On 05/03/2013 10:07 PM, Ray Carnes wrote:
> > We are considering releasing a security update for OpenERP to prevent exploiting the vulnerability even on unpatched PostgreSQL versions.
> Has a decision been made about this yet? Will OpenERP be releasing a security update? Or is the recommended course of action to update PostgreSQL?
The recommended course of action is definitely to patch all PostgreSQL installations, regardless of the availability of a patch for OpenERP. There are usually several ways to exploit this on any system; OpenERP is only one of them.
A proof of concept patch was written for OpenERP, but it turned out to be unsuitable for official LTS versions, as it breaks compatibility with some existing database names (unusual ones, but still technically valid and working). Note that the connection pooling system might also incur a small performance hit due to this extra check.
Proof of concept for 7.0: https://code.launchpad.net/~openerp-dev/openobject-server/7.0-sanitize-db-connections/+merge/164190
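To make the trade-off in the reply above concrete, here is an added illustration (not the OpenERP proof-of-concept patch, nor any code from the linked branch): a database-name allowlist applied at every checkout of a small per-database connection pool. The allowlist pattern, the `ConnectionPool`/`is_safe_db_name` names and the sample names are assumptions of this example. The point it shows is the one the reply makes: a conservative check refuses some names that PostgreSQL accepts when double-quoted, and the check runs on every checkout, so it is not free.

```python
import re
import threading

# Hypothetical allowlist policy (an assumption of this example, not OpenERP's
# rule): a name must start with a letter, digit or underscore and may then
# contain letters, digits, underscore, dot or hyphen. Anything else is refused.
_SAFE_DB_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def is_safe_db_name(name: str) -> bool:
    """Return True if `name` is non-empty, fits a PostgreSQL identifier length
    and matches the allowlist pattern."""
    return bool(name) and len(name) <= 63 and _SAFE_DB_NAME.match(name) is not None


class UnsafeDbName(ValueError):
    """Raised when a requested database name fails the allowlist check."""


class ConnectionPool:
    """Minimal per-database pool that re-validates the name on every checkout.

    `connect` is injected so the example runs offline; in a deployment it would
    be the real driver call (e.g. psycopg2.connect with a dbname argument).
    """

    def __init__(self, connect, maxconn=4):
        self._connect = connect
        self._maxconn = maxconn
        self._lock = threading.Lock()
        self._free = {}   # dbname -> list of idle connections
        self.checks = 0   # number of validator runs: the extra per-checkout cost

    def get(self, dbname):
        # Validate before touching the pool, even when an idle connection for
        # this name already exists, so a bad name never reaches the driver.
        self.checks += 1
        if not is_safe_db_name(dbname):
            raise UnsafeDbName(dbname)
        with self._lock:
            idle = self._free.setdefault(dbname, [])
            if idle:
                return idle.pop()
        return self._connect(dbname)

    def put(self, dbname, conn):
        """Return a connection to the idle list, discarding it when full."""
        with self._lock:
            idle = self._free.setdefault(dbname, [])
            if len(idle) < self._maxconn:
                idle.append(conn)


def classify(names):
    """Split requested database names into (accepted, refused) lists."""
    accepted = [n for n in names if is_safe_db_name(n)]
    refused = [n for n in names if not is_safe_db_name(n)]
    return accepted, refused


# Constructed sample input. Every entry except the empty string is a legal
# PostgreSQL database name when written as a double-quoted identifier, so the
# ones the allowlist refuses are exactly the compatibility cost discussed above.
SAMPLE_NAMES = ["openerp_prod", "client-7.0", "-x", "my db", "", 'a"b']

if __name__ == "__main__":
    ok, bad = classify(SAMPLE_NAMES)
    print("accepted:", ok)
    print("refused: ", bad)
    pool = ConnectionPool(lambda db: object())
    conn = pool.get("openerp_prod")
    pool.put("openerp_prod", conn)
    print("reused idle connection:", pool.get("openerp_prod") is conn)
    print("validator ran", pool.checks, "times")
```

Tightening or loosening `_SAFE_DB_NAME` is the whole decision: the stricter it is, the fewer existing (quoted) database names keep working, which is why the reply judges such a check unsuitable for an LTS release.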