-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Debian Security Advisory DLA-0019-1                https://wiki.debian.org/LTS
- ----------------------------------------------------------------------------

Package        : postgresql-8.4
Version        : 8.4.22-0+deb6u1
CVE ID         : CVE-2014-0067
New upstream minor release. Users should upgrade to this version at their
next scheduled maintenance window.

Noteworthy change:

  Secure Unix-domain sockets of temporary postmasters started during make
  check (Noah Misch)

  Any local user able to access the socket file could connect as the
  server's bootstrap superuser, then proceed to execute arbitrary code as
  the operating-system user running the test, as we previously noted in
  CVE-2014-0067. This change defends against that risk by placing the
  server's socket in a temporary, mode 0700 subdirectory of /tmp.

8.4.22 marks the end of life of the PostgreSQL 8.4 branch. No further
releases will be made by the PostgreSQL Global Development Group. Users of
PostgreSQL 8.4 should look into upgrading to a newer PostgreSQL release.
Options are:

* Upgrading to Debian 7 (Wheezy), providing postgresql-9.1.

* The use of the apt.postgresql.org repository, providing packages for all
  active PostgreSQL branches (9.0 up to 9.4 at the time of writing). See
  https://wiki.postgresql.org/wiki/Apt for more information about the
  repository. A helper script to activate the repository is provided in
  /usr/share/doc/postgresql-8.4/examples/apt.postgresql.org.sh.

* An LTS version of 8.4 is in planning that will cover the lifetime of
  squeeze-lts. Updates will probably be made on a best-effort basis. Users
  can take advantage of this, but should still consider upgrading to newer
  PostgreSQL versions over the next months.
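The mitigation described above (a Unix socket placed in a freshly created, mode 0700 subdirectory of /tmp rather than directly in the world-writable /tmp) can be illustrated with the small Python script below. It is an added example written for this page, not code from the advisory or from PostgreSQL itself. It assumes a Linux host, and the socket file name .s.PGSQL.5432 follows PostgreSQL's usual naming convention but is only a label here; the directory prefix pg_sock_ is arbitrary. The script creates the private directory, binds a listening socket inside it, and then runs the same ownership-and-mode check against both the private directory and the shared parent, which is the check an administrator can reuse to confirm that a running server's socket directory is not reachable by other local users.

```python
import os
import socket
import stat
import tempfile


def make_private_socket_dir(parent="/tmp"):
    """Create a mode-0700 subdirectory under `parent` to hold a Unix socket.

    tempfile.mkdtemp() creates the directory with mode 0700 and a random
    name; since other local users lack search permission on it, they cannot
    reach (and therefore cannot connect to) a socket placed inside.
    """
    path = tempfile.mkdtemp(prefix="pg_sock_", dir=parent)  # prefix is an assumption
    # Re-apply the mode explicitly: cheap insurance against a filesystem or
    # wrapper that does not honour mkdtemp's default.
    os.chmod(path, 0o700)
    return path


def bind_socket(sock_dir, name=".s.PGSQL.5432"):
    """Bind a listening Unix socket inside `sock_dir`; returns (socket, path).

    The default name mirrors PostgreSQL's .s.PGSQL.<port> convention.
    """
    path = os.path.join(sock_dir, name)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    return srv, path


def socket_dir_is_private(path):
    """True when `path` is a directory owned by the current user with no
    group or other permission bits, i.e. only this user can traverse it."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    return (st.st_mode & 0o077) == 0


def demo(parent="/tmp"):
    """Create a private socket directory, bind a socket in it, and compare the
    check result with the shared parent directory. Cleans up afterwards and
    returns a dict of booleans."""
    private_dir = make_private_socket_dir(parent)
    srv, sock_path = bind_socket(private_dir)
    try:
        results = {
            # The new layout: socket lives in a 0700 directory we own.
            "private_dir_ok": socket_dir_is_private(os.path.dirname(sock_path)),
            # The old layout: socket directly in the shared /tmp (mode 1777,
            # root-owned), which every local user can traverse.
            "shared_parent_ok": socket_dir_is_private(parent),
        }
    finally:
        srv.close()
        os.unlink(sock_path)
        os.rmdir(private_dir)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The directory check is deliberately conservative: it requires ownership by the calling user as well as the absence of group/other bits, so a 0700 directory owned by someone else also fails it. A permissive `/tmp` (or any shared parent) is reported as not private, which is exactly the condition the upstream change removes for the test-suite postmasters.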
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJT12zrAAoJEExaa6sS0qeueVAP/3OTQBoLE3dp+nakdtBA+Wzj
+oIzoXpyDWJ0ZhSrMgJoxw7CmNuYkiKIgAHKk1MmPqo2NPhxDOaFPX5XjpXVT5g9
s0McnS+T6oFoCCVYAH0xx7A96UyfffsQ5Bom2AUTpt3ygoewonUb0OF0wlklxKyf
X9aEmNGa9a/tPG3tiEIHpswYFjYwKUDX6AyPPkLRaqngwy0CkVedh42iOp8s9fXg
4capn0HWPtL5BydG9lowEmWUyycUKNxJltSDu065tB21ZU+ikR8NrAsaKugJ4zr5
ucjvCRQRhS7ybxF40x7XAYFsCj/n1OS2eNuU83dfBQXyAUGkfq1CtkwoCoSQV8On
dm3Qpo8vxNkKycnvH016lLVAc15syMlGfe8NkXCUA5WRZ7bWC2hqhzgEqPd19dWA
1GZKeTlXKo3ptDbdFmtxph0YBvfT9b5sWLsGZDOr60mBUCQaqhPRIBfa1FjjGqrP
5+5JTfpFJ1dxsFXD/YGk9RW0GshsPbqkS78wCKcCZ6dIiem57IPOf91dg6rdelYA
J1VHNUsLhz9/6SGdh9b2mKG7C+X6iONwUE2zyT7014Ql+DVyxeeER+ScEitro+Qv
3lnrszVXt4AH8zQrJonu8PT4myk1cf4V6OqfYTuZBZRBQzom5b06HZe6OJjLS5cy
BrNeYXw01yMVshZ6snfk
=MtvN
-----END PGP SIGNATURE-----

Archive: https://lists.debian.org/20140729094411.ga1...@msg.df7cb.de