Latest fixed versions are: 8.4.1, 8.3.8, 8.2.14, 8.1.18, 8.0.22 and 7.4.26. See also upstream: http://www.postgresql.org/ftp/source/ Reproducible: Always
8.4.1, 8.3.8, 8.2.14, 8.1.18, 8.0.22 are in. 7.4.26 needs some autotools love for the bump and is close to EOL upstream.
CVE-2009-3229 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3229): The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, and 8.2 before 8.2.14 allows remote authenticated users to cause a denial of service (backend shutdown) by "re-LOAD-ing" libraries from a certain plugins directory.

CVE-2009-3230 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3230): The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and 7.4 before 7.4.26 does not use the appropriate privileges for the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, which allows remote authenticated users to gain privileges. NOTE: this is due to an incomplete fix for CVE-2007-6600.

CVE-2009-3231 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3231): The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password.
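Added example (not part of this bug or of the PostgreSQL project): a small Python check that maps an installed PostgreSQL version to the CVEs from the comment above that still apply to it, using the per-branch fixed versions listed there. The parse_psql_version and open_cves helpers and the sample version strings are constructed for illustration. A branch that a CVE does not list (e.g. 8.1 for CVE-2009-3229) is treated as not affected, exactly as the advisory text reads; a branch outside 7.4 to 8.4 simply yields no findings, which means "not covered by these advisories", not "safe".

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed version per branch, taken from the three CVE descriptions in this bug.
# A branch missing from a CVE's map is not listed as affected by that CVE.
FIXED_IN: Dict[str, Dict[str, str]] = {
    "CVE-2009-3229": {"8.4": "8.4.1", "8.3": "8.3.8", "8.2": "8.2.14"},
    "CVE-2009-3230": {"8.4": "8.4.1", "8.3": "8.3.8", "8.2": "8.2.14",
                      "8.1": "8.1.18", "8.0": "8.0.22", "7.4": "7.4.26"},
    "CVE-2009-3231": {"8.3": "8.3.8", "8.2": "8.2.14"},
}


def parse_version(text: str) -> Version:
    """Turn '8.3.7' into (8, 3, 7) so tuples compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_psql_version(banner: str) -> str:
    """Extract the version from a 'psql (PostgreSQL) X.Y.Z' banner line.

    The banner format is an assumption made for this example; adjust the
    regex if your client prints something different.
    """
    match = re.search(r"PostgreSQL\)?\s+(\d+(?:\.\d+)+)", banner)
    if not match:
        raise ValueError(f"no version found in: {banner!r}")
    return match.group(1)


def branch_of(version: Version) -> str:
    """PostgreSQL branches of this era are identified by major.minor (e.g. '8.3')."""
    return f"{version[0]}.{version[1]}"


def open_cves(version_text: str) -> List[str]:
    """Return the CVEs from FIXED_IN that the given version has not yet received a fix for."""
    installed = parse_version(version_text)
    branch = branch_of(installed)
    unresolved = []
    for cve, fixes in FIXED_IN.items():
        fixed = fixes.get(branch)
        if fixed is not None and installed < parse_version(fixed):
            unresolved.append(cve)
    return unresolved


if __name__ == "__main__":
    # Constructed sample banners, not output from a real host.
    for banner in ("psql (PostgreSQL) 8.3.7", "psql (PostgreSQL) 8.1.17",
                   "psql (PostgreSQL) 8.4.1"):
        version = parse_psql_version(banner)
        print(version, "->", open_cves(version) or "no open CVEs from this advisory")
```

Tuple comparison is what makes this correct: comparing the strings "8.2.9" and "8.2.14" would put 8.2.9 after 8.2.14 and hide an unpatched server.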
7.4.26 also committed. All slots have new enough versions available.
Ok, this was a bit confusing. Since we intended to mask dev-db/libpq and dev-db/postgresql I focussed on dev-db/postgresql-{base,server}. Those have had new enough versions now. Because the keywording was slowed down I've bumped libpq and postgresql now. So both sets of packages should have new enough versions. Sorry for the delay.
(In reply to comment #4)
> Ok, this was a bit confusing.
>
> Since we intended to mask dev-db/libpq and dev-db/postgresql I focussed on
> dev-db/postgresql-{base,server}. Those have had new enough versions now.
>
> Because the keywording was slowed down I've bumped libpq and postgresql now.
> So both sets of packages should have new enough versions. Sorry for the delay.

There is a stabilisation bug open in bug 285475 which is blocking other stabilisations, because of some issues. The bug has patches attached, maybe they should be incorporated.
dev-db/postgresql is now gone. Close bug?
This should be resolved along with bug 320967
This issue was resolved and addressed in GLSA 201110-22 at http://security.gentoo.org/glsa/glsa-201110-22.xml by GLSA coordinator Alex Legler (a3li).