Please see [1]. Perhaps our postgresql devs might know what the issue is and make a better decision, but I wonder if we should mask postgresql until we have better information.

[1] - http://www.postgresql.org/message-id/14040.1364490185%40sss.pgh.pa.us

Reproducible: Always
PostgreSQL does not yet need to be masked. The vulnerability is not public, yet. Patrick or I will bump it as soon as we see the tarballs available upstream, which is usually a day before an announcement. We do expect to be quick about it, all of us collectively. You know, like Gentoo penguins.
Any news? The update isn't out yet but will be released today. According to the #postgresql channel, the Debian, FreeBSD, etc. people already got the update to spread it to their mirrors etc. So if Gentoo was just as quick once it's out, it would surely be great.
Hey, guys! How about a bump? http://www.postgresql.org/about/news/1456/
QA: One of you available to bump?
Working on this now. Was released 2 hours ago while I was at work. I'm on lunch now and it will get bumped shortly.
CVE-2013-1899
<dev-db/postgresql-server-{9.2.4,9.1.9,9.0.13}
------------------------------------------------------------
A connection request containing a database name that begins with "-" may be crafted to damage or destroy files within a server's data directory.

CVE-2013-1900
<dev-db/postgresql-server-{9.2.4,9.1.9,9.0.13,8.4.17}
-------------------------------------------------------------------
Random numbers generated by contrib/pgcrypto functions may be easy for another database user to guess.

CVE-2013-1901
<dev-db/postgresql-server-{9.2.4,9.1.9}
-----------------------------------------------------
An unprivileged user can run commands that could interfere with in-progress backups.
Stabilization targets:

=dev-db/postgresql-docs-8.4.17
=dev-db/postgresql-docs-9.0.13
=dev-db/postgresql-docs-9.1.9
=dev-db/postgresql-docs-9.2.4
=dev-db/postgresql-base-8.4.17
=dev-db/postgresql-base-9.0.13
=dev-db/postgresql-base-9.1.9
=dev-db/postgresql-base-9.2.4
=dev-db/postgresql-server-8.4.17
=dev-db/postgresql-server-9.0.13
=dev-db/postgresql-server-9.1.9
=dev-db/postgresql-server-9.2.4
Thanks Aaron. I thought that maybe no-one was actively available to look at the issue when it was indicated that the tarballs would have been out for some time now.
(In reply to comment #8)
> Thanks Aaron. I thought that maybe no-one was actively available to look at
> the issue when it was indicated that the tarballs would have been out for
> some time now.

No problem. The tarballs did become available shortly before the announcement. I'm not sure how much earlier, but probably less than half an hour.
amd64 stable
x86 stable
ppc stable
ppc64 stable
CVE-2013-{1902,1903} do not affect us. We do not use EnterpriseDB's installers.
Stable for HPPA.
alpha stable
ia64 stable
arm stable
s390 stable
sh stable
sparc stable
Removal of vulnerable, done. Security, please vote.
GLSA vote: yes.
CVE-2013-1901 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1901):
PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions.

CVE-2013-1900 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1900):
PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the "contrib/pgcrypto functions."

CVE-2013-1899 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1899):
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen).
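The two comments above (the bump comment with the fixed server versions and the NVD descriptions here) give the same affected ranges in two notations. As an added example that is not part of this bug or of PostgreSQL itself, the following script transcribes those fixed versions into a table and checks a server's reported version against each CVE, so an administrator can tell from the output of `SELECT version()` which of the three advisories still applies. The branch rule it encodes is the advisory's own: a release branch that does not appear in a CVE's fixed list is not affected by that CVE, and only versions below the fixed release on the same branch are flagged. The function names and the sample version strings are assumptions made for this example.

```python
# Added example (not from the Gentoo bug or from the PostgreSQL project):
# decide which of CVE-2013-1899/1900/1901 still apply to an installed server.
from typing import Dict, List, Tuple

# Fixed releases per CVE, transcribed from the advisory text in this thread.
# A branch missing from a CVE's list (e.g. 8.4 for CVE-2013-1899) is not
# affected by that CVE.
FIXED_IN: Dict[str, List[str]] = {
    "CVE-2013-1899": ["9.2.4", "9.1.9", "9.0.13"],
    "CVE-2013-1900": ["9.2.4", "9.1.9", "9.0.13", "8.4.17"],
    "CVE-2013-1901": ["9.2.4", "9.1.9"],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted numeric token as a tuple of ints.

    Accepts a bare '9.1.8' as well as the full string returned by
    SELECT version(), e.g. 'PostgreSQL 9.1.8 on x86_64-unknown-linux-gnu, ...'.
    """
    for token in text.split():
        parts = token.split(".")
        if len(parts) >= 2 and all(p.isdigit() for p in parts):
            return tuple(int(p) for p in parts)
    raise ValueError(f"no version number found in {text!r}")


def branch(version: Tuple[int, ...]) -> Tuple[int, int]:
    """Release branch of a pre-10 PostgreSQL version: the first two components."""
    return version[0], version[1]


def affected_cves(version_text: str) -> List[str]:
    """Return the CVE ids from FIXED_IN that still apply to this server version.

    A version is affected by a CVE when its branch is listed for that CVE and
    the version is older than the fixed release on that branch. Branches not
    listed by the advisory at all (e.g. 8.3) yield no hit; the table simply
    says nothing about them.
    """
    version = parse_version(version_text)
    hits: List[str] = []
    for cve, fixed_releases in FIXED_IN.items():
        for fixed_text in fixed_releases:
            fixed = parse_version(fixed_text)
            if branch(fixed) == branch(version) and version < fixed:
                hits.append(cve)
                break  # one match per CVE is enough
    return hits


if __name__ == "__main__":
    # Constructed sample: what SELECT version() might report on an unpatched 9.1 box.
    sample = "PostgreSQL 9.1.8 on x86_64-unknown-linux-gnu, compiled by gcc (GCC) 4.7.2, 64-bit"
    for probe in (sample, "9.0.12", "8.4.16", "9.2.4"):
        print(f"{probe!r}: {affected_cves(probe) or 'not affected by these advisories'}")
```

Run it with the version string from `psql -c "SELECT version()"`; an empty list means none of the three CVEs applies at that version. Because the table is keyed by branch, a server on a branch the advisory never mentions produces no hits rather than a false positive.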
On GLSA draft.
This issue was resolved and addressed in GLSA 201408-15 at http://security.gentoo.org/glsa/glsa-201408-15.xml by GLSA coordinator Kristian Fiskerstrand (K_F).