Hello PostgreSQL team, a little DoS vulnerability with the corrected versions below:

Posted on 2006-10-16
Posted by josh@postgresql.org

The PostgreSQL project today is releasing the following minor versions, which fix three different crash vulnerabilities as well as an assortment of minor issues. Users of all PostgreSQL versions are urged to upgrade at the earliest opportunity. The versions being released are: 8.1.5, 8.0.9, 7.4.14, 7.3.16. These are cumulative patch releases which simply replace the PostgreSQL binaries for major versions 8.1, 8.0, 7.4 and 7.3. Note that users of versions 7.4.0, 7.4.1, 8.0.0 and 8.0.1 may have to take additional steps in the course of upgrading -- see the release notes for details.

The three crash conditions are not considered critical vulnerabilities, because all three require authenticated access to the database with the ability to run ad-hoc queries, and none can be exploited for privilege escalation. As a result, we have NOT filed a CVE for these issues.

Source for these releases is currently available, as well as binaries for Windows and some distributions of Linux. Binaries for Solaris, other Linuxen, and OSX should be obtained from their respective vendors.
chtekk or dev-zero any news here? please advise
Sorry for the delay. I think that we can release the version bump this weekend. We (chtekk and I) have to decide whether and how some improvements of the ebuilds we have in the overlay should be back-ported to the ebuilds in the tree for the new version. After the version bump, I'll open a stabilization-bug with the request to stable the new postgresql-versions within 7-10 days. This is a reasonable duration since it's not a critical vulnerability and should be manageable by the arch-teams.
(In reply to comment #2)
> Sorry for the delay. I think that we can release the version bump this weekend.

thanks

> We (chtekk and I) have to decide whether and how some improvements of the
> ebuilds we have in the overlay should be back-ported to the ebuilds in the tree
> for the new version.

as you want :)

> After the version bump, I'll open a stabilization-bug with the request to
> stable the new postgresql-versions within 7-10 days. This is a reasonable
> duration since it's not a critical vulnerability and should be manageable by
> the arch-teams.

yes OK
Pulling in herd for advice.
Hi arches, please remove yourself from the Cc: list when you stabilize the targeted versions, as usual. Target keywords are:

8.0.9(-r1)? on all Cced arches (the maintainer wishes 8.0.9-r1)
7.4.14 on all Cced arches
7.3.16 on all Cced arches except PPC64

8.1.15 is not needed in the security scope. There's a dependency with dev-db/libpq, see bug 158075.
removing X86 from Cc for our statistics, sorry for the spam :)
*** Bug 158075 has been marked as a duplicate of this bug. ***
Arches, everything is handled here now:

dev-db/postgresql:
8.0.9-r1 on all Cced arches
7.4.14 on all Cced arches
7.3.16 on all Cced arches except PPC64

and dev-db/libpq as a dependency. Thanks
spam, spam...
ppc64 stable
ppc stable
SPARC stable
Stable on Alpha + ia64.
amd64 stable.
stable on hppa.
(In reply to comment #12)
> SPARC stable

hi Jason, postgresql-7.3.16 seems to be missing: is it expected?
Security team: Time To Vote.

I vote no because of the needed authentication before triggering the DoS.
Looks like I goofed on 7.3.16. It's fixed now. Thanks.
I tend to vote NO.
Not sure about this one. Authentication is no real criterion IMHO, since every stupid webapp uses an authenticated connection. Unless somebody can enlighten me on the exact requirement to exploit this, I tend to vote YES.
closing with noglsa since there wasn't any "Yes". Feel free to reopen if you disagree. As usual, arm, mips, s390 and sh, don't forget to mark stable the new version at your convenience.