"The PostgreSQL Global Development Group has released updates to patch a privilege escalation exploit in SECURITY DEFINER functions. The fix is available in 8.2.4, 8.1.9, 8.0.13, 7.4.17, and 7.3.19 and all users of this feature are strongly urged to update to the latest minor version and follow instructions on securing these functions as soon as possible." dev-db/postgresql-8.0.12 is the latest stable version on x86, and is vulnerable.
please provide an updated ebuild
If a GLSA is issued, it should refer users to http://www.postgresql.org/docs/techdocs.77 (Creating Secure Security Definer Functions), as the code for all security definer functions written by the user will need to be updated to properly secure the database.
dev-db/postgresql-8.0.13 and its dep dev-db/libpq-8.0.13 are in the tree and need to be marked stable. As per the release notes (http://www.postgresql.org/docs/8.0/static/release.html#RELEASE-8-0-13), there are very few changes over 8.0.12 (the current stable version) and they are all minor fixes. If at all possible, 7.3.19 and 7.4.17 should also be marked stable, as they provide a much easier upgrade path for users than jumping to 8.0.13 (which requires a database dump/reload when upgrading from 7.x) 8.2.4 and 8.1.9 can remain in ~arch, as the 8.1.x and 8.2.x series are not currently stable on any archs.
aross: 7.3, 7.4, 8.0, 8.1 and 8.2 are major versions which will be kept in the tree and have to be bumped as well. I'm taking care of this. Thanks
Thanks aross and dev-zero. Arches, the snowball is in your court, please stabilize: dev-db/postgresql-7.3.19 dev-db/postgresql-7.4.17 dev-db/postgresql-8.0.13
I suppose we should match this with the corresponding libpq versions too right?
ia64 + x86 stable
sparc stable.
amd64 stable.
Stable for HPPA.
ppc stable
ppc64 stable
dev-db/postgresql-7.3.19 dev-db/postgresql-7.4.17 dev-db/postgresql-8.0.13 Stable on alpha.
GLSA 200705-12 arm, mips, s390 don't forget to mark stable to benifit from the GLSA.
