Re: postgresql command line exploit found in the wild - Mailing list pgsql-general

From Merlin Moncure
Subject Re: postgresql command line exploit found in the wild
Date
Msg-id CAHyXU0ydehUfsnAio8SRXog_drMa-nASM+cyEEeydGmx1DcU7w@mail.gmail.com
In response to Re: postgresql command line exploit found in the wild  ("Daniel Verite" <daniel@manitou-mail.org>)
List pgsql-general
On Mon, Apr 8, 2013 at 10:48 AM, Daniel Verite <daniel@manitou-mail.org> wrote:
> Merlin Moncure wrote:
>
>> if you have an internet facing database, patch it immediately!
>
> By the way:
>
> People running 9.1 on Debian stable (squeeze) typically use this package:
> http://packages.debian.org/squeeze-backports/postgresql-9.1
>
> Currently, it looks like the fix is only available in pre-compiled form for
> the amd64 architecture (see the bottom of the page). All other archs
> including the popular i386 are stuck at version: 9.1.7-1~bpo60+1
>
> I find it problematic. One can always switch to the new apt.postgresql.org
> repository that has the latest versions, but how many people are going to not
> even notice the problem, trusting their normal upgrade path?

I guess this should be raised with the Debian package maintainers?

merlin

