
New PostgreSQL security/bug fix releases: 8.4.5, 8.3.12 [CVE-2010-3433]



Hello security and release teams,

Yesterday, PostgreSQL released new security/bug fix microreleases. Please
see http://www.postgresql.org/about/news.1244 for the details of the
announcement. This fixes a privilege escalation through "SECURITY
DEFINER" stored procedures, which is the SQL equivalent of suid root
programs. I.e. this allows normal DB users to run arbitrary code as
the "postgres" DB superuser, and therefore get unlimited access to the
DB server (CVE-2010-3433). The DB admin explicitly needs to grant the
right to run trusted PLs to the DB user (which is therefore already
trusted up to some degree). However, this can become a major problem
if there is a webserver app in front which allows injecting arbitrary
SQL (which is a security problem by itself, of course, but still all
too common).

I uploaded 8.4.5-1 to unstable with urgency=medium (since this also
fixes the usual metric ton of other bugs). Release team, can you
please allow this into testing?

I also uploaded 9.0.1-1 to unstable, but since 9.0 won't go into
testing there is no further action here.

I also prepared a lenny update at

  http://people.debian.org/~mpitt/psql/

It has a full debdiff, but there's a lot of noise in it, so I prepared
a cleaner variant which is easier to read:

  $ filterdiff -x '*.gitignore' -x '*.cvsignore' -x '*/doc/*' -x '*.po' -x '*preproc.c' 8.3.11-0lenny1-8.3.12-0lenny1.debdiff|grep -v '^diff'  > 8.3.11-0lenny1-8.3.12-0lenny1-cleaned.debdiff

  http://people.debian.org/~mpitt/psql/8.3.11-0lenny1-8.3.12-0lenny1-cleaned.debdiff

The changes in doc/ are mostly just the version bump and the new
changelog (which is also present in the plain text "HISTORY" file).
po files were re-merged and thus have a lot of reformatting noise.
preproc.c is a huge yacc generated file, because the source preproc.y
changed slightly, thus I only kept the .y file in the cleaned diff.

This update passes the upstream test suite as well as my
postgresql-common integration tests. 

Please let me know how to proceed with the security update.

Thank you!

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
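
Added example, not part of the original message or of the PostgreSQL/Debian packaging: a catalog audit an administrator could run in each database to see how much surface the SECURITY DEFINER issue described above has on a given server. It assumes only the standard pg_catalog tables and a role allowed to read them.

```sql
-- Part 1: SECURITY DEFINER functions that execute with superuser rights.
-- These are the "suid root" equivalents the message refers to.
SELECT n.nspname                                 AS schema_name,
       p.proname                                 AS function_name,
       pg_catalog.oidvectortypes(p.proargtypes)  AS argument_types,
       r.rolname                                 AS owner,
       l.lanname                                 AS language,
       l.lanpltrusted                            AS trusted_pl,
       p.proacl                                  AS execute_acl  -- NULL = default, EXECUTE granted to PUBLIC
FROM   pg_catalog.pg_proc      p
JOIN   pg_catalog.pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_catalog.pg_language  l ON l.oid = p.prolang
JOIN   pg_catalog.pg_roles     r ON r.oid = p.proowner
WHERE  p.prosecdef                       -- declared SECURITY DEFINER
  AND  r.rolsuper                        -- runs as a superuser
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER  BY l.lanpltrusted DESC, n.nspname, p.proname;

-- Part 2: trusted procedural languages installed in this database and
-- their ACLs, i.e. which roles were given the right to write code in them.
SELECT l.lanname AS language,
       l.lanacl  AS usage_acl            -- NULL = built-in default privileges apply
FROM   pg_catalog.pg_language l
WHERE  l.lanispl                         -- excludes internal, c and sql
  AND  l.lanpltrusted
ORDER  BY l.lanname;
```

Rows from part 1 whose language also appears in part 2 are the ones to review first, until the fixed packages are installed.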
