Re: [HACKERS] why was libpq.so's version number bumped?

2003-01-03 Thread Florian Weimer
Neil Conway [EMAIL PROTECTED] writes:

 Christopher Kings-Lynne said:
 There have been HEAPS of security fixes between 7.2 and 7.3.

 That's only the case if your definition of a security fix is pretty fast
 and loose -- as yours seems to be.

Hmm?  On 7.2, an unprivileged database user can read more or less
the whole memory image of the server process.  On 7.3, this has been
fixed.

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  fax +49-711-685-5898

---(end of broadcast)---
TIP 4: Don't 'kill -9' the postmaster



Re: [HACKERS] why was libpq.so's version number bumped?

2003-01-03 Thread Florian Weimer
Palle Girgensohn [EMAIL PROTECTED] writes:

 One of the reasons I ask is, if it is a good reason, like say
 security, maybe I can persuade the FreeBSD port responsible guys to
 bring the port into the upcoming FreeBSD 5.0 release.

7.3 is not completely compatible with 7.2 at the SQL level, and quite
a few things break.  I wouldn't force users to switch right now.

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  fax +49-711-685-5898




Re: [HACKERS] why was libpq.so's version number bumped?

2003-01-03 Thread Bruce Momjian
Florian Weimer wrote:
 Neil Conway [EMAIL PROTECTED] writes:
 
  Christopher Kings-Lynne said:
  There have been HEAPS of security fixes between 7.2 and 7.3.
 
  That's only the case if your definition of a security fix is pretty fast
  and loose -- as yours seems to be.
 
 Hmm?  On 7.2, an unprivileged database user can read more or less
 the whole memory image of the server process.  On 7.3, this has been
 fixed.

Huh.  Never heard that before.

-- 
  Bruce Momjian|  http://candle.pha.pa.us
  [EMAIL PROTECTED]   |  (610) 359-1001
  +  If your life is a hard drive, |  13 Roberts Road
  +  Christ can be your backup.|  Newtown Square, Pennsylvania 19073




Re: [HACKERS] why was libpq.so's version number bumped?

2003-01-03 Thread Florian Weimer
Bruce Momjian [EMAIL PROTECTED] writes:

 Hmm?  On 7.2, an unprivileged database user can read more or less
 the whole memory image of the server process.  On 7.3, this has been
 fixed.

 Huh.  Never heard that before.

It's the cash_out(2) crash, but with some other conversion function:

rusfw=> SELECT byteain(134512640);
   byteain   
-
 \177ELF\001\001\001
(1 row)

rusfw=> 

(Of course, the address varies from machine to machine.)

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  fax +49-711-685-5898
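What the psql output in this post shows, as an added example that is not part of Florian's message or the thread: the integer argument is 0x08048000, the conventional text load address of an i386 ELF executable, and decoding psql's escape-format bytea output gives back the first bytes of an ELF header, i.e. the server's own executable image read out as a string. The decoder and the ELF-ident reader below are written for this example and assume the output was printed in PostgreSQL's traditional "escape" bytea format.

```python
r"""Added example (not from the thread): decode the psql output quoted above.
Assumption: psql printed the bytea in PostgreSQL's traditional "escape" output
format, where non-printable bytes appear as \ooo (three octal digits) and a
literal backslash as \\, which matches the \177ELF\001\001\001 text in the post."""
import re

# One backslash-backslash pair, or a backslash followed by three octal digits.
_ESCAPE_RE = re.compile(r'\\\\|\\([0-7]{3})')


def decode_bytea_escape(text: str) -> bytes:
    """Turn escape-format bytea text (as printed by psql) back into raw bytes."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE_RE.finditer(text):
        out += text[pos:m.start()].encode('latin-1')   # printable run, copied as-is
        out.append(0x5C if m.group(1) is None else int(m.group(1), 8))
        pos = m.end()
    out += text[pos:].encode('latin-1')
    return bytes(out)


ELF_MAGIC = b'\x7fELF'


def describe_elf_ident(data: bytes) -> dict:
    """Interpret the e_ident prefix of an ELF header, if the bytes carry one."""
    if len(data) < 7 or not data.startswith(ELF_MAGIC):
        return {'is_elf': False}
    return {
        'is_elf': True,
        'class': {1: 'ELFCLASS32', 2: 'ELFCLASS64'}.get(data[4], 'unknown'),
        'data': {1: 'ELFDATA2LSB', 2: 'ELFDATA2MSB'}.get(data[5], 'unknown'),
        'version': data[6],
    }


# The argument and the result exactly as quoted in the post.
ADDRESS = 134512640
OUTPUT = r'\177ELF\001\001\001'


def address_hex(address: int = ADDRESS) -> str:
    """134512640 is 0x08048000, the usual text load address of an i386 ELF binary."""
    return f'{address:#010x}'


if __name__ == '__main__':
    raw = decode_bytea_escape(OUTPUT)
    print(address_hex(), raw, describe_elf_ident(raw))
```

Seeing an ELF ident come back from a text-returning function is a clear sign that an in-process address, not a user-supplied string, was handed to the conversion routine.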




Re: [HACKERS] why was libpq.so's version number bumped?

2003-01-03 Thread Sean Chittenden
 Between 7.2 and 7.3 there was an API change to the pgnotify(?)
 struct or something.  When 7.3 was released, we forgot to bump the
 version number, so we're doing it now.  It was something of an
 oversight, but it really needed to be done.
 
 There have been HEAPS of security fixes between 7.2 and 7.3.
 Depending on your definition of security.  eg. Going 'select
 cash_out(2);' on any 7.2 server and below will crash the backend.
 It will not do that in 7.3.  Most of the buffer problems were fixed
 in 7.2.3.
 
 Since going from 7.2 to 7.3 is a significant upgrade, the FreeBSD
 guys would probably be right tho to refuse such a major upgrade...
 Still, it's a pity though.  Postgres 7.3 has been tested and works
 fine on FreeBSD 5.

The databases/postgresql7 port has been updated and 7.3.1 should
appear in the 5.0 release.  ;) Not all postgresql ports have been
updated though since some of the PRs are assigned to another
committer.  :-/ Let me know if there are any requests from BSD DBAs
that'd like to see a port that they highly depend on updated.

 ps. Why is Postgres 7.3 still in ports/databases/postgresql-devel ??
 Actually, maybe it was a good thing since if 7.3.1 becomes the new standard
 port people won't be bitten so much by the library version bump.

The -devel port has been out for a few months, those that are serious
DBAs likely have a staging/test environment to work with.  If anyone
runs across any serious problems on FreeBSD, let me know ASAP.

-sc

-- 
Sean Chittenden




Re: [HACKERS] why was libpq.so's version number bumped?

2002-12-30 Thread Dan Langille
On Mon, 30 Dec 2002, Palle Girgensohn wrote:

 One of the reasons I ask is, if it is a good reason, like say security,
 maybe I can persuade the FreeBSD port responsible guys to bring the port
 into the upcoming FreeBSD 5.0 release. The port freeze was introduced just
 before pg-7.3 was released, so nothing new will be admitted unless it is a
 security fix, more or less, which means FreeBSD 5.0 will probably ship with
 7.2.3, which would be a disappointment...

If anything, the ports tree on the CD will contain a reference to 7.2.3.
PostgreSQL itself is not shipped.  The ports tree can be cvsup'd to the
latest, when the cvs repository is updated.  At present there is a ports
freeze.  This is the normal situation just prior to a major release.





Re: [HACKERS] why was libpq.so's version number bumped?

2002-12-30 Thread Dan Langille
On Mon, 30 Dec 2002, Christopher Kings-Lynne wrote:

 Since going from 7.2 to 7.3 is a significant upgrade, the FreeBSD guys would
 probably be right tho to refuse such a major upgrade...  Still, it's a pity
 though.  Postgres 7.3 has been tested and works fine on FreeBSD 5.

FreeBSD uses something called a ports tree.  This is quite separate from
the source tree, which is used to create FreeBSD 5.  The issue is not
whether or not 7.3 has been tested and works.  When you have nearly
8000 ports, it makes sense to freeze them just prior to a release.  Code
freezes are standard practice.  I wish more projects used them.

 ps. Why is Postgres 7.3 still in ports/databases/postgresql-devel ??
 Actually, maybe it was a good thing since if 7.3.1 becomes the new standard
 port people won't be bitten so much by the library version bump.

My guess: because of the port freeze now in effect.





Re: [HACKERS] why was libpq.so's version number bumped?

2002-12-30 Thread Dan Langille
On Mon, 30 Dec 2002, Christopher Kings-Lynne wrote:

 ps. Why is Postgres 7.3 still in ports/databases/postgresql-devel ??

I forgot one other possible answer: perhaps the port maintainer is taking
a well deserved holiday?





Re: [HACKERS] why was libpq.so's version number bumped?

2002-12-30 Thread Palle Girgensohn
--On Monday, December 30, 2002 06.35.22 -0500 Dan Langille 
[EMAIL PROTECTED] wrote:

On Mon, 30 Dec 2002, Christopher Kings-Lynne wrote:


ps. Why is Postgres 7.3 still in ports/databases/postgresql-devel ??


I forgot one other possible answer: perhaps the port maintainer is taking
a well deserved holiday?


:)  Well, not really, it is because of the port freeze. I don't maintain 
the -devel port, Sean Chittenden does. It seems logical that he maintains 
it, since he has commit rights to the ports tree. It was used during 
postgresql's beta phase, and it will be removed after the port freeze, only 
to resurrect at the next beta phase. This is the plan, anyway. :)

I now know the reason for bumping the so version number. Thanks!


Since going from 7.2 to 7.3 is a significant upgrade, the FreeBSD guys
would probably be right tho to refuse such a major upgrade...  Still,
it's a pity though.  Postgres 7.3 has been tested and works fine on
FreeBSD 5.


True, perhaps, but if the old version has security flaws... Also, since 5.0 
is a new major version for FreeBSD, most binaries need relinking to fully 
utilize the new system - wouldn't it be clever to have the new postgres 
libpq relinked at the same time as well...?

--On Monday, December 30, 2002 06.24.38 -0500 Dan Langille 
[EMAIL PROTECTED] wrote:

If anything, the ports tree on the CD will contain a reference to 7.2.3.
PostgreSQL itself is not shipped.  The ports tree can be cvsup'd to the
latest, when the cvs repository is updated.  At present there is a ports
freeze.  This is the normal situation just prior to a major release.


Well, on the DVD or four-disk-set, there will be a package of 7.2.3, so in 
a way, postgreSQL is actually shipped...

Well, we'll see. 7.3 has been in gnats for some time now. I'll send in the 
new 7.3.1 and send a few emails lobbying for it, and let the guys 
responsible decide if it is a pre- or post-5.0 port...

Cheers,
Palle




Re: [HACKERS] why was libpq.so's version number bumped?

2002-12-30 Thread Dan Langille
On Mon, 30 Dec 2002, Palle Girgensohn wrote:

 --On Monday, December 30, 2002 06.35.22 -0500 Dan Langille
 [EMAIL PROTECTED] wrote:

  On Mon, 30 Dec 2002, Christopher Kings-Lynne wrote:
 
  ps. Why is Postgres 7.3 still in ports/databases/postgresql-devel ??
 
  I forgot one other possible answer: perhaps the port maintainer is taking
  a well deserved holiday?

 :)  Well, not really, it is because of the port freeze. I don't maintain
 the -devel port, Sean Chittenden does. It seems logical that he maintains
 it, since he has commit rights to the ports tree. It was used during
 postgresql's beta phase, and it will be removed after the port freeze, only
 to resurrect at the next beta phase. This is the plan, anyway. :)

I liked and used the -devel port.  I think the concept should be retained.

  Since going from 7.2 to 7.3 is a significant upgrade, the FreeBSD guys
  would probably be right tho to refuse such a major upgrade...  Still,
  it's a pity though.  Postgres 7.3 has been tested and works fine on
  FreeBSD 5.

 True, perhaps, but if the old version has security flaws... Also, since 5.0
 is a new major version for FreeBSD, most binaries need relinking to fully
 utilize the new system - wouldn't it be clever to have the new postgres
 libpq relinked at the same time as well...?

What about the other 8000 or so ports?  Should we halt FreeBSD development
so they all have the latest version as well?  I think not. At some point,
a line must be drawn.

 --On Monday, December 30, 2002 06.24.38 -0500 Dan Langille
 [EMAIL PROTECTED] wrote:
 
  If anything, the ports tree on the CD will contain a reference to 7.2.3.
  PostgreSQL itself is not shipped.  The ports tree can be cvsup'd to the
  latest, when the cvs repository is updated.  At present there is a ports
  freeze.  This is the normal situation just prior to a major release.

 Well, on the DVD or four-disk-set, there will be a package of 7.2.3, so in
 a way, postgreSQL is actually shipped...

Given that there are almost 8000 ports, it is simply not practical to hold
everything up while we get the latest of everything.  Exceptions are
allowed, but again, I don't have a problem with it.

 Well, we'll see. 7.3 has been in gnats for some time now. I'll send in the
 new 7.3.1 and send a few emails lobbying for it, and let the guys
 responsible decide if it is a pre- or post-5.0 port...

I don't see it as a big deal.  It's just a ports tree entry going out with
5.  That entry can be cvsup'd and updated to the latest and greatest.





Re: [HACKERS] why was libpq.so's version number bumped?

2002-12-30 Thread Neil Conway
Christopher Kings-Lynne said:
 There have been HEAPS of security fixes between 7.2 and 7.3.

That's only the case if your definition of a security fix is pretty fast
and loose -- as yours seems to be.

 Depending
 on your definition of security.  eg. Going 'select cash_out(2);' on any
 7.2 server and below will crash the backend.

If you consider that a security flaw, there are still innumerable problems
of a very similar nature in 7.3 or 7.4-devel (*any* situation in which an
untrusted client can execute arbitrary SQL will allow for resource
exhaustion, at the very least).

By a more reasonable definition of security flaw, I'm not aware of any
significant outstanding problems in 7.2.3 -- there are a bunch of buffer
handling fixes in 7.3, but they were made for the sake of correctness
(a.k.a. paranoia), not necessarily to fix an actual vulnerability.

Cheers,

Neil






[HACKERS] why was libpq.so's version number bumped?

2002-12-29 Thread Palle Girgensohn
Hi!

subject says it all, I guess. There is hardly any difference between 7.3 
libpq and 7.3.1 libpq. Why the version shift? Isn't the only thing 
rectifying a version shift that there is a change in the API? Maybe there 
is a change, but I cannot find it.

One of the reasons I ask is, if it is a good reason, like say security, 
maybe I can persuade the FreeBSD port responsible guys to bring the port 
into the upcoming FreeBSD 5.0 release. The port freeze was introduced just 
before pg-7.3 was released, so nothing new will be admitted unless it is a 
security fix, more or less, which means FreeBSD 5.0 will probably ship with 
7.2.3, which would be a disappointment...

Cheers,
Palle





Re: [HACKERS] why was libpq.so's version number bumped?

2002-12-29 Thread Christopher Kings-Lynne
Hi Palle,

Between 7.2 and 7.3 there was an API change to the pgnotify(?) struct or
something.  When 7.3 was released, we forgot to bump the version number, so
we're doing it now.  It was something of an oversight, but it really needed
to be done.

There have been HEAPS of security fixes between 7.2 and 7.3.  Depending on
your definition of security.  eg. Going 'select cash_out(2);' on any 7.2
server and below will crash the backend.  It will not do that in 7.3.  Most
of the buffer problems were fixed in 7.2.3.

Since going from 7.2 to 7.3 is a significant upgrade, the FreeBSD guys would
probably be right tho to refuse such a major upgrade...  Still, it's a pity
though.  Postgres 7.3 has been tested and works fine on FreeBSD 5.

Cheers,

Chris

ps. Why is Postgres 7.3 still in ports/databases/postgresql-devel ??
Actually, maybe it was a good thing since if 7.3.1 becomes the new standard
port people won't be bitten so much by the library version bump.
