From: | Christoph Berg <myon(at)debian(dot)org> |
---|---|
To: | Daniel Verite <daniel(at)manitou-mail(dot)org> |
Cc: | PostgreSQL General <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: postgresql command line exploit found in the wild |
Date: | 2013-04-09 12:44:12 |
Message-ID: | 20130409124412.GE26705@msgid.df7cb.de |
Lists: | pgsql-general |

Re: Daniel Verite 2013-04-08 <cd81d201-e9fa-4567-ac49-e3e762935747(at)mm>
> Merlin Moncure wrote:
>
> > if you have an internet facing database, patch it immediately!
>
> By the way:
>
> People running 9.1 on debian stable (squeeze) typically use this package:
> http://packages.debian.org/squeeze-backports/postgresql-9.1
>
> Currently, it looks like the fix is only available in pre-compiled form for
> the amd64 architecture (see the bottom of the page). All other archs
> including the popular i386 are stuck at version: 9.1.7-1~bpo60+1

This is just packages.debian.org lagging behind. The packages were
available on Thursday. (Excluding i386/armel.) Look at the timestamps
on http://backports.debian.org/debian-backports/pool/main/p/postgresql-9.1/ .

> I find it problematic. One can always switch to the new apt.postgresql.org
> repository that has the latest versions, but how many people are going to not
> even notice the problem, trusting their normal upgrade path?

I'm poking the backports people to throw more resources on building
packages there.

Christoph
--
cb(at)df7cb(dot)de | http://www.df7cb.de/