175791 2007-04-24 03:29 0000 dev-db/postgresql privilege escalation in SECURITY DEFINER functions (CVE-2007-2138) 2007-09-23 00:24:34 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://www.postgresql.org/about/news.791 B3 [glsa] P2 normal --- 1 aross@gentoo.org security@gentoo.org bernd@linx.net chainsaw@gentoo.org esigra@gmail.com mips@gentoo.org pgsql-bugs@gentoo.org aross@gentoo.org 2007-04-24 03:29:13 0000 "The PostgreSQL Global Development Group has released updates to patch a privilege escalation exploit in SECURITY DEFINER functions. The fix is available in 8.2.4, 8.1.9, 8.0.13, 7.4.17, and 7.3.19 and all users of this feature are strongly urged to update to the latest minor version and follow instructions on securing these functions as soon as possible." dev-db/postgresql-8.0.12 is the latest stable version on x86, and is vulnerable. vorlon@gentoo.org 2007-04-24 16:04:21 0000 please provide an updated ebuild aross@gentoo.org 2007-04-30 23:07:46 0000 If a GLSA is issued, it should refer users to http://www.postgresql.org/docs/techdocs.77 (Creating Secure Security Definer Functions), as the code for all security definer functions written by the user will need to be updated to properly secure the database. aross@gentoo.org 2007-05-03 04:57:02 0000 dev-db/postgresql-8.0.13 and its dep dev-db/libpq-8.0.13 are in the tree and need to be marked stable. As per the release notes (http://www.postgresql.org/docs/8.0/static/release.html#RELEASE-8-0-13), there are very few changes over 8.0.12 (the current stable version) and they are all minor fixes. If at all possible, 7.3.19 and 7.4.17 should also be marked stable, as they provide a much easier upgrade path for users than jumping to 8.0.13 (which requires a database dump/reload when upgrading from 7.x) 8.2.4 and 8.1.9 can remain in ~arch, as the 8.1.x and 8.2.x series are not currently stable on any archs. dev-zero@gentoo.org 2007-05-03 14:40:12 0000 aross: 7.3, 7.4, 8.0, 8.1 and 8.2 are major versions which will be kept in the tree and have to be bumped as well. I'm taking care of this. Thanks aetius@gentoo.org 2007-05-03 18:34:42 0000 Thanks aross and dev-zero. Arches, the snowball is in your court, please stabilize: dev-db/postgresql-7.3.19 dev-db/postgresql-7.4.17 dev-db/postgresql-8.0.13 gustavoz@gentoo.org 2007-05-04 13:00:37 0000 I suppose we should match this with the corresponding libpq versions too right? armin76@gentoo.org 2007-05-04 13:12:39 0000 ia64 + x86 stable gustavoz@gentoo.org 2007-05-04 15:31:57 0000 sparc stable. voxus@gentoo.org 2007-05-04 16:37:59 0000 amd64 stable. jer@gentoo.org 2007-05-04 19:05:58 0000 Stable for HPPA. dertobi123@gentoo.org 2007-05-05 10:26:09 0000 ppc stable corsair@gentoo.org 2007-05-05 13:20:37 0000 ppc64 stable yoswink@gentoo.org 2007-05-06 22:20:15 0000 dev-db/postgresql-7.3.19 dev-db/postgresql-7.4.17 dev-db/postgresql-8.0.13 Stable on alpha. jaervosz@gentoo.org 2007-05-10 18:56:24 0000 GLSA 200705-12 arm, mips, s390 don't forget to mark stable to benifit from the GLSA.