
Bug 68865

Summary: Postgresql Upgrade Available for "insecure creation of temporary files"
Product: Gentoo Security
Reporter: Scott Langley <scott>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: normal
CC: esigra
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://www.postgresql.org/news/234.html
Whiteboard:
Package list:
Runtime testing required: ---

Description Scott Langley 2004-10-25 10:38:41 UTC
"PostgreSQL Security Release(s) for 7.2, 7.3 and 7.4
Posted on 2004-10-23
Posted by press at PostgreSQL.org

In order to address a recent security report from iDefence, we have released 3 new "point" releases: 7.2.6, 7.3.8 and 7.4.6

Although rated only a Medium risk, according to their web site: "A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files."

Also in these releases is a potential 'data loss' bug that was recently identified:

* Repair possible failure to update hint bits on disk
Under rare circumstances this oversight could lead to "could not access transaction status" failures, which qualifies it as a potential-data-loss bug."
Comment 1 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-10-25 11:03:59 UTC
the vulnerability has already been addressed in bug #66371 and glsa 200410-16:
http://www.gentoo.org/security/en/glsa/glsa-200410-16.xml

update to postgresql >= 7.4.5-r2 or 7.3.7-r2.

postgresql 7.3.8 and 7.4.6 are already in portage, currently marked unstable.


*** This bug has been marked as a duplicate of 66371 ***