Thread: postgresql command line exploit found in the wild

postgresql command line exploit found in the wild

From

Merlin Moncure

Date:

08 April 2013, 18:07:27

see: http://schemaverse.tumblr.com/post/47312545952/the-schemaverse-was-hacked

if you have an internet facing database, patch it immediately!
(personally, I would only do this through a service such as pgbouncer
runnning under extremely limited account).  do not delay!

merlin

Re: postgresql command line exploit found in the wild

From

"Daniel Verite"

Date:

08 April 2013, 18:48:19

    Merlin Moncure wrote:

> if you have an internet facing database, patch it immediately!

By the way:

People running 9.1 on debian stable (squeeze) typically use this package:
http://packages.debian.org/squeeze-backports/postgresql-9.1

Currently, it looks like the fix is only available in pre-compiled form for
the amd64 architecture (see the bottom of the page). All other archs
including the popular i386 are stuck at version: 9.1.7-1~bpo60+1

I find it problematic. One can always switch to the new apt.postgresql.org
repository that has the latest versions, but how many people are going to not
even notice the problem, trusting their normal upgrade path?

Best regards,
--
Daniel
PostgreSQL-powered mail user agent and storage: http://www.manitou-mail.org

Re: postgresql command line exploit found in the wild

From

Merlin Moncure

Date:

08 April 2013, 18:54:41

On Mon, Apr 8, 2013 at 10:48 AM, Daniel Verite <daniel@manitou-mail.org> wrote:
>         Merlin Moncure wrote:
>
>> if you have an internet facing database, patch it immediately!
>
> By the way:
>
> People running 9.1 on debian stable (squeeze) typically use this package:
> http://packages.debian.org/squeeze-backports/postgresql-9.1
>
> Currently, it looks like the fix is only available in pre-compiled form for
> the amd64 architecture (see the bottom of the page). All other archs
> including the popular i386 are stuck at version: 9.1.7-1~bpo60+1
>
> I find it problematic. One can always switch to the new apt.postgresql.org
> repository that has the latest versions, but how many people are going to not
> even notice the problem, trusting their normal upgrade path?

I guess this should be raised with the debian package maintainers?

merlin

Re: postgresql command line exploit found in the wild

From

Christoph Berg

Date:

09 April 2013, 15:44:17

Re: Daniel Verite 2013-04-08 <cd81d201-e9fa-4567-ac49-e3e762935747@mm>
>     Merlin Moncure wrote:
>
> > if you have an internet facing database, patch it immediately!
>
> By the way:
>
> People running 9.1 on debian stable (squeeze) typically use this package:
> http://packages.debian.org/squeeze-backports/postgresql-9.1
>
> Currently, it looks like the fix is only available in pre-compiled form for
> the amd64 architecture (see the bottom of the page). All other archs
> including the popular i386 are stuck at version: 9.1.7-1~bpo60+1

This is just packages.debian.org lagging behind. The packages were
available on Thursday. (Excluding i386/armel.) Look at the timestamps
on http://backports.debian.org/debian-backports/pool/main/p/postgresql-9.1/ .

> I find it problematic. One can always switch to the new apt.postgresql.org
> repository that has the latest versions, but how many people are going to not
> even notice the problem, trusting their normal upgrade path?

I'm poking the backports people to throw more resources on building
packages there.

Christoph
--
cb@df7cb.de | http://www.df7cb.de/