Bug#: 175791
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Andrew Ross (RETIRED) <aross@gentoo.org>
Description:   Opened: 2007-04-24 03:29 0000
"The PostgreSQL Global Development Group has released updates to patch a
privilege escalation exploit in SECURITY DEFINER functions. The fix is
available in 8.2.4, 8.1.9, 8.0.13, 7.4.17, and 7.3.19 and all users of this
feature are strongly urged to update to the latest minor version and follow
instructions on securing these functions as soon as possible."

dev-db/postgresql-8.0.12 is the latest stable version on x86, and is
vulnerable.

------- Comment #1 From Matthias Geerdsen 2007-04-24 16:04:21 0000 -------
please provide an updated ebuild

------- Comment #2 From Andrew Ross (RETIRED) 2007-04-30 23:07:46 0000 -------
If a GLSA is issued, it should refer users to
http://www.postgresql.org/docs/techdocs.77 (Creating Secure Security Definer
Functions), as the code for all security definer functions written by the user
will need to be updated to properly secure the database.
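
The kind of rewrite comment #2 refers to, as an added example that is not part of this bug report or of the linked PostgreSQL techdoc: a SECURITY DEFINER function that leaves name resolution under the caller's control, beside one that pins search_path to trusted schemas (pg_temp last) for the duration of the call and has its EXECUTE privilege restricted. The schema `app`, table `app.accounts`, the two function names and the role `balance_checker` are assumed, as is a release with dollar quoting and named function parameters (8.0 or later).

```sql
-- Constructed setup for the example: the sensitive table lives in a
-- schema that ordinary roles cannot read directly.
CREATE SCHEMA app;
CREATE TABLE app.accounts (username text PRIMARY KEY, balance numeric);
REVOKE ALL ON SCHEMA app FROM PUBLIC;

-- BEFORE: runs with the definer's privileges, but resolves every
-- unqualified name (accounts, operators, functions) through the
-- caller's search_path. A caller who can create objects in a schema
-- searched ahead of app can have their own objects used by this body,
-- which then executes with the definer's rights.
CREATE FUNCTION check_balance(uname text) RETURNS numeric AS $$
    SELECT balance FROM accounts WHERE username = $1;
$$ LANGUAGE sql SECURITY DEFINER;

-- AFTER: save the caller's search_path, pin a trusted one with pg_temp
-- last, do the work, restore. current_setting and set_config are
-- schema-qualified so that they cannot be shadowed either.
CREATE FUNCTION check_balance_secure(uname text) RETURNS numeric AS $$
DECLARE
    old_path text;
    result   numeric;
BEGIN
    old_path := pg_catalog.current_setting('search_path');
    -- is_local = true: the setting is transaction-scoped, so it is
    -- undone automatically if the function raises an error.
    PERFORM pg_catalog.set_config('search_path', 'app, pg_temp', true);

    SELECT balance INTO result FROM accounts WHERE username = uname;

    PERFORM pg_catalog.set_config('search_path', old_path, true);
    RETURN result;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;

-- New functions are executable by PUBLIC by default; limit the
-- privileged entry point to the role that needs it (assumed to exist).
REVOKE EXECUTE ON FUNCTION check_balance_secure(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION check_balance_secure(text) TO balance_checker;
```

Auditing an existing database for functions that need this treatment can start from `pg_proc` rows with `prosecdef = true`, checking each body for an unpinned search_path.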

------- Comment #3 From Andrew Ross (RETIRED) 2007-05-03 04:57:02 0000 -------
dev-db/postgresql-8.0.13 and its dep dev-db/libpq-8.0.13 are in the tree and
need to be marked stable. As per the release notes
(http://www.postgresql.org/docs/8.0/static/release.html#RELEASE-8-0-13), there
are very few changes over 8.0.12 (the current stable version) and they are all
minor fixes.

If at all possible, 7.3.19 and 7.4.17 should also be marked stable, as they
provide a much easier upgrade path for users than jumping to 8.0.13 (which
requires a database dump/reload when upgrading from 7.x).

8.2.4 and 8.1.9 can remain in ~arch, as the 8.1.x and 8.2.x series are not
currently stable on any archs.

------- Comment #4 From Tiziano Müller 2007-05-03 14:40:12 0000 -------
aross: 7.3, 7.4, 8.0, 8.1 and 8.2 are major versions which will be kept in the
tree and have to be bumped as well. I'm taking care of this. Thanks

------- Comment #5 From Matt Drew 2007-05-03 18:34:42 0000 -------
Thanks aross and dev-zero.  Arches, the snowball is in your court, please
stabilize:

dev-db/postgresql-7.3.19
dev-db/postgresql-7.4.17
dev-db/postgresql-8.0.13

------- Comment #6 From Gustavo Zacarias (RETIRED) 2007-05-04 13:00:37 0000 -------
I suppose we should match this with the corresponding libpq versions too right?

------- Comment #7 From Raúl Porcel 2007-05-04 13:12:39 0000 -------
ia64 + x86 stable

------- Comment #8 From Gustavo Zacarias (RETIRED) 2007-05-04 15:31:57 0000 -------
sparc stable.

------- Comment #9 From Konstantin Arkhipov 2007-05-04 16:37:59 0000 -------
amd64 stable.

------- Comment #10 From Jeroen Roovers 2007-05-04 19:05:58 0000 -------
Stable for HPPA.

------- Comment #11 From Tobias Scherbaum 2007-05-05 10:26:09 0000 -------
ppc stable

------- Comment #12 From Markus Rothe 2007-05-05 13:20:37 0000 -------
ppc64 stable

------- Comment #13 From Jose Luis Rivero (yoswink) 2007-05-06 22:20:15 0000 -------
dev-db/postgresql-7.3.19
dev-db/postgresql-7.4.17
dev-db/postgresql-8.0.13

Stable on alpha.

------- Comment #14 From Sune Kloppenborg Jeppesen 2007-05-10 18:56:24 0000 -------
GLSA 200705-12

arm, mips, s390 don't forget to mark stable to benefit from the GLSA.
