Bug 152783 - dev-db/postgresql: DoS vulnerability if authenticated (CVE-2006-5540?)

Bug#: 152783
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: falco@gentoo.org
Component: Vulnerabilities
URL: http://www.postgresql.org/about/news.664
Summary: dev-db/postgresql: DoS vulnerability if authenticated (CVE-2006-5540?)
Keywords:
Status Whiteboard: B/C3 [noglsa] Falco
Opened: 2006-10-25 06:53 0000

Hello PostgreSQL team, a little DoS vulnerability, with the corrected versions
below:
Posted on 2006-10-16
Posted by josh@postgresql.org
The PostgreSQL project today is releasing the following minor versions, which
fix three different crash vulnerabilities as well as an assortment of minor
issues. Users of all PostgreSQL versions are urged to upgrade at the earliest
opportunity.
The versions being released are: 8.1.5, 8.0.9, 7.4.14, 7.3.16. These are
cumulative patch releases which simply replace the PostgreSQL binaries for
major versions 8.1, 8.0, 7.4 and 7.3. Note that users of versions 7.4.0, 7.4.1,
8.0.0 and 8.0.1 may have to take additional steps in the course of upgrading --
see the release notes for details.
The three crash conditions are not considered critical vulnerabilities, because
all three require authenticated access to the database with the ability to run
ad-hoc queries, and none can be exploited for privilege escalation. As a
result, we have NOT filed a CVE for these issues.
Source for these releases is currently available, as well as binaries for
Windows and some distributions of Linux. Binaries for Solaris, other Linuxen,
and OSX should be obtained from their respective vendors.
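As an added example (not part of this bug report and not PostgreSQL project code), the check a practitioner would run against this announcement: take the version string gathered from each server with `psql --version` or `SELECT version()` and decide whether that build is at or past the fixed minor release for its branch. The four fixed versions are the ones named in the quoted announcement; the host names and version strings in the sample inventory are constructed for illustration.

```python
import re

# Minimum fixed minor release per major branch, as listed in the
# PostgreSQL announcement of 2006-10-16 quoted above.
FIXED_RELEASES = {
    (8, 1): (8, 1, 5),
    (8, 0): (8, 0, 9),
    (7, 4): (7, 4, 14),
    (7, 3): (7, 3, 16),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from the output of `psql --version`
    or `SELECT version()`; raise ValueError if no x.y.z is present."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no x.y.z version found in %r" % (text,))
    return tuple(int(part) for part in match.groups())


def is_fixed(text):
    """True if the build carries the fix, False if it is older than the
    fixed release for its branch, None if the branch is not one of the
    four covered by the announcement (for example 7.2, or a later 8.2)."""
    version = parse_version(text)
    minimum = FIXED_RELEASES.get(version[:2])
    if minimum is None:
        return None
    return version >= minimum


def triage(hosts):
    """Map host name -> 'fixed' / 'vulnerable' / 'unknown branch' for a
    dict of host -> version string collected from each server."""
    verdicts = {}
    for host, text in hosts.items():
        result = is_fixed(text)
        if result is None:
            verdicts[host] = "unknown branch"
        elif result:
            verdicts[host] = "fixed"
        else:
            verdicts[host] = "vulnerable"
    return verdicts


# Constructed sample inventory: hypothetical hosts and version strings.
SAMPLE_HOSTS = {
    "db1": "PostgreSQL 8.0.8 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 3.4.6",
    "db2": "psql (PostgreSQL) 8.1.5",
    "db3": "PostgreSQL 7.4.14 on x86_64-pc-linux-gnu",
    "db4": "PostgreSQL 7.3.15 on sparc-unknown-linux-gnu",
    "db5": "PostgreSQL 8.2.0 on i686-pc-linux-gnu",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_HOSTS).items()):
        print("%s: %s" % (host, verdict))
```

A branch the announcement does not list comes back as "unknown branch" rather than "fixed", so an unsupported 7.2 server or a development 8.2 build still gets looked at by hand instead of being silently passed. The comparison is on the installed binaries, which is what the patch releases replace; it says nothing about whether the running postmaster has been restarted onto them.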
chtekk or dev-zero, any news here? Please advise.
Sorry for the delay. I think that we can release the version bump this weekend.
We (chtekk and I) have to decide whether and how some improvements of the
ebuilds we have in the overlay should be back-ported to the ebuilds in the tree
for the new version.
After the version bump, I'll open a stabilization-bug with the request to
stable the new postgresql-versions within 7-10 days. This is a reasonable
duration since it's not a critical vulnerability and should be manageable by
the arch-teams.
(In reply to comment #2)
> Sorry for the delay. I think that we can release the version bump this weekend.
thanks
>
> We (chtekk and I) have to decide whether and how some improvements of the
> ebuilds we have in the overlay should be back-ported to the ebuilds in the tree
> for the new version.
as you want :)
> After the version bump, I'll open a stabilization-bug with the request to
> stable the new postgresql-versions within 7-10 days. This is a reasonable
> duration since it's not a critical vulnerability and should be manageable by
> the arch-teams.
yes OK
Pulling in herd for advice.
Hi arches, please remove yourself from the Cc: list when you stabilize the
targeted versions, as usual.
Target keywords are:
8.0.9(-r1)? on all Cced arches (the maintainer wishes 8.0.9-r1)
7.4.14 on all Cced arches
7.3.16 on all Cced arches except PPC64
8.1.15 is not needed in the security scope.
There's a dependency with dev-db/libpq, see bug 158075.
removing X86 from Cc for our statistics, sorry for the spam :)
*** Bug 158075 has been marked as a duplicate of this bug. ***
Arches everything is handled here now:
dev-db/postgresql:
8.0.9-r1 on all Cced arches
7.4.14 on all Cced arches
7.3.16 on all Cced arches except PPC64
and dev-db/libpq as a dependency
thanks
(In reply to comment #12)
> SPARC stable
>
hi Jason,
postgresql-7.3.16 seems to be missing: is it expected?
Security team: Time To Vote
I vote no because of the needed authentication before triggering the DoS.
Looks like I goofed on 7.3.16. It's fixed now. Thanks.
Not sure about this one. Authentication is no real criterion IMHO, since every
stupid webapp uses an authenticated connection. Unless somebody can enlighten
me on the exact requirement to exploit this I tend to vote YES.
Closing with noglsa since there wasn't any "Yes". Feel free to reopen if you
disagree.
As usual, arm, mips, s390 and sh, don't forget to mark stable the new version
at your convenience.