
openerp-community team mailing list archive

Re: Major security patch for all versions of PostgreSQL


Unfortunately, that seems to be the case. PostgreSQL has their own apt
repository (see: http://www.postgresql.org/download/linux/ubuntu/), which
may be worth using if your server is particularly vulnerable (i.e. your
postgres instance responds to traffic on a public port). I expect to see
vendor binaries out soon, but the vulnerability does seem to be pretty
severe; in an instance where my postgres instance was web-facing, I don't
think I'd risk waiting. At the very least, if you accept postgres traffic
on a public port, consider whitelisting it aggressively while you wait for
a patch to be released by your distribution.


On Thu, Apr 4, 2013 at 10:53 AM, Marco Dieckhoff <marco.dieckhoff@xxxxxxxxxxxxxx> wrote:

>  On 04.04.2013 16:40, Brendan Clune wrote:
>
> Something which affects us all...
>
>  http://www.postgresql.org/about/news/1456/
>
>  From the article:
>
>  "The PostgreSQL Global Development Group has released a security update
> to all current versions of the PostgreSQL database system, including
> versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update fixes a
> high-exposure security vulnerability in versions 9.0 and later. All users
> of the affected versions are strongly urged to apply the update immediately.
>
>  "A major security issue fixed in this release, CVE-2013-1899, makes it
> possible for a connection request containing a database name that begins
> with "-" to be crafted that can damage or destroy files within a server's
> data directory. Anyone with access to the port the PostgreSQL server
> listens on can initiate this request. This issue was discovered by
> Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center."
>
>  The PostgreSQL developers have been working with various Linux
> distributions before disclosing the vulnerability, so updated packages
> should be available shortly if they are not already in your distribution's
> repository. Consider upgrading immediately, *especially* if your OpenERP
> database is hosted remotely.
>
>
> Sadly, it looks like neither Ubuntu 12.04 (Server, LTS) nor Debian
> Wheezy/Sid has a version newer than the ones mentioned above... Or my
> mirrors don't have them yet.
>
> Best regards,
> Marco
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openerp-community
> Post to     : openerp-community@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openerp-community
> More help   : https://help.launchpad.net/ListHelp
>
>


-- 
Brendan Clune
Information Technology
Logic Supply, Inc.
Direct: 802 861 7459 | Main: 802 861 2300
www.logicsupply.com | www.lgxsystems.com
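A small script for checking whether a PostgreSQL installation is at or above the fixed releases named in the advisory quoted above (9.0.13, 9.1.9, 9.2.4; the advisory states that 9.0 and later are affected), offered here as an added example that is not part of the original thread or of the PostgreSQL project. It parses the output of `psql --version` or `SELECT version()`, and the sample version strings embedded in it are constructed, not taken from any real host.

```python
import re
import shutil
import subprocess

# Minimum fixed release for each affected major series, as listed in the
# advisory quoted in this thread (CVE-2013-1899). Series below 9.0 are
# described by the advisory as unaffected; later series are not covered by it.
FIXED_RELEASES = {
    (9, 0): (9, 0, 13),
    (9, 1): (9, 1, 9),
    (9, 2): (9, 2, 4),
}

# Matches both "psql (PostgreSQL) 9.1.8" and "PostgreSQL 9.1.9 on x86_64-...".
_VERSION_RE = re.compile(r"PostgreSQL\)?\s+(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract (major, minor, patch) from a psql/SELECT version() string.

    Returns None if no PostgreSQL version is present. A missing patch level
    (e.g. a beta build) is treated as 0.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch is not None else 0)


def assess(version):
    """Classify a parsed version against the advisory's fixed releases.

    Returns 'unaffected', 'fixed', 'vulnerable' or 'unknown-series'.
    """
    series = version[:2]
    if series < (9, 0):
        return "unaffected"
    fixed = FIXED_RELEASES.get(series)
    if fixed is None:
        return "unknown-series"
    return "fixed" if version >= fixed else "vulnerable"


def check(text):
    """Parse and assess one version string; returns (version, status)."""
    version = parse_version(text)
    if version is None:
        return None, "unparsed"
    return version, assess(version)


# Constructed sample outputs, standing in for what different hosts might report.
SAMPLES = {
    "host-a (constructed)": "psql (PostgreSQL) 9.1.8",
    "host-b (constructed)": "PostgreSQL 9.2.4 on x86_64-unknown-linux-gnu, compiled by gcc",
    "host-c (constructed)": "psql (PostgreSQL) 8.4.16",
    "host-d (constructed)": "psql (PostgreSQL) 9.0.12",
}


def run_samples(samples=SAMPLES):
    """Assess every sample string; returns {name: status}."""
    return {name: check(text)[1] for name, text in samples.items()}


def check_local_psql():
    """Assess the psql binary on PATH, if any; returns (version, status) or None."""
    psql = shutil.which("psql")
    if psql is None:
        return None
    out = subprocess.run([psql, "--version"], capture_output=True, text=True).stdout
    return check(out)


if __name__ == "__main__":
    for name, status in run_samples().items():
        print(f"{name}: {status}")
    local = check_local_psql()
    print("local psql:", local if local else "not installed")
```

The status `unknown-series` is deliberate: a series the advisory does not list (anything newer than 9.2 at the time of the thread) should be checked against the release notes for that series rather than silently reported as fixed, and a server-side `SELECT version()` reflects the running server, whereas `psql --version` only reflects the client binary.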
