
[DLA-0019-1] postgresql-8.4 update

Debian Security Advisory DLA-0019-1
https://wiki.debian.org/LTS
------------------------------------------------------------------------------
Package        : postgresql-8.4
Version        : 8.4.22-0+deb6u1
CVE ID         : CVE-2014-0067

New upstream minor release. Users should upgrade to this version at their next
scheduled maintenance window.

Noteworthy change:

 Secure Unix-domain sockets of temporary postmasters started during make
 check (Noah Misch)

 Any local user able to access the socket file could connect as the server's
 bootstrap superuser, then proceed to execute arbitrary code as the
 operating-system user running the test, as we previously noted in
 CVE-2014-0067. This change defends against that risk by placing the server's
 socket in a temporary, mode 0700 subdirectory of /tmp.
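As an added illustration of the defense described above (this is not code from the advisory or from PostgreSQL itself), the Python snippet below creates a mode 0700 socket directory the way the fix does and checks whether a given socket path lives in a directory that only the current user can traverse. The socket file name follows PostgreSQL's .s.PGSQL.<port> convention; the helper names and the optional mode argument are assumptions made for the example.

```python
import os
import shutil
import socket
import stat
import tempfile


def make_socket_dir(mode=0o700):
    """Create a temporary directory for a Unix-domain socket.

    mkdtemp() already creates the directory 0700; the explicit chmod lets the
    example also build a deliberately weak (e.g. 0755) directory for comparison.
    """
    path = tempfile.mkdtemp(prefix="pg_check.")
    os.chmod(path, mode)
    return path


def socket_dir_is_private(sock_path):
    """True if the socket's parent directory is owned by the current user and
    grants no group/other bits, so other local users cannot reach the socket
    file at all (the property the 8.4.22 fix relies on)."""
    parent = os.path.dirname(os.path.abspath(sock_path))
    st = os.lstat(parent)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    return (stat.S_IMODE(st.st_mode) & 0o077) == 0


def bind_in_private_dir():
    """Bind a listening Unix-domain socket inside a fresh 0700 directory.

    Returns (directory, socket path, listening socket); the caller closes the
    socket and removes the directory with remove_socket_dir()."""
    directory = make_socket_dir()
    sock_path = os.path.join(directory, ".s.PGSQL.5432")  # PostgreSQL-style name
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)
    return directory, sock_path, srv


def remove_socket_dir(directory):
    """Delete the socket directory and everything in it."""
    shutil.rmtree(directory, ignore_errors=True)


if __name__ == "__main__":
    d, p, s = bind_in_private_dir()
    print(p, "private:", socket_dir_is_private(p))
    s.close()
    remove_socket_dir(d)
```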

8.4.22 marks the end of life of the PostgreSQL 8.4 branch. No further
releases will be made by the PostgreSQL Global Development Group.

Users of PostgreSQL 8.4 should look into upgrading to a newer PostgreSQL
release. Options are:

* Upgrading to Debian 7 (Wheezy), providing postgresql-9.1.

* The use of the apt.postgresql.org repository, providing packages for all
  active PostgreSQL branches (9.0 up to 9.4 at the time of writing).

  See https://wiki.postgresql.org/wiki/Apt for more information about the
  repository.

  A helper script to activate the repository is provided in
  /usr/share/doc/postgresql-8.4/examples/apt.postgresql.org.sh.

* An LTS version of 8.4 is in planning that will cover the lifetime of
  squeeze-lts. Updates will probably be made on a best-effort basis. Users can
  take advantage of this, but should still consider upgrading to newer
  PostgreSQL versions over the next months.