On Sun, 13 Sep 2009, Martin Pitt wrote:
> Hello Debian/Ubuntu security teams,
>
> PostgreSQL recently published new point releases which fix the usual
> range of important bugs (data loss/wrong results, etc.) and
> additionally fix another case of insecure "security definer" functions
> (the analogon to setuid programs in file system space for SQL
> functions) (CVE-2007-6600). It's an authenticated privilege
> escalation, and I personally rate it as low severity, since in usual
> setups database users/admins trust each other, or in other cases,
> "insecure" DB users like for web services aren't usually given
> permission to define new functions.
>
> So I wondered how you would like to handle that, as a normal update or
> security update?
>
> My gut feeling is that it should go through s-p-u (Debian), and
> -proposed (Ubuntu) and be copied to -updates after some time of
> testing.

For Ubuntu, since it has a CVE attached to it, I'd like to see this go through the security queue. However, I trust your judgement on wanting more testing, so perhaps we can build it in the ubuntu-security-proposed ppa and then pocket copy to -proposed for wider testing. That way we can copy to -updates and -security with no problems (the ubuntu-security-proposed ppa builds with only release and -security).

Jamie

--
Jamie Strandboge | http://www.canonical.com