Re: New PostgreSQL security/bug fix releases: 8.4.5, 8.3.12 [CVE-2010-3433]

2010-10-13 Thread Julien Cristau
On Mon, Oct 11, 2010 at 14:43:50 +0200, Julien Cristau wrote:

 On Mon, Oct 11, 2010 at 12:15:45 +0100, Adam D. Barratt wrote:
 
  It's a side-effect of
  
  libpq5 |8.4.4-1 |  unstable | hurd-i386
  
  (and similar for all the other architecture-dependent packages)
  
 I filed 599804 to get the hurd debs out of the way.
 
After some fun with dak and queued this was finally accepted (with
ftpteam help), and should move to testing once all builds are there.

Cheers,
Julien


signature.asc
Description: Digital signature


Re: New PostgreSQL security/bug fix releases: 8.4.5, 8.3.12 [CVE-2010-3433]

2010-10-11 Thread Julien Cristau
On Wed, Oct  6, 2010 at 12:39:47 +0200, Julien Cristau wrote:

 On Wed, Oct  6, 2010 at 09:40:51 +0200, Martin Pitt wrote:
 
  I uploaded 8.4.5-1 to unstable with urgency=medium (since this also
  fixes the usual metric ton of other bugs). Release team, can you
  please allow this into testing?
  
 Unblocked.
 
So that's not working.  I think it's because 8.4 in sid no longer has
libpq5, so migrating it would remove that package and break its reverse
deps.

Cheers,
Julien




Re: New PostgreSQL security/bug fix releases: 8.4.5, 8.3.12 [CVE-2010-3433]

2010-10-11 Thread Martin Pitt
Hello Julien,

dropping -secur...@.

Julien Cristau [2010-10-11 10:18 +0200]:
 So that's not working.  I think it's because 8.4 in sid no longer has
 libpq5, so migrating it would remove that package and break its reverse
 deps.

Sorry about that. As discussed on #debian-release, I uploaded an
identical package (except for a lower version number) to t-p-u.

This was built in a freshly created squeeze chroot, and upstream and
p-common tests all pass.

Martin
-- 
Martin Pitt| http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)




Re: New PostgreSQL security/bug fix releases: 8.4.5, 8.3.12 [CVE-2010-3433]

2010-10-11 Thread Martin Pitt
Martin Pitt [2010-10-11 11:36 +0200]:
 Sorry about that. As discussed on #debian-release, I uploaded an
 identical package (except for a lower version number) to t-p-u.

... but that failed:

Reject Reasons:
postgresql-client_8.4.5-0squeeze1_all.deb: old version (8.4.4-1) in unstable <= new version (8.4.5-0squeeze1) targeted at testing-proposed-updates.
postgresql-contrib_8.4.5-0squeeze1_all.deb: old version (8.4.4-1) in unstable <= new version (8.4.5-0squeeze1) targeted at testing-proposed-updates.
postgresql-doc-8.4_8.4.5-0squeeze1_all.deb: old version (8.4.4-1) in unstable <= new version (8.4.5-0squeeze1) targeted at testing-proposed-updates.
postgresql-doc_8.4.5-0squeeze1_all.deb: old version (8.4.4-1) in unstable <= new version (8.4.5-0squeeze1) targeted at testing-proposed-updates.
postgresql_8.4.5-0squeeze1_all.deb: old version (8.4.4-1) in unstable <= new version (8.4.5-0squeeze1) targeted at testing-proposed-updates.
postgresql-8.4_8.4.5-0squeeze1.dsc: old version (8.4.4-1) in unstable <= new version (8.4.5-0squeeze1) targeted at testing-proposed-updates.

(those are all the arch:all binaries)

I don't quite understand this message. First, it doesn't make much
sense, since it relates unstable with testing, and second the current
version of these packages in testing is 8.4.4-2, and in unstable it is
8.4.5-1, so I don't know where it takes the 8.4.4-1 from?

Thanks,

Martin


-- 
Martin Pitt| http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)




Re: New PostgreSQL security/bug fix releases: 8.4.5, 8.3.12 [CVE-2010-3433]

2010-10-11 Thread Adam D. Barratt
On Mon, October 11, 2010 12:06, Martin Pitt wrote:
 Martin Pitt [2010-10-11 11:36 +0200]:
 Sorry about that. As discussed on #debian-release, I uploaded an
 identical package (except for a lower version number) to t-p-u.

 ... but that failed:

 Reject Reasons:
 postgresql-client_8.4.5-0squeeze1_all.deb: old version (8.4.4-1) in unstable <= new version (8.4.5-0squeeze1) targeted at testing-proposed-updates.
[...]
 (those are all the arch:all binaries)

 I don't quite understand this message. First, it doesn't make much
 sense, since it relates unstable with testing,

Package versions in testing / t-p-u must not be higher than those in
unstable; afaics from that point of view the message is entirely logical?

 and second the current
 version of these packages in testing is 8.4.4-2, and in unstable it is
 8.4.5-1, so I don't know where it takes the 8.4.4-1 from?

It's a side-effect of

libpq5 |8.4.4-1 |  unstable | hurd-i386

(and similar for all the other architecture-dependent packages)

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/3f6920b4534a2e2c0c01868584f38f8b.squir...@adsl.funky-badger.org



Re: New PostgreSQL security/bug fix releases: 8.4.5, 8.3.12 [CVE-2010-3433]

2010-10-11 Thread Julien Cristau
On Mon, Oct 11, 2010 at 12:15:45 +0100, Adam D. Barratt wrote:

 It's a side-effect of
 
 libpq5 |8.4.4-1 |  unstable | hurd-i386
 
 (and similar for all the other architecture-dependent packages)
 
I filed 599804 to get the hurd debs out of the way.

Cheers,
Julien




New PostgreSQL security/bug fix releases: 8.4.5, 8.3.12 [CVE-2010-3433]

2010-10-06 Thread Martin Pitt
Hello security and release teams,

Yesterday, PostgreSQL released new security/bug fix microreleases. Please
see http://www.postgresql.org/about/news.1244 for the details of the
announcement. This fixes a privilege escalation through SECURITY
DEFINER stored procedures, which is the SQL equivalent of suid root
programs. I.e., this allows normal DB users to run arbitrary code as
the postgres DB superuser, and therefore get unlimited access to the
DB server (CVE-2010-3433). The DB admin explicitly needs to grant the
right to run trusted PLs to the DB user (which is therefore already
trusted up to some degree). However, this can become a major problem
if there is a webserver app in front which allows injecting arbitrary
SQL (which is a security problem by itself, of course, but still all
too common).

I uploaded 8.4.5-1 to unstable with urgency=medium (since this also
fixes the usual metric ton of other bugs). Release team, can you
please allow this into testing?

I also uploaded 9.0.1-1 to unstable, but since 9.0 won't go into
testing there is no further action here.

I also prepared a lenny update at

  http://people.debian.org/~mpitt/psql/

It has a full debdiff, but there's a lot of noise in it, so I prepared
a cleaner variant which is easier to read:

  $ filterdiff -x '*.gitignore' -x '*.cvsignore' -x '*/doc/*' -x '*.po' -x '*preproc.c' 8.3.11-0lenny1-8.3.12-0lenny1.debdiff | grep -v '^diff' > 8.3.11-0lenny1-8.3.12-0lenny1-cleaned.debdiff

  http://people.debian.org/~mpitt/psql/8.3.11-0lenny1-8.3.12-0lenny1-cleaned.debdiff

The changes in doc/ are mostly just the version bump and the new
changelog (which is also present in the plain text HISTORY file).
po files were re-merged and thus have a lot of reformatting noise.
preproc.c is a huge yacc generated file, because the source preproc.y
changed slightly, thus I only kept the .y file in the cleaned diff.

This update passes the upstream test suite as well as my
postgresql-common integration tests. 

Please let me know how to proceed with the security update.

Thank you!

Martin

-- 
Martin Pitt| http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
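The announcement above names two preconditions for the escalation: a trusted PL that ordinary users may use, and SECURITY DEFINER functions owned by a superuser. The following audit query is an added example (not part of this thread and not from the PostgreSQL project) that lists both so an admin can gauge exposure before the fixed packages land; it assumes the PostgreSQL 8.3/8.4 system catalogs and is run as a superuser.

```sql
-- Added example, not from the thread. Assumes PostgreSQL 8.3/8.4 catalogs
-- (pg_language, pg_proc, pg_roles, pg_namespace); run as a superuser.

-- 1. Procedural languages and who may use them.
--    A NULL lanacl means default privileges, which for a trusted PL
--    includes USAGE for PUBLIC, i.e. every database user.
SELECT l.lanname,
       l.lanpltrusted,
       COALESCE(l.lanacl::text,
                '(default: USAGE granted to PUBLIC)') AS acl
FROM   pg_catalog.pg_language l
WHERE  l.lanispl                          -- procedural languages only
ORDER  BY l.lanname;

-- 2. SECURITY DEFINER functions owned by a superuser: their body runs
--    with superuser rights no matter who calls them (the "suid root"
--    analogy from the announcement). Built-in schemas are skipped.
SELECT n.nspname AS schema,
       p.proname AS function,
       pg_catalog.oidvectortypes(p.proargtypes) AS args,
       l.lanname AS language,
       r.rolname AS owner
FROM   pg_catalog.pg_proc      p
JOIN   pg_catalog.pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_catalog.pg_language  l ON l.oid = p.prolang
JOIN   pg_catalog.pg_roles     r ON r.oid = p.proowner
WHERE  p.prosecdef                        -- SECURITY DEFINER
  AND  r.rolsuper                         -- owner is a superuser
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER  BY 1, 2;
```

Rows from the second query whose language also appears in the first with USAGE open to PUBLIC are the ones the update protects; if the list is empty, the fix is still needed but the immediate exposure is limited to the grant the announcement describes.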




Re: New PostgreSQL security/bug fix releases: 8.4.5, 8.3.12 [CVE-2010-3433]

2010-10-06 Thread Julien Cristau
On Wed, Oct  6, 2010 at 09:40:51 +0200, Martin Pitt wrote:

 I uploaded 8.4.5-1 to unstable with urgency=medium (since this also
 fixes the usual metric ton of other bugs). Release team, can you
 please allow this into testing?
 
Unblocked.

Cheers,
Julien




Re: New PostgreSQL security/bug fix releases: 8.4.5, 8.3.12 [CVE-2010-3433]

2010-10-06 Thread Florian Weimer
* Martin Pitt:

 Please let me know how to proceeed with the security update.

Please upload the lenny part to security-master.

