New upstream microreleases 10.18 12.8 13.4

Bug #1939396 reported by Christian Ehrhardt 
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
postgresql-10 (Ubuntu)
Bionic
Fix Released
Undecided
Unassigned
postgresql-12 (Ubuntu)
Invalid
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned
postgresql-13 (Ubuntu)
Hirsute
Fix Released
Undecided
Unassigned
Impish
Fix Committed
Undecided
Unassigned

Bug Description

[Impact]

 * MRE for latest stable fixes of Postgres released on May 2021

[Test Case]

 * The Postgres MREs traditionally rely on the large set of autopkgtests
   to run for verification. In a PPA those are all already pre-checked to
   be good for this upload.

[Regression Potential]

 * Upstreams tests are usually great and in additon in the Archive there
   are plenty of autopkgtests that in the past catched issues before being
   released.
   But never the less there always is a risk for something to break. Since
   these are general stable releases I can't pinpoint them to a most-likely
   area.
   - usually this works smoothly except a few test hickups (flaky) that need to be
     clarified to be sure. Pre-checks will catch those to be discussed upfront (as last time)

[Other Info]

 * This is a reoccurring MRE, see below and all the references
 * CVEs this time
   - CVE-2021-3677 (v13)
   - Fix related to CVE-2021-3449 (v10, v12, v13)
     - while being an openssl issue it affects derived programs
       built against 1.1.0h and newer which translates into >=bionic
       thereby (v10, v12, v13)
   - related to CVE-2006-2313 (v10, v12, v13)
     - this is only "similar" but not the same so the changelog
       will not reference it

---

Current versions in supported releases that got updates:

 postgresql-13 | 13.3-1build1 | impish | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
 postgresql-13 | 13.3-0ubuntu0.21.04.1 | hirsute-updates | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
 postgresql-12 | 12.7-0ubuntu0.20.04.1 | focal-updates | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
 postgresql-10 | 10.17-0ubuntu0.18.04.1 | bionic-updates | source, amd64, arm64, armhf, i386, ppc64el, s390x

Special cases:
- Impish is soon synced from Debian as usual.

Standing MRE - Consider last updates as template:
- pad.lv/1637236
- pad.lv/1664478
- pad.lv/1690730
- pad.lv/1713979
- pad.lv/1730661
- pad.lv/1747676
- pad.lv/1752271
- pad.lv/1786938
- pad.lv/1815665
- pad.lv/1828012
- pad.lv/1833211
- pad.lv/1839058
- pad.lv/1863108
- pad.lv/1892335
- pad.lv/1915254
- pad.lv/1928773

As usual we test and prep from the PPA and then push through SRU/Security as applicable.

CVE References

Changed in postgresql-10 (Ubuntu Bionic):
status: New → Triaged
Changed in postgresql-12 (Ubuntu):
status: New → Invalid
Changed in postgresql-12 (Ubuntu Focal):
status: New → Triaged
Changed in postgresql-13 (Ubuntu Hirsute):
status: New → Triaged
Changed in postgresql-13 (Ubuntu Impish):
status: New → Triaged
information type: Private → Private Security
description: updated
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Bionic
https://bileto.ubuntu.com/#/ticket/4638
https://bileto.ubuntu.com/excuses/4638/bionic.html
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4638/+packages

build complete and good

Tests completed, hit only a few issues
ubuntu-sru:70:force-badtest diaspora-installer/0.7.3.1+debian2ubuntu2/armhf
No problem since it is a known badtest

dovecot/1:2.2.33.2-1ubuntu4.7 @ armhf
This is a known flaky test which I retried

Changed in postgresql-10 (Ubuntu Bionic):
status: Triaged → Fix Committed
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Due to the Debian Freeze we might need to upload to Impish (content wise the same as hirsute) ourselves this time.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Flaky bionic test resolved - bionic is all-good now.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Focal tests also completed, all good except a known flaky libreoffice armhf test.
I have restarted, but we can ignore it.

Hirsute also completed build now and tests look good so far.
One fail with Disapora - but only due to trying to load from github which is forbidden and not a problem due to the new postgresql.
A few tests are still running, so we give it some more time.

P.S. Also the official release is only a little bit later today.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Perfect, I've uploaded the packages to the security team PPA for building. Thanks!

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

The remaining hirsute fail is also known
ubuntu-release:97:force-reset-test diaspora-installer/0.7.6.1+debian1

We are all good unless there are last minute changes in the release.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Due to the Freeze Debian won't upload in time, but I have prepped and tested it there as well.
Will do so once we can go public.

Thanks Marc for carrying that through the security release process.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

It is public now

Latest Releases
2021-08-12 - PostgreSQL 13.4, 12.8, 11.13, 10.18, 9.6.23, and 14 Beta 3 Released!

The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 13.4, 12.8, 11.13, 10.18, and 9.6.23, as well as the third beta release of PostgreSQL 14. This release closes one security vulnerability and fixes over 75 bugs reported over the last three months.

PostgreSQL 9.6 will stop receiving fixes on November 11, 2021. If you are running PostgreSQL 9.6 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL.

In the spirit of the open source PostgreSQL community, we strongly encourage you to test the new features of PostgreSQL 14 in your systems to help us eliminate bugs or other issues that may exist. While we do not advise you to run PostgreSQL 14 Beta 3 in your production environments, we encourage you to find ways to run your typical application workloads against this beta release.

13.4 · 2021-08-12 · Notes
12.8 · 2021-08-12 · Notes
11.13 · 2021-08-12 · Notes
10.18 · 2021-08-12 · Notes
9.6.23 · 2021-08-12 · Notes

Marking it public now

information type: Private Security → Public Security
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

As synced with Myon for Debian 13.4 is uploaded.
  postgresql-13 | 13.4-1 | unstable | source, amd64, arm64, i386, ppc64el, s390x
For Impish comes via sync from there.
It will be in impish as well tonight via auto-sync (might be disabled already) or once I hit sync tomorrow morning (it isn't visible to LP yet, not manually syncable right now).

@Marc - that means the remaining work to release it to older releases is up to you now.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-10 - 10.18-0ubuntu0.18.04.1

---------------
postgresql-10 (10.18-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * New upstream version (LP: #1939396).

    + Disallow SSL renegotiation more completely (Michael Paquier)

      SSL renegotiation has been disabled for some time, but the server
      would still cooperate with a client-initiated renegotiation request.
      A maliciously crafted renegotiation request could result in a server
      crash (see OpenSSL issue CVE-2021-3449). Disable the feature
      altogether on OpenSSL versions that permit doing so, which are
      1.1.0h and newer.
      (CVE-2021-3449)

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/10/release-10-18.html

    + d/p/reproducible-bki: refreshed for 10.18

 -- Christian Ehrhardt <email address hidden> Tue, 10 Aug 2021 14:18:35 +0200

Changed in postgresql-10 (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-12 - 12.8-0ubuntu0.20.04.1

---------------
postgresql-12 (12.8-0ubuntu0.20.04.1) focal-security; urgency=medium

  * New upstream version (LP: #1939396).

    + Disallow SSL renegotiation more completely (Michael Paquier)

      SSL renegotiation has been disabled for some time, but the server
      would still cooperate with a client-initiated renegotiation request.
      A maliciously crafted renegotiation request could result in a server
      crash (see OpenSSL issue CVE-2021-3449). Disable the feature
      altogether on OpenSSL versions that permit doing so, which are
      1.1.0h and newer.
      (CVE-2021-3449)

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/12/release-12-8.html

 -- Christian Ehrhardt <email address hidden> Tue, 10 Aug 2021 14:18:34 +0200

Changed in postgresql-12 (Ubuntu Focal):
status: Triaged → Fix Released
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Synced as planend:
 postgresql-13 | 13.4-1 | impish-proposed | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x

B/F/H fixed
 postgresql-13 | 13.4-0ubuntu0.21.04.1 | hirsute-security | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
 postgresql-12 | 12.8-0ubuntu0.20.04.1 | focal-security | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
 postgresql-10 | 10.18-0ubuntu0.18.04.1 | bionic-security | source, amd64, arm64, armhf, i386, ppc64el, s390x

Somehow the automation missed the hirsute task.

Changed in postgresql-13 (Ubuntu Hirsute):
status: Triaged → Fix Released
Changed in postgresql-13 (Ubuntu Impish):
status: Triaged → Fix Committed
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Impish build is fine
https://launchpad.net/ubuntu/+source/postgresql-13/13.4-1

Just due to glibc the tests hold it back a while longer.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

The known pgplogical issue (was a test reset) is worse on armhf where it soemtimes works only to then no more work for many many retries
I've filed a hint to ignore it in impish on the current version.
 => https://code.launchpad.net/~paelzer/britney/+git/hints-ubuntu/+merge/407175

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.