Below is an excerpt from a SANS security email I get weekly:

04.23.22
CVE: Not Available
Platform: Cross Platform
Title: PostgreSQL ODBC Driver Remote Buffer Overflow
Description: The PostgreSQL ODBC driver is reportedly vulnerable to an unspecified remote buffer overflow. PostgreSQL version 7.2.1 was reported vulnerable.
Ref: http://www.securityfocus.com/advisories/6819

I'm not sure if this even applies to the version we currently have marked stable in the tree:

* dev-db/postgresql
Latest version available: 7.4

^^ the current version I see is 7.4, but it would be wise to double check that version 7.4 isn't really vulnerable.
This is not very clear. It seems the problem is in the current versions too. From:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=247306
http://archives.postgresql.org/pgsql-odbc/2004-06/msg00022.php
http://archives.postgresql.org/pgsql-bugs/2004-05/msg00092.php

it appears that Debian patched a few buffer overflows but there are several more in the PostgreSQL ODBC driver. There is no upstream fix for the moment... so we can apply the Debian patch and bump, or wait for upstream to fix things correctly. But they don't appear to be in a hurry to do so... If someone has the email for the postgresql herd (maintainer of this package according to metadata.xml), postgresql@gentoo.org doesn't work...
No fix upstream, no maintainer here AFAICT... What should we do?
Patch from upstream, not committed yet: http://archives.postgresql.org/pgsql-odbc/2004-07/msg00049.php

Cc: nakano for the postgresql herd (postgresql@gentoo.org doesn't seem to work).
adding pgsql-bugs@gentoo.org
sent email to pgsql-bugs directly asking for some help.
we don't have postgresql 7.2* in the portage tree. the odbc driver has been removed in postgresql-7.3* or later. (the driver became another package called psqlodbc, but we don't have it as well.) so, we don't need to do anything about this security problem.
Nice. Closing as INVALID.