Bugzilla – Bug 62619
VUL-0: PostgreSQL Security Release(s) for 7.2, 7.3 and 7.4
Last modified: 2021-10-14 14:57:35 UTC
--- snip (http://www.postgresql.org/news/234.html)

Posted on 2004-10-23 Posted by press at PostgreSQL.org

In order to address a recent security report from iDefence, we have released 3 new "point" releases: 7.2.6, 7.3.8 and 7.4.6

Although rated only a Medium risk, according to their web site: "A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files."

Also in these releases is a potential 'data loss' bug that was recently identified:

* Repair possible failure to update hint bits on disk
  Under rare circumstances this oversight could lead to "could not access transaction status" failures, which qualifies it as a potential-data-loss bug.

--- snap ---

Affected versions:
SLES8 ships with PostgreSQL 7.2.2 and would be updated to 7.2.6
SLES9 ships with PostgreSQL 7.4.2 and would be updated to 7.4.6

Also, all box products which are still getting YOU updates are affected and should be updated.
*** Bug 62772 has been marked as a duplicate of this bug. ***
Awaiting approval by PM.
Ralf? Andreas?
hello ralf, please state whether we Reinhard upgrade or not.
What are all the other changes between 7.2.2 and 7.2.6 (7.4.2 and 7.4.6)? If you want to avoid answering this question, then please just backport the one security fix.
There have been other security and major bug fixes. The PostgreSQL team does a very good job in only patching things that need patching in their patch releases and making sure that the latest patch release is a drop-in replacement for its successors with the same minor release number. I completely trust them when they advise all users of the respective minor versions to upgrade to the latest patch releases. So IMHO there are two ways to proceed with this bug, either update to the latest patch release or CLOSE WONTFIX.
The only security fix in 7.2.5 -> 7.2.6 is in "make_oidjoins_check", a contrib script, and it is a minor temp race fix. In 7.2.4 -> 7.2.5 there is one that looks more problematic, but I cannot evaluate easily how problematic without reviewing lots of PostgreSQL source. The whole patch looks clean to me too.
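The "temp race" class of bug mentioned above, shown as an added illustration for readers of this report (not the contrib script's own code and not part of the bug thread): a predictable temp-file name that a redirection will follow into whatever already sits at that path, beside the mktemp-based pattern that closes the hole. The file-name prefix and the helper names are constructed for the example.

```sh
#!/bin/sh
# Added illustration (not the PostgreSQL contrib script itself): the weak
# temp-file pattern beside its mktemp-based fix.

# Weak: a fixed, predictable name in a world-writable directory. "$$" is
# the script's PID, which is easy to guess, and a plain redirection follows
# whatever file or symlink already exists at that path.
weak_tmp_name() {
    echo "/tmp/oidjoins.$$"
}

# Hardened: mktemp creates the file atomically, with a random suffix and
# mode 0600, and fails instead of reusing a path that already exists.
# TMPDIR is honoured so a private per-user directory can replace /tmp.
secure_tmp_file() {
    mktemp "${TMPDIR:-/tmp}/oidjoins.XXXXXX"
}

# Portable owner-only permission check (GNU stat first, then BSD stat).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Full flow: create the file, use it, remove it; return 0 only when the
# file was private to the caller. A script should additionally register
#   trap 'rm -f "$t"' EXIT HUP INT TERM
# right after creation so an early exit does not leave the file behind.
process_with_tmp() {
    t=$(secure_tmp_file) || return 1
    mode=$(file_mode "$t")
    printf 'oid check output\n' > "$t"
    lines=$(wc -l < "$t" | tr -d ' ')
    rm -f "$t"
    [ "$mode" = "600" ] && [ "$lines" = "1" ]
}
```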
Ok, then let's apply this one. :)
Which one? And as kukuk just correctly stated this is a security update, so it does not go the SP1 path and thus does not need my approval. I am fine with the version update.
Up to now I have only a 9.1 postgresql package and a SLES9 patchinfo file. I also need packages for 8.1, 8.2, 9.0, 9.2. And a patchinfo for the box products.
CAN-2004-0977
swamp id: 85
haven't we released those already? puzzling
uh... did we? :(
we did... can it be closed?
that explains the low swamp id :)
I had to re-submit the patchinfo files for the box products today, so at least the updates for the boxed products are not released yet. And I also got a question on the SLES patchinfo files today, so they also still seem to be in the process.
??????? I released postgresql 8.1 - 9.2 updates on Jan 5th fixing bug 62619 ... so haeh?
Created attachment 27511: patchinfo-sles8_ul.psql
Created attachment 27512: patchinfo.psql
Created attachment 27513: patchinfo-box.psql
Stop that! I have submitted patchinfo files for this already. Marcus, are you the last person to touch security updates before they hit the FTP server?
whoever approves updates does. for the security team either the incident manager or the responsible person. since the resubmitted patchinfo files just fix a packageinfo flaw, whoever fixed it (rudi or harald or someone) can do this too. The new patchinfos are unrelated to this bug which I really guess has been fixed with the update we did?
updates released on jan 5th, just forgot to close this report. cleared patchinfo technical issues with reinhard and hmuelle.