| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Mads(dot)Tandrup(at)schneider-electric(dot)com |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: CVE-2013-1899 security issue and limited IP addresses in pg_hba.conf |
| Date: | 2013-04-04 16:44:37 |
| Message-ID: | 20130404164437.GB13856@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Thu, Apr 4, 2013 at 06:39:22PM +0200, Mads(dot)Tandrup(at)schneider-electric(dot)com wrote:
> Hi All
>
> I'm trying to understand the implications of the latest security fix to
> postgresql [1].
>
> We have a setup were we in pg_hba.conf have limited the allowed IP addresses of
> the clients. But does anyone know if CVE-2013-1899 allows an arbitrary attacker
> to use the exploits described in [1]?
Yes, if you were running 9.0+. pg_hba.conf does not limit access
sufficiently, though listen_addresses does.
> We are using PostgreSQL 8.4.
8.4 does not contain the bug.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ It's impossible for everything to be true. +
| Attachment | Content-Type | Size |
|---|---|---|
| unknown_filename | text/plain | 914 bytes |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David Wall | 2013-04-04 17:08:44 | Re: Permissions on large objects - db backup and restore |
| Previous Message | Devrim Gündüz | 2013-04-04 16:43:34 | Re: CVE-2013-1899 security issue and limited IP addresses in pg_hba.conf |