Re: Security question: are these vulnerabilities addressed?
On Sun, Jun 03, 2007 at 12:50:51AM -0400, Scott Gifford wrote:
> Douglas Allan Tutty [EMAIL PROTECTED] writes:
> > On Fri, Jun 01, 2007 at 12:07:23AM -0400, Scott Gifford wrote:
> > > Postgres completely fell apart, and it took many hours to piece
> > > things back together.
> >
> > Did you have a postgres dump just prior to the upgrade? In what way
> > did it fall apart? What did you have to do to piece things back
> > together; didn't restoring from the dump work?
>
> The data was OK, but it lost all the user accounts. It's been a few
> months now and my memory is a bit hazy, but IIRC, the format of the
> Postgres password file changed between versions.

I thought that a pg_dumpall would dump all the users with their passwords
so that when the dump was run by the new version, the file would be
created correctly from the data in the dump. I thought that was the whole
reason for doing a pg_dump rather than just backing up the postgres home
directory with it stopped.

Doug.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe.
Trouble? Contact [EMAIL PROTECTED]
Re: Security question: are these vulnerabilities addressed?
Douglas Allan Tutty [EMAIL PROTECTED] writes:
> On Sun, Jun 03, 2007 at 12:50:51AM -0400, Scott Gifford wrote:
> > Douglas Allan Tutty [EMAIL PROTECTED] writes:
> > > On Fri, Jun 01, 2007 at 12:07:23AM -0400, Scott Gifford wrote:
> > > > Postgres completely fell apart, and it took many hours to piece
> > > > things back together.
> > >
> > > Did you have a postgres dump just prior to the upgrade? In what way
> > > did it fall apart? What did you have to do to piece things back
> > > together; didn't restoring from the dump work?
> >
> > The data was OK, but it lost all the user accounts. It's been a few
> > months now and my memory is a bit hazy, but IIRC, the format of the
> > Postgres password file changed between versions.
>
> I thought that a pg_dumpall would dump all the users with their
> passwords so that when the dump was run by the new version, the file
> would be created correctly from the data in the dump. I thought that was
> the whole reason for doing a pg_dump rather than just backing up the
> postgres home directory with it stopped.

I believe it dumped the passwords, but didn't upgrade them properly when
they were restored. I don't know exactly what happened, though,
unfortunately; I was too busy fixing things to keep detailed notes. :-)

Scott.
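Doug's expectation above (that a pg_dumpall taken before the upgrade carries every role and its password hash, so the new server recreates them on restore) and Scott's report that the accounts were nonetheless lost are both things that can be checked rather than assumed. The script below is an added example and is not code from this thread or from the PostgreSQL project: it parses the role statements out of a `pg_dumpall --globals-only` dump taken before the upgrade, compares them with a role listing taken from the upgraded server, and separately flags roles whose dump entry carries no PASSWORD clause. The two input files, the role names and the hash strings are constructed samples; the dump deliberately mixes the older `CREATE USER ... PASSWORD` form with the newer `CREATE ROLE` / `ALTER ROLE` form only so that both parsers are exercised.

```shell
#!/bin/sh
# Added example, not code from this thread or from PostgreSQL.
# Before the upgrade:   pg_dumpall --globals-only > globals.sql
# After the upgrade:    psql -Atc 'SELECT rolname FROM pg_roles' > roles.txt
# The functions below diff the two so that "the data is fine but the
# accounts are gone" shows up as a list of names instead of a locked-out user.
set -u
LC_ALL=C; export LC_ALL   # comm(1) needs both of its inputs sorted the same way

# Role names declared in a globals dump: CREATE ROLE (newer servers) or
# CREATE USER (older servers), with quotes and the trailing ';' stripped.
roles_from_dump() {
    awk '$1 == "CREATE" && ($2 == "ROLE" || $2 == "USER") {
             name = $3; sub(/;$/, "", name); gsub(/"/, "", name); print name
         }' "$1" | sort -u
}

# Roles whose CREATE or ALTER statement in the dump includes a PASSWORD clause.
roles_with_password() {
    awk '($1 == "CREATE" || $1 == "ALTER") && ($2 == "ROLE" || $2 == "USER") && /PASSWORD/ {
             name = $3; sub(/;$/, "", name); gsub(/"/, "", name); print name
         }' "$1" | sort -u
}

# Roles in the dump with no password hash at all: after the restore these
# cannot use password authentication, which is worth knowing up front.
roles_without_password() {
    all=$(mktemp); pw=$(mktemp)
    roles_from_dump "$1" > "$all"
    roles_with_password "$1" > "$pw"
    comm -23 "$all" "$pw"
    rm -f "$all" "$pw"
}

# Roles present in the pre-upgrade dump that the upgraded server does not
# report. $1 = globals dump, $2 = post-upgrade pg_roles listing, one per line.
missing_after_upgrade() {
    before=$(mktemp); after=$(mktemp)
    roles_from_dump "$1" > "$before"
    sed '/^$/d' "$2" | sort -u > "$after"
    comm -23 "$before" "$after"
    rm -f "$before" "$after"
}

# Constructed sample inputs (role names and hashes are placeholders).
GLOBALS=$(mktemp); LIVE=$(mktemp)
trap 'rm -f "$GLOBALS" "$LIVE"' EXIT
cat > "$GLOBALS" <<'EOF'
--
-- Roles (constructed sample; mixes old and new dump forms on purpose)
--
CREATE ROLE alice;
ALTER ROLE alice WITH LOGIN PASSWORD 'md5placeholderhash1';
CREATE ROLE bob;
ALTER ROLE bob WITH LOGIN PASSWORD 'md5placeholderhash2';
CREATE ROLE reports;
ALTER ROLE reports WITH NOLOGIN;
CREATE USER "legacy" WITH SYSID 101 PASSWORD 'md5placeholderhash3' NOCREATEDB;
EOF
cat > "$LIVE" <<'EOF'
postgres
alice
reports
EOF

echo "Roles in the dump without a password hash:"
roles_without_password "$GLOBALS"          # reports
echo "Roles in the dump but absent from the upgraded server:"
missing_after_upgrade "$GLOBALS" "$LIVE"   # bob legacy
```

Run against real files, the second list is the one to look at before letting users back in: an empty result means every role the old cluster knew about exists on the new one, while any name printed is an account that the restore silently dropped. The first list is a pre-upgrade sanity check on the dump itself, since a role that never had a hash in the dump cannot be "restored" with one.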
Re: Security question: are these vulnerabilities addressed?
On Fri, Jun 01, 2007 at 12:07:23AM -0400, Scott Gifford wrote:
> Andrew Sackville-West [EMAIL PROTECTED] writes:
> > On Wed, May 30, 2007 at 12:23:46AM -0400, Scott Gifford wrote:
> > > Kamaraju S Kusumanchi [EMAIL PROTECTED] writes:
> > >
> > > Our upgrade from Woody to Sarge was so disastrous, I will need more
> > > time for this client to forget about it before I can propose another
> > > upgrade. :-)
> >
> > what were the woody - sarge issues? perhaps they've been addressed...
>
> Postgres completely fell apart, and it took many hours to piece things
> back together.

Did you have a postgres dump just prior to the upgrade? In what way did it
fall apart? What did you have to do to piece things back together; didn't
restoring from the dump work?

Doug.
Re: Security question: are these vulnerabilities addressed?
Douglas Allan Tutty [EMAIL PROTECTED] writes:
> On Fri, Jun 01, 2007 at 12:07:23AM -0400, Scott Gifford wrote:
> > Andrew Sackville-West [EMAIL PROTECTED] writes:
> > > On Wed, May 30, 2007 at 12:23:46AM -0400, Scott Gifford wrote:
> > > > Kamaraju S Kusumanchi [EMAIL PROTECTED] writes:
> > > >
> > > > Our upgrade from Woody to Sarge was so disastrous, I will need more
> > > > time for this client to forget about it before I can propose
> > > > another upgrade. :-)
> > >
> > > what were the woody - sarge issues? perhaps they've been addressed...
> >
> > Postgres completely fell apart, and it took many hours to piece things
> > back together.
>
> Did you have a postgres dump just prior to the upgrade? In what way did
> it fall apart? What did you have to do to piece things back together;
> didn't restoring from the dump work?

The data was OK, but it lost all the user accounts. It's been a few months
now and my memory is a bit hazy, but IIRC, the format of the Postgres
password file changed between versions. When the upgrade failed (probably
because of our unusual Postgres configuration), the password file had to
be re-created by hand. Which all sounds pretty straightforward, except
there weren't any clear messages to indicate this, and it took me quite a
few hours to figure out the problem. The change in the file format wasn't
documented clearly anywhere that I could find, which I found very
frustrating. Eventually we found the problem, deleted the password file,
and re-created the accounts by hand (fortunately nobody took our advice to
reset their password), but our server was down for several hours.

There were also a bunch of changes to PHP that wreaked havoc for us. We
were running PHP through CGI (not embedded in the Web server), and Sarge
changed how all that worked, and broke all of our existing configurations.

If the server hadn't been down and I'd had a paper and pen, I would have
kept better track of exactly what happened. :-)

This is the only upgrade to Sarge I did that had significant problems, but
I will admit the experience left me much less confident in the upgrade
process.

Scott.
Re: Security question: are these vulnerabilities addressed?
Andrew Sackville-West [EMAIL PROTECTED] writes:
> On Wed, May 30, 2007 at 12:23:46AM -0400, Scott Gifford wrote:
> > Kamaraju S Kusumanchi [EMAIL PROTECTED] writes:
> > > [...]
> > > BTW, is upgrade to Etch from Sarge not an option in your case?
> >
> > Our upgrade from Woody to Sarge was so disastrous, I will need more
> > time for this client to forget about it before I can propose another
> > upgrade. :-)
>
> what were the woody - sarge issues? perhaps they've been addressed...

Postgres completely fell apart, and it took many hours to piece things
back together.

-Scott.
Re: Security question: are these vulnerabilities addressed?
On Wed, May 30, 2007 at 12:23:46AM -0400, Scott Gifford wrote:
> Kamaraju S Kusumanchi [EMAIL PROTECTED] writes:
> > Scott Gifford wrote:
> > > CVE-2006-0225 OpenSSH Local SCP Shell Command Execution
> >
> > From /usr/share/doc/openssh-server/changelog.Debian.gz on Debian Etch
> > machine running openssh-server 4.3p2-9, this was fixed in 1:4.3p2-1
>
> Thanks, from the bug tracking database it looks like this wasn't
> addressed for Sarge (see bug 349645), which is unfortunate.
>
> > No idea about other stuff. BTW, is upgrade to Etch from Sarge not an
> > option in your case?
>
> Our upgrade from Woody to Sarge was so disastrous, I will need more time
> for this client to forget about it before I can propose another
> upgrade. :-)

what were the woody - sarge issues? perhaps they've been addressed...
Re: Security question: are these vulnerabilities addressed?
Scott Gifford wrote:
> CVE-2006-0225 OpenSSH Local SCP Shell Command Execution

From /usr/share/doc/openssh-server/changelog.Debian.gz on Debian Etch
machine running openssh-server 4.3p2-9, this was fixed in 1:4.3p2-1

No idea about other stuff. BTW, is upgrade to Etch from Sarge not an
option in your case? Sarge is old and Etch is the new stable version.

raju
--
Kamaraju S Kusumanchi
http://www.people.cornell.edu/pages/kk288/
http://malayamaarutham.blogspot.com/
Re: Security question: are these vulnerabilities addressed?
Kamaraju S Kusumanchi [EMAIL PROTECTED] writes:
> Scott Gifford wrote:
> > CVE-2006-0225 OpenSSH Local SCP Shell Command Execution
>
> From /usr/share/doc/openssh-server/changelog.Debian.gz on Debian Etch
> machine running openssh-server 4.3p2-9, this was fixed in 1:4.3p2-1

Thanks, from the bug tracking database it looks like this wasn't addressed
for Sarge (see bug 349645), which is unfortunate.

> No idea about other stuff. BTW, is upgrade to Etch from Sarge not an
> option in your case?

Our upgrade from Woody to Sarge was so disastrous, I will need more time
for this client to forget about it before I can propose another
upgrade. :-)

> Sarge is old and Etch is the new stable version.

old is perhaps a bit strong of a word for a release that was
state-of-the-art as of about 7 weeks ago, and is still supported for
another 10 months...

---Scott.