Hello Debian/Ubuntu security teams,

PostgreSQL recently published new point releases which fix the usual range of important bugs (data loss/wrong results, etc.) and additionally fix another case of insecure "security definer" functions (the analogue to setuid programs in file system space for SQL functions) (CVE-2007-6600).

It's an authenticated privilege escalation, and I personally rate it as low severity, since in usual setups database users/admins trust each other, or in other cases, "insecure" DB users like for web services aren't usually given permission to define new functions.

So I wondered how you would like to handle that, as a normal update or security update? My gut feeling is that it should go through s-p-u (Debian) and -proposed (Ubuntu) and be copied to -updates after some time of testing.

Complete list of changes, FYI:

7.4 (etch): http://www.postgresql.org/docs/current/static/release-7-4-26.html
8.1 (etch/dapper): http://www.postgresql.org/docs/8.1/static/release.html#RELEASE-8-1-18
8.3 (lenny/hardy/intrepid/jaunty): http://www.postgresql.org/docs/8.3/static/release-8-3-8.html

8.3 and 8.4 in unstable/karmic already have been updated four days ago. No regression reports so far.

I'll prepare the stable updates for all Debian/Ubuntu releases in the next days and throw my test suites at them.

Thanks for any input,

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
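For readers unfamiliar with the "setuid for SQL" class of problem the mail refers to, the following is an added editorial example, not part of Martin's message and not taken from the PostgreSQL release notes. It shows how a SECURITY DEFINER function is conventionally hardened in PostgreSQL 8.3 or later: the body runs with the owner's privileges, so name resolution is pinned with a per-function search_path and EXECUTE is revoked from PUBLIC. The table, function and role names (audit_log, log_event, app_user) are hypothetical.

```sql
-- Added example (not from the mail above). Requires PostgreSQL 8.3+ for the
-- per-function SET clause. Object names are hypothetical.

-- A table that ordinary users must not touch directly.
CREATE TABLE audit_log (
    id      serial PRIMARY KEY,
    actor   text NOT NULL DEFAULT current_user,
    message text NOT NULL
);
REVOKE ALL ON audit_log FROM PUBLIC;

-- The function runs with the privileges of its owner (like a setuid binary).
-- Two things keep that from becoming a privilege escalation:
--  1. search_path is fixed, so a caller cannot plant a same-named function,
--     operator or table in a schema that would be searched first;
--  2. every object in the body is schema-qualified anyway.
CREATE OR REPLACE FUNCTION log_event(msg text) RETURNS void
    LANGUAGE plpgsql
    SECURITY DEFINER
    SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    INSERT INTO public.audit_log (message) VALUES (msg);
END;
$$;

-- CREATE FUNCTION grants EXECUTE to PUBLIC by default; take it back and
-- grant only to the role(s) that should reach the elevated code path.
CREATE ROLE app_user;                                   -- hypothetical role
REVOKE EXECUTE ON FUNCTION log_event(text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION log_event(text) TO app_user;

-- Review aid: list SECURITY DEFINER functions in the database that do not
-- pin search_path (candidates for the same hardening).
SELECT n.nspname, p.proname
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.prosecdef
  AND  NOT EXISTS (
         SELECT 1
         FROM   unnest(coalesce(p.proconfig, '{}'::text[])) AS c
         WHERE  c LIKE 'search_path=%'
       );
```

The closing query is the kind of check a DBA would run after applying the point releases: functions it returns are the ones whose behaviour depends on whatever search_path the calling session happens to have.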