[Buildroot] [PATCH 1/1] package/timescaledb: security bump to version 2.5.2

[Buildroot] [PATCH 1/1] package/timescaledb: security bump to version 2.5.2

[Fabrice Fontaine]

Fix CVE-2022-24128: Timescale TimescaleDB 1.x and 2.x before 2.5.2 may
allow privilege escalation during extension installation. The
installation process uses commands such as CREATE x IF NOT EXIST that
allow an unprivileged user to precreate objects. These objects will be
used by the installer (which executes as Superuser), leading to
privilege escalation. In order to be able to take advantage of this, an
unprivileged user would need to be able to create objects in a database
and then get a Superuser to install TimescaleDB into their database. (In
the fixed versions, the installation aborts when it finds that an object
already exists.)

"This release contains bug fixes since the 2.5.1 release.
This release is high priority for upgrade. We strongly recommend that
you upgrade as soon as possible."

https://github.com/timescale/timescaledb/releases/tag/2.5.2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/timescaledb/timescaledb.hash | 2 +-
 package/timescaledb/timescaledb.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/timescaledb/timescaledb.hash b/package/timescaledb/timescaledb.hash
index 5690ce65b3..556cdaf329 100644
--- a/package/timescaledb/timescaledb.hash
+++ b/package/timescaledb/timescaledb.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256  58a34a7a3a571339a019c0ae999b4ebb9f93e1e0cb828501e32bb073e0a25eac  timescaledb-2.5.1.tar.gz
+sha256  b1a20832189c22ce378f009f9a24ef1db61d7131f7f79bde74fdcde87bcf2d7c  timescaledb-2.5.2.tar.gz
 sha256  0378e0948feefd85f579319c74d6e2b671194037f550c7176ef26649d94c895b  LICENSE
diff --git a/package/timescaledb/timescaledb.mk b/package/timescaledb/timescaledb.mk
index b1e4342fe9..1d8b2a69a7 100644
--- a/package/timescaledb/timescaledb.mk
+++ b/package/timescaledb/timescaledb.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-TIMESCALEDB_VERSION = 2.5.1
+TIMESCALEDB_VERSION = 2.5.2
 TIMESCALEDB_SITE = $(call github,timescale,timescaledb,$(TIMESCALEDB_VERSION))
 TIMESCALEDB_LICENSE = Apache-2.0
 TIMESCALEDB_LICENSE_FILES = LICENSE
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/timescaledb: security bump to version 2.5.2

[Thomas Petazzoni via buildroot]

On Sun, 20 Mar 2022 17:39:30 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> Fix CVE-2022-24128: Timescale TimescaleDB 1.x and 2.x before 2.5.2 may
> allow privilege escalation during extension installation. The
> installation process uses commands such as CREATE x IF NOT EXIST that
> allow an unprivileged user to precreate objects. These objects will be
> used by the installer (which executes as Superuser), leading to
> privilege escalation. In order to be able to take advantage of this, an
> unprivileged user would need to be able to create objects in a database
> and then get a Superuser to install TimescaleDB into their database. (In
> the fixed versions, the installation aborts when it finds that an object
> already exists.)
> 
> "This release contains bug fixes since the 2.5.1 release.
> This release is high priority for upgrade. We strongly recommend that
> you upgrade as soon as possible."
> 
> https://github.com/timescale/timescaledb/releases/tag/2.5.2
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  package/timescaledb/timescaledb.hash | 2 +-
>  package/timescaledb/timescaledb.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/timescaledb: security bump to version 2.5.2

[Maxim Kochetkov via buildroot]

On 20.03.2022 19:39, Fabrice Fontaine wrote:
> Fix CVE-2022-24128: Timescale TimescaleDB 1.x and 2.x before 2.5.2 may
> allow privilege escalation during extension installation. The
> installation process uses commands such as CREATE x IF NOT EXIST that
> allow an unprivileged user to precreate objects. These objects will be
> used by the installer (which executes as Superuser), leading to
> privilege escalation. In order to be able to take advantage of this, an
> unprivileged user would need to be able to create objects in a database
> and then get a Superuser to install TimescaleDB into their database. (In
> the fixed versions, the installation aborts when it finds that an object
> already exists.)
> 
> "This release contains bug fixes since the 2.5.1 release.
> This release is high priority for upgrade. We strongly recommend that
> you upgrade as soon as possible."
> 
> https://github.com/timescale/timescaledb/releases/tag/2.5.2
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Maxim Kochetkov <fido_max@inbox.ru>
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/timescaledb: security bump to version 2.5.2

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2022-24128: Timescale TimescaleDB 1.x and 2.x before 2.5.2 may
 > allow privilege escalation during extension installation. The
 > installation process uses commands such as CREATE x IF NOT EXIST that
 > allow an unprivileged user to precreate objects. These objects will be
 > used by the installer (which executes as Superuser), leading to
 > privilege escalation. In order to be able to take advantage of this, an
 > unprivileged user would need to be able to create objects in a database
 > and then get a Superuser to install TimescaleDB into their database. (In
 > the fixed versions, the installation aborts when it finds that an object
 > already exists.)

 > "This release contains bug fixes since the 2.5.1 release.
 > This release is high priority for upgrade. We strongly recommend that
 > you upgrade as soon as possible."

 > https://github.com/timescale/timescaledb/releases/tag/2.5.2

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2021.02.x, 2021.11.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot