9FzXdP+qo15QCgmDAX
G395Mm2MTz3qgwnVhzxHjmo=
=87xG
-----END PGP SIGNATURE-----

Thanks for the QA. The RHL9 postgres package is substantially different from the RHEL and FC packages. It uses a different JDBC driver, among other things. I'm afraid changing it to the RHEL package will break things.

Packages were pushed to updates-testing

New policy: automatic accept after two weeks if no negative feedback.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Re: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157366

System: Fedora Core 1

Packages tested:
- postgresql
- postgresql-devel
- postgresql-libs
- postgresql-server

1. Verify the GPG signature and the SHA1 checksum of the package.

$ cd /var/cache/yum/updates-testing/packages
$ sha1sum *.rpm
de59e42459e24cd8846fbd6d765bc892d621a0dc \
  postgresql-7.3.10-1.1.legacy.i386.rpm
39a6163dffc299ba088f8f71c0393fca08648ae9 \
  postgresql-devel-7.3.10-1.1.legacy.i386.rpm
421fc09afacbeb0e6773a8c2c1dd2ebb45406fd9 \
  postgresql-libs-7.3.10-1.1.legacy.i386.rpm
71c2abb0a89a19fa88eaa3a22048062ea4d938f3 \
  postgresql-server-7.3.10-1.1.legacy.i386.rpm

These checksums match those published in the notification sent to the legacy list.

$ rpm --checksig postgresql-*.rpm
postgresql-7.3.10-1.1.legacy.i386.rpm: \
  (sha1) dsa sha1 md5 gpg OK
postgresql-devel-7.3.10-1.1.legacy.i386.rpm: \
  (sha1) dsa sha1 md5 gpg OK
postgresql-libs-7.3.10-1.1.legacy.i386.rpm: \
  (sha1) dsa sha1 md5 gpg OK
postgresql-server-7.3.10-1.1.legacy.i386.rpm: \
  (sha1) dsa sha1 md5 gpg OK

2. Could you install or update the package without problems?

The packages listed installed cleanly via yum from updates-testing.

3. Could you use the package, as appropriate for the package, without problems?

Yes. The timesheet application I use on this host, which is backed against postgresql, continued to work after the update.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD8qqD+gerLs4ltQ4RAgDDAKDSbzTYU5rpSX4+SqC2Br+5wFoziwCfQq9Q
/73ZWLhZGfAgK1xZ9oeM6T8=
=qC5V
-----END PGP SIGNATURE-----

Great! Thanks for the test!

Thanks, Tres, for testing! :)

Sigh, this just appeared today: CVE-2006-0553. Do we respin now or wait until later (e.g., after RHEL has released an update)?

The writeup[1] says:

PostgreSQL minor version 8.1.3 has been released, containing a patch for a serious security issue present in the 8.1 branch. All users of 8.1 are urged to upgrade at the earliest opportunity.

Minor versions 8.0.7, 7.4.12, and 7.3.14 are being released at the same time. These contain only minor bug fixes to the 8.0, 7.4 and 7.3 versions and can be upgraded on a more planned schedule, unless of course you are encountering one of the bugs described.

The security issue in 8.1.x allows an authenticated database user to escalate his ROLE privileges by exploiting knowledge of the backend protocol. While there are no known exploits in the wild for this, users are urged not to wait until they encounter one.

8.1.3 also contains a number of other bug fixes, most of them for very specific (rare) database configurations and schema issues, but including a number of crash fixes. Notable also is a fix to the TSearch2 GiST index generation code which will significantly speed up creation of TSearch2 indexes. See the release notes for more detail.

I would say that we can defer picking up those fixes, as no legacy release is using 8.1.x.

[1] http://archives.postgresql.org/pgsql-announce/2006-02/msg00008.php

Timeout over. Packages were released.