Home > mailing lists

Re: CVE-2013-1899 security issue and limited IP addresses in pg_hba.conf - Mailing list pgsql-general

From	Bruce Momjian
Subject	Re: CVE-2013-1899 security issue and limited IP addresses in pg_hba.conf
Date	April 4, 2013 19:44:44
Msg-id	20130404164437.GB13856@momjian.us Whole thread Raw
In response to	CVE-2013-1899 security issue and limited IP addresses in pg_hba.conf (Mads.Tandrup@schneider-electric.com)
Responses	Re: CVE-2013-1899 security issue and limited IP addresses in pg_hba.conf
List	pgsql-general

Tree view

On Thu, Apr  4, 2013 at 06:39:22PM +0200, Mads.Tandrup@schneider-electric.com wrote:
> Hi All
>
> I'm trying to understand the implications of the latest security fix to
> postgresql [1].
>
> We have a setup were we in pg_hba.conf have limited the allowed IP addresses of
> the clients. But does anyone know if CVE-2013-1899 allows an arbitrary attacker
> to use the exploits described in [1]?

Yes, if you were running 9.0+.  pg_hba.conf does not limit access
sufficiently, though listen_addresses does.

> We are using PostgreSQL 8.4.

8.4 does not contain the bug.

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + It's impossible for everything to be true. +

pgsql-general by date:

From: Devrim Gündüz
Date: 04 April 2013, 19:43:51
Subject: Re: CVE-2013-1899 security issue and limited IP addresses in pg_hba.conf

From: David Wall
Date: 04 April 2013, 20:08:54
Subject: Re: Permissions on large objects - db backup and restore

Re: CVE-2013-1899 security issue and limited IP addresses in pg_hba.conf - Mailing list pgsql-general

Previous

Next