Univention Bugzilla – Bug 52400
postgresql-9.6: Multiple issues (4.4)
Last modified: 2020-11-25 12:08:10 CET
According to https://www.cert-bund.de/advisoryshort/CB-K20-1121%20UPDATE%201 the version of PostgreSQL we currently use (as of 2020-11-19) has several security flaws. An update (or backport) to version v9.6.19 should fix the issue.
Thanks for asking, this should happen automatically; looks like something got stuck in the process. Debian package postgresql-9.6 version 9.6.19-0+deb9u1 has been built since August in errata4.4-5, but there doesn't seem to be a bug yet for it which tracks the QA and release process. I'll poke around.
http://xen1.knut.univention.de:8000/packages/source/postgresql-9.6/
OTOH, for the specific issues listed, Debian has no update yet for that source package:
https://security-tracker.debian.org/tracker/CVE-2020-25694
https://security-tracker.debian.org/tracker/CVE-2020-25695
https://security-tracker.debian.org/tracker/CVE-2020-25696
FYI: security tagged bugs should have the CVSS field set.
FYI: Criteria for Waiting Support flag not fulfilled, see https://hutten.knut.univention.de/mediawiki/index.php/Priorisierung_in_der_Entwicklung#Waiting_Support
It's unclear why the latest postgresql-9.6 package was imported but no bug was opened. I removed the imported package and will check the next import report.
UCS 4.4-5 is out of maintenance since 2020-11-03. Does the customer have extended security support?
https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/
The issue was made public on November 12th. Debian stretch-lts still has 9.6.19-0+deb9u1 while the fix is in 9.6.20. To me it is not transparent when the fix will be made for stretch-lts in Debian. Let's discuss the priority internally.
I've packaged 9.6.20 from the upstream git tag:
============
git clone https://git.postgresql.org/git/postgresql.git postgresql-git
cd postgresql-git
git archive --format=tar --output=../postgresql-9.6.20.tar REL9_6_20
cd ..  ## back to the parent directory, where the tarball was written
bzip2 postgresql-9.6.20.tar
dget http://security.debian.org/debian-security/pool/updates/main/p/postgresql-9.6/postgresql-9.6_9.6.19-0+deb9u1.dsc
cd postgresql-9.6-9.6.19
uupdate ../postgresql-9.6.20.tar.bz2
cd ../postgresql-9.6-9.6.20
vim debian/changelog  ## adjust version number
dpkg-buildpackage -S -d
cd ..
repo_admin -F -p postgresql-9.6 -P postgresql-9.6_9.6.20-0.dsc -r 4.4 -s errata4.4-6
=============
But the build currently fails after successful compile in debian/rules override_dh_auto_test-arch:
==============
initializing database system
==============
pg_regress: initdb failed
Examine /var/build/temp/tmp.NkTvZSZQER/postgresql-9.6-9.6.20/build/src/test/regress/log/initdb.log for the reason.
Command was: "initdb" -D "/var/build/temp/tmp.NkTvZSZQER/postgresql-9.6-9.6.20/build/src/test/regress/./tmp_check/data" --noclean --nosync > "/var/build/temp/tmp.NkTvZSZQER/postgresql-9.6-9.6.20/build/src/test/regress/log/initdb.log" 2>&1
GNUmakefile:130: recipe for target 'check' failed
make[2]: *** [check] Error 2
0ae18f2dcb | Advisory draft
I took inspiration from https://salsa.debian.org/postgresql/postgresql/-/tree/9.6 which already has a changelog and an adjusted debian/rules to show more log output. Still it fails due to some trivial issue:
******** build/src/test/regress/log/initdb.log ********
Running in noclean mode. Mistakes will not be cleaned up.
The files belonging to this database system will be owned by user "pbuser".
This user must also own the server process.
initdb: invalid locale settings; check LANG and LC_* environment variables
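The build failure quoted above is initdb aborting because the build chroot exports a LANG or LC_* value that names no installed locale. The following is an added example, not code from the bug report or from the Univention or Debian packaging: a POSIX shell helper that checks the current LANG/LC_* values against the installed locales and picks one that exists (the requested one, else C.UTF-8 or C.utf8, else plain C) before initdb is started. The function names, the constructed fallback locale list and the wrapper usage at the end are assumptions.

```shell
#!/bin/sh
# Added example: pick a locale that is actually installed so that initdb
# does not fail with "invalid locale settings" in a build chroot.

# Print installed locales, one per line. Where locale(1) is missing,
# fall back to a constructed minimal list (C and POSIX always exist).
available_locales() {
    if command -v locale >/dev/null 2>&1; then
        locale -a 2>/dev/null
    else
        printf 'C\nPOSIX\n'
    fi
}

# pick_locale WANTED LIST: print WANTED if the newline-separated LIST
# contains it, else a UTF-8 spelling of C if installed, else plain C.
pick_locale() {
    wanted=$1
    list=$2
    for cand in "$wanted" C.UTF-8 C.utf8 C; do
        if printf '%s\n' "$list" | grep -qxF -- "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    # Every POSIX system provides the C locale.
    printf 'C\n'
}

# check_env_locale: return 0 if every set LANG/LC_* value is an installed
# locale, otherwise warn on stderr for each bad value and return 1.
check_env_locale() {
    list=$(available_locales)
    rc=0
    for var in LANG LC_ALL LC_CTYPE LC_COLLATE; do
        eval val=\${$var:-}
        if [ -n "$val" ] && ! printf '%s\n' "$list" | grep -qxF -- "$val"; then
            echo "warning: $var=$val is not an installed locale" >&2
            rc=1
        fi
    done
    return $rc
}

# Hypothetical wrapper usage before the regress suite runs:
#   export LC_ALL=$(pick_locale "${LANG:-C}" "$(available_locales)")
#   initdb -D ./tmp_check/data --noclean --nosync
chosen=$(pick_locale "${LANG:-C}" "$(available_locales)")
echo "initdb would run with LC_ALL=$chosen"
```

Running check_env_locale in the chroot before dpkg-buildpackage makes the problem visible in the build log instead of in the regress log that pg_regress points at; exporting LC_ALL from pick_locale is the corresponding fix for the chroot setup, not for the package itself.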
89e0cf3fcc | Advisory update
Package: postgresql-9.6
Version: 9.6.20-0A~4.4.0.202011211523
Branch: ucs_4.4-0
OK: postgres 9.6.20
OK: tested with apps nextcloud, dashboard, pkgdb
OK~: release for errata4.4-5 as requested, yaml update is at git 7bf8ade7
Verified
<https://errata.software-univention.de/#/?erratum=4.4x817>