openerp-community team mailing list archive

Thread
Date

Re: Major security patch for all versions of PostgreSQL

To: Ray Carnes <rcarnes@xxxxxxxxxxxxxxxxxxx>
From: Olivier Dony <odo@xxxxxxxxxxx>
Date: Thu, 16 May 2013 17:51:44 +0200
Cc: openerp-community@xxxxxxxxxxxxxxxxxxx
In-reply-to: <e7a8683b9bbea6d6e3cfd1d81662e714@mail.gmail.com>
Organization: OpenERP s.a.
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130510 Thunderbird/17.0.6

On 05/03/2013 10:07 PM, Ray Carnes wrote:

We are considering releasing a security update for OpenERP to prevent

exploiting the vulnerability even >>on unpatched PostgreSQL versions.

Has a decision been made about this yet?  Will OpenERP be releasing a
security update? Or is the recommended course of action to update
PostgreSQL ?

The recommended course of action is definitely to patch all PostgreSQLinstallations, irregardless of the availability of a patch for OpenERP.There are usually several ways to exploit this on any system, OpenERP is onlyone of them.

A proof of concept patch was written for OpenERP, but it turned out to beunsuitable for official LTS versions, as it breaks compatibility with someexisting database names (unusual ones, but still technically valid andworking). Note that the connection pooling system might also incur a smallperformance hit due to this extra check.

Proof of concept for 7.0:
https://code.launchpad.net/~openerp-dev/openobject-server/7.0-sanitize-db-connections/+merge/164190

References

Major security patch for all versions of PostgreSQL
From: Brendan Clune, 2013-04-04
Re: Major security patch for all versions of PostgreSQL
From: Marco Dieckhoff, 2013-04-04
Re: Major security patch for all versions of PostgreSQL
From: Olivier Dony, 2013-04-04
Re: Major security patch for all versions of PostgreSQL
From: Ray Carnes, 2013-05-03