Thread: PostgreSQL Security Release(s) for 7.2, 7.3 and 7.4
In order to address a recent security report from iDefence, we have
released 3 new "point" releases: 7.2.6, 7.3.8 and 7.4.6
Although rated only a Medium risk, according to their web site: "A
vulnerability exists due to the insecure creation of temporary files,
which could possibly let a malicious user overwrite arbitrary files."
Also in these releases is a potential 'data loss' bug that was recently
identified:
* Repair possible failure to update hint bits on disk
Under rare circumstances this oversight could lead to "could not
access transaction status" failures, which qualifies it as a
potential-data-loss bug.
Although not yet available via Bittorrent, these releases are available
through ftp at all of the mirrors, and Devrim is currently working on RPMs
for the various releases, which should be available soon.
For a listing of all currently available FTP mirrors, please see:
http://www.postgresql.org/mirrors-ftp.html
----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org Yahoo!: yscrappy ICQ: 7615664
Marc G. Fournier wrote: > In order to address a recent security report from iDefence, we have > released 3 new "point" releases: 7.2.6, 7.3.8 and 7.4.6 Assuming you're referring to the make_oidjoins_check bug, I don't think it is accurate to bill these as "security releases". As the 7.4.6 release notes plainly state: --- # Avoid using temp files in /tmp in make_oidjoins_check This has been reported as a security issue, though it's hardly worthy of concern since there is no reason for non-developers to use this script anyway. --- That said, the fix for the clog bug is reason enough to make the point releases, and reason enough for users to upgrade. -Neil
Neil Conway <neilc@samurai.com> writes:
> Marc G. Fournier wrote:
>> In order to address a recent security report from iDefence, we have
>> released 3 new "point" releases: 7.2.6, 7.3.8 and 7.4.6
> Assuming you're referring to the make_oidjoins_check bug,
He's not. There were two other recent security reports, which core kept
to ourselves until the release could be made. The other issues were
only marginally more serious than make_oidjoins_check, but worth fixing
now given that the hint-bit bug was forcing a release anyway.
regards, tom lane
On Mon, 2004-10-25 at 00:43, Tom Lane wrote: > He's not. There were two other recent security reports, which core kept > to ourselves until the release could be made. Ah, ok -- fair enough. Are those additional security fixes mentioned in the release notes? -Neil
Neil Conway <neilc@samurai.com> writes:
> On Mon, 2004-10-25 at 00:43, Tom Lane wrote:
>> He's not. There were two other recent security reports, which core kept
>> to ourselves until the release could be made.
> Ah, ok -- fair enough. Are those additional security fixes mentioned in
> the release notes?
Yes, or at least the one that affected PG proper (pg_ctl as root).
The other was a bug in the RPM init script.
I just realized that Devrim wasn't in the loop on that, so he'll
probably have to rebuild the PGDG RPMs :-(
regards, tom lane