Re: a vulnerability in PostgreSQL - Mailing list pgsql-hackers

From Lamar Owen
Subject Re: a vulnerability in PostgreSQL
Msg-id 200205031332.53813.lamar.owen@wgcr.org
In response to Re: a vulnerability in PostgreSQL  (Lincoln Yeoh <lyeoh@pop.jaring.my>)
List pgsql-hackers
On Thursday 02 May 2002 11:43 pm, Lincoln Yeoh wrote:
> Any idea which versions of Postgresql have been bundled with O/S CDs?

For RedHat:
5.0    -> PG6.2.1
5.1    -> PG6.3.2
5.2    -> PG6.3.2
6.0    -> PG6.4.2
6.1    -> PG6.5.2 (I think -- this was my first RPMset in Red Hat Linux, but I'm 
not 100% sure it was 6.5.2 -- it might have been 6.5.3)
6.2    -> PG6.5.3
7.0    -> PG7.0.2
7.1    -> PG7.0.3
7.2    -> PG7.1.3
7.2.93 -> PG7.2.1

Red Hat 7.2 is the current official Red Hat, and _currently_ ships with 7.1.3.  
If this bug applies there, it should be backpatched, and I would be willing 
to roll another 7.1.3 RPM with the backpatch in it.

Prior to that -- well, I don't have any machines running those versions any 
more.  I stay pretty much on the frontline of things -- not the bleeding edge 
of RawHide, but close.  I have had the 7.2.93 beta installed, for instance.  
I'm even going to get out of the Red Hat 6.2 on SPARC business at some point, 
by going to the Aurora version (current Red Hat version ported to SPARC).  
6.2 is just old, and iptables on the 2.4 kernel is just too useful.

I guess I _could_ reinstall an OS to provide a security patch -- but methinks 
Red Hat would do that as an errata instead.  If a patch can be worked up, it 
should be passed through those channels.  Unless we want to consider rolling 
6.5.4, 7.0.4, and 7.1.4 security bugfix releases.

Of course, this is open source, and there's nothing preventing a third party 
from forking off and releasing a 6.5.4 bugfix release.  But I wouldn't count 
on getting core developers to be interested in it -- the bug is fixed in the 
current version, and their time is far better spent on fixing bugs and 
developing new features in the current version.  

And I'm sure that if someone wanted to volunteer to provide a patchset for 
each affected version, Bruce might just apply them, and you might talk Marc 
into rolling them up.  But good luck doing so.  Then I'd be happy building 
RPMs out of them -- on my current box.  You would then have to rebuild 
the RPMs for your box from my src.rpm.

'Upgrade to the next version' is not a good answer, either, particularly since 
we don't have a true upgrade path, and the problems that dump/restore 
reinstalls have brought to light.

In a similar vein, due to some baroque dependencies, I still have a client 
running RedHat 5.2 in production.  Not pretty to support.  Still at 6.5.3, 
too.

We need a better upgrade path, but that's a different discussion.
-- 
Lamar Owen
WGCR Internet Radio
1 Peter 4:11

