Hello security and release teams,

Yesterday, PostgreSQL released new security/bug fix microreleases. Please see http://www.postgresql.org/about/news.1244 for the details of the announcement.

This fixes a privilege escalation through "SECURITY DEFINER" stored procedures, which is the SQL equivalent of suid root programs. I.e. this allows normal DB users to run arbitrary code as the "postgres" DB superuser, and therefore get unlimited access to the DB server (CVE-2010-3433). The DB admin explicitly needs to grant the right to run trusted PLs to the DB user (which is therefore already trusted up to some degree). However, this can become a major problem if there is a webserver app in front which allows injecting arbitrary SQL (which is a security problem by itself, of course, but still all too common).

I uploaded 8.4.5-1 to unstable with urgency=medium (since this also fixes the usual metric ton of other bugs). Release team, can you please allow this into testing?

I also uploaded 9.0.1-1 to unstable, but since 9.0 won't go into testing there is no further action here.

I also prepared a lenny update at

  http://people.debian.org/~mpitt/psql/

It has a full debdiff, but there's a lot of noise in it, so I prepared a cleaner variant which is easier to read:

  $ filterdiff -x '*.gitignore' -x '*.cvsignore' -x '*/doc/*' -x '*.po' -x '*preproc.c' 8.3.11-0lenny1-8.3.12-0lenny1.debdiff | grep -v '^diff' > 8.3.11-0lenny1-8.3.12-0lenny1-cleaned.debdiff

  http://people.debian.org/~mpitt/psql/8.3.11-0lenny1-8.3.12-0lenny1-cleaned.debdiff

The changes in doc/ are mostly just the version bump and the new changelog (which is also present in the plain text "HISTORY" file). po files were re-merged and thus have a lot of reformatting noise. preproc.c is a huge yacc generated file, because the source preproc.y changed slightly, thus I only kept the .y file in the cleaned diff.

This update passes the upstream test suite as well as my postgresql-common integration tests.
Please let me know how to proceed with the security update. Thank you!

Martin

-- 
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
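As an added example (not part of the original mail), the two preconditions Martin describes can be inventoried from the PostgreSQL system catalogs before and after applying the fix: superuser-owned SECURITY DEFINER functions (the "suid root" programs) and non-superuser roles that have been granted USAGE on a trusted procedural language. Both queries use only pg_catalog columns and the built-in has_language_privilege() function; the server version check at the end lets you confirm the fixed microrelease is actually running.

```sql
-- 1. SECURITY DEFINER functions owned by a superuser: each one runs with
--    superuser rights on behalf of whoever may call it, so this is the
--    list of "suid" entry points that CVE-2010-3433 could be used against.
SELECT n.nspname AS schema,
       p.proname AS function,
       r.rolname AS owner,
       l.lanname AS language
FROM   pg_catalog.pg_proc p
JOIN   pg_catalog.pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_catalog.pg_roles     r ON r.oid = p.proowner
JOIN   pg_catalog.pg_language  l ON l.oid = p.prolang
WHERE  p.prosecdef            -- SECURITY DEFINER flag
AND    r.rolsuper             -- owner is a superuser
ORDER  BY 1, 2;

-- 2. Login roles that are not superusers but may run a trusted PL
--    (plperl, pltcl, plpgsql, ...). These are the "already trusted up to
--    some degree" users the mail refers to; each one is a candidate for
--    the escalation if an application in front of the DB allows SQL
--    injection as that role.
SELECT r.rolname AS role,
       l.lanname AS trusted_language
FROM   pg_catalog.pg_roles    r
CROSS  JOIN pg_catalog.pg_language l
WHERE  l.lanpltrusted
AND    NOT r.rolsuper
AND    r.rolcanlogin
AND    has_language_privilege(r.oid, l.oid, 'USAGE')
ORDER  BY 1, 2;

-- 3. Confirm the running server is a fixed microrelease
--    (8.3.12 / 8.4.5 / 9.0.1 per the announcement; compare against the
--    versions listed there for your branch).
SHOW server_version;
```

Rows returned by the first two queries are not a finding by themselves; they are the set of functions and roles whose exposure the microrelease reduces, and therefore the ones to prioritise when scheduling the restart that makes the upgrade effective.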