Unfortunately, that seems to be the case. PostgreSQL has their own apt repository (see: http://www.postgresql.org/download/linux/ubuntu/), which may be worth using if your server is particularly vulnerable (i.e. your postgres instance responds to traffic on a public port). I expect to see vendor binaries out soon, but the vulnerability does seem to be pretty severe; in an instance where my postgres instance was web-facing, I don't think I'd risk waiting. At the very least, if you accept postgres traffic on a public port, consider whitelisting it aggressively while you wait for a patch to be released by your distribution.
On Thu, Apr 4, 2013 at 10:53 AM, Marco Dieckhoff <marco.dieckh...@googlemail.com> wrote:

> On 04.04.2013 16:40, Brendan Clune wrote:
> > Something which affects us all...
> > http://www.postgresql.org/about/news/1456/
> >
> > From the article:
> >
> > "The PostgreSQL Global Development Group has released a security update to all current versions of the PostgreSQL database system, including versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update fixes a high-exposure security vulnerability in versions 9.0 and later. All users of the affected versions are strongly urged to apply the update immediately.
> >
> > "A major security issue fixed in this release, CVE-2013-1899, makes it possible for a connection request containing a database name that begins with "-" to be crafted that can damage or destroy files within a server's data directory. Anyone with access to the port the PostgreSQL server listens on can initiate this request. This issue was discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center."
> >
> > The PostgreSQL developers have been working with various Linux distributions before disclosing the vulnerability, so updated packages should be available shortly if they are not already in your distribution's repository. Consider upgrading immediately, *especially* if your OpenERP database is hosted remotely.
>
> Sadly, it looks like neither Ubuntu 12.04 (Server, LTS) nor Debian Wheezy/Sid has a version newer than the ones mentioned above... Or my mirrors don't have them yet.
>
> Best regards,
> Marco
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openerp-community
> Post to     : openerp-community@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openerp-community
> More help   : https://help.launchpad.net/ListHelp

--
Brendan Clune
Information Technology
Logic Supply, Inc.
Direct: 802 861 7459 | Main: 802 861 2300
www.logicsupply.com | www.lgxsystems.com
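The whitelisting advised in the reply above can be enforced in PostgreSQL's own pg_hba.conf as well as at the firewall. The following audit script is an added example (not code from anyone in this thread); it flags host rules that admit any client or use the password-less `trust` method, and the pg_hba.conf contents it checks are constructed for illustration.

```python
"""Audit a pg_hba.conf for host rules that expose PostgreSQL to every client.
Added example, not code from the thread; the sample file content is constructed."""
import ipaddress

# Constructed sample pg_hba.conf with two deliberately over-broad rules.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    peer
host    all       all   127.0.0.1/32     md5
host    openerp   erp   10.0.5.0/24      md5
host    all       all   0.0.0.0/0        md5
host    all       all   ::/0             trust
"""

def parse_hba(text):
    """Yield (type, database, user, address, method) for network rules.
    Both the 'addr/prefix' and the 'addr netmask' column forms are accepted."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            continue  # Unix-socket rules are not reachable from the network
        if len(f) == 6:  # separate netmask column: fold it into CIDR form
            f = f[:3] + [f"{f[3]}/{f[4]}"] + f[5:]
        yield f[0], f[1], f[2], f[3], f[4]

def is_wide_open(address):
    """True if the ADDRESS column matches every IPv4 or IPv6 client."""
    if address == "all":
        return True
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return False  # samehost/samenet/hostname entries are not judged here
    return net.prefixlen == 0

def audit(text):
    """Return one finding string per rule that should be tightened."""
    findings = []
    for typ, db, user, addr, method in parse_hba(text):
        if is_wide_open(addr):
            findings.append(f"{typ} {db} {user} {addr}: open to any client")
        if method == "trust":
            findings.append(f"{typ} {db} {user} {addr}: 'trust' requires no password")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_HBA):
        print(finding)
```

Run it against the live file (`audit(open("/etc/postgresql/9.1/main/pg_hba.conf").read())`, path varies by distribution) to list rules to narrow before the distribution packages arrive.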