openerp-community team mailing list archive

Re: Major security patch for all versions of PostgreSQL

>> We are considering releasing a security update for OpenERP to prevent
>> exploiting the vulnerability even on unpatched PostgreSQL versions.

Has a decision been made about this yet?  Will OpenERP be releasing a
security update? Or is the recommended course of action to update
PostgreSQL ?

Ray.

-----Original Message-----
From: openerp-community-bounces+rcarnes=ursainfosystems.com@xxxxxxxxxxxxxxxxxxx [mailto:openerp-community-bounces+rcarnes=ursainfosystems.com@lists.launchpad.net] On Behalf Of Olivier Dony
Sent: Thursday, April 04, 2013 8:32 AM
To: Marco Dieckhoff
Cc: openerp-community@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Openerp-community] Major security patch for all versions of PostgreSQL

On 04/04/2013 04:53 PM, Marco Dieckhoff wrote:
> Am 04.04.2013 16:40, schrieb Brendan Clune:
>> Something which affects us all...
>>
>> http://www.postgresql.org/about/news/1456/
>>
>
> Sadly, it looks like neither Ubuntu 12.04 (Server, LTS) nor Debian
> Wheezy/Sid has a version newer than the ones mentioned above... Or my
> mirrors don't have them yet.


The Ubuntu repositories have now been updated so PostgreSQL 9.1.9 is
available for all users of Ubuntu 11.10, 12.04 and 12.10:
	http://www.ubuntu.com/usn/usn-1789-1/
The serious vulnerability only affects PostgreSQL 9.X. Users of Postgres
8.X are safe from that specific Denial of Service attack.

Updating your Ubuntu server is as simple as:
	sudo apt-get update
	sudo apt-get dist-upgrade

Debian repositories do not have PostgreSQL 9.1.9, but are expected to be
updated soon.

This vulnerability is very serious and can be exploited trivially via
OpenERP even if your database server is not listening on a public
interface (and even if you use --db-filter)! Attackers can use it to
remotely crash your databases in a way that will require a manual fix or a
restore from backup.

We are considering releasing a security update for OpenERP to prevent
exploiting the vulnerability even on unpatched PostgreSQL versions.

Note: It is usually necessary to restart your OpenERP servers after
upgrading PostgreSQL, except if you are using a version of OpenERP 7.0
dated after February 19, 2013 (see http://pad.lv/905257 for more info).

_______________________________________________
Mailing list: https://launchpad.net/~openerp-community
Post to     : openerp-community@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openerp-community
More help   : https://help.launchpad.net/ListHelp