Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1057: postgresql-10, postgresql-9.6, postgresql-9.4, postgresql-9.1
Re: Brian May 2018-03-04 <[🔎] 87tvtva5r4.fsf@prune.linuxpenguins.xyz>
> Christoph Berg <myon@debian.org> writes:
>
> > + [jessie] - postgresql-9.1 <not-affected> (postgresql-9.1 in jessie is PL/Perl only)
>
> Hello,
>
> What did you mean by "jessie is PL/Perl only"?
Hi Brian,
jessie's postgresql-9.1 package is shipping a single binary package
only, postgresql-plperl-9.1. (Check the jessie release notes for the
rationale.) plperl is not affected by the changes as far as I can tell
by inspecting src/pl/plperl's git log.
> I am not sure I see the connection between CVE-2018-1058 (was
> incorrectly labeled as CVE-2018-1057) which is for issues concerning the
> search_path (as far as I can tell) and PL/Perl.
>
> Just trying to confirm if Wheezy is vulnerable or not. As Wheezy is
> using postgresql-9.1, and postgresql-9.1 is not vulnerable in Jessie, I
> am guessing wheezy is not vulnerable too.
9.1 is not vulnerable in Jessie because it's stripped down. All PG
versions are equally affected, the issue has been there since
schemas were introduced in 7.3.
Backpatching the changes will be hard; a colleague tried to apply the
pg_dump changes and gave up because hundreds of chunks failed. (The
rest might be easier though.)
I don't plan to work on a 9.1 LTS release; the changed were deemed
below the radar by the Debian Security team, and wheezy's EOL is just
around the corner.
Christoph
Reply to: