| From: | Merlin Moncure <mmoncure(at)gmail(dot)com> |
|---|---|
| To: | Daniel Verite <daniel(at)manitou-mail(dot)org> |
| Cc: | PostgreSQL General <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: postgresql command line exploit found in the wild |
| Date: | 2013-04-08 15:54:32 |
| Message-ID: | CAHyXU0ydehUfsnAio8SRXog_drMa-nASM+cyEEeydGmx1DcU7w@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Mon, Apr 8, 2013 at 10:48 AM, Daniel Verite <daniel(at)manitou-mail(dot)org> wrote:
> Merlin Moncure wrote:
>
>> if you have an internet facing database, patch it immediately!
>
> By the way:
>
> People running 9.1 on debian stable (squeeze) typically use this package:
> http://packages.debian.org/squeeze-backports/postgresql-9.1
>
> Currently, it looks like the fix is only available in pre-compiled form for
> the amd64 architecture (see the bottom of the page). All other archs
> including the popular i386 are stuck at version: 9.1.7-1~bpo60+1
>
> I find it problematic. One can always switch to the new apt.postgresql.org
> repository that has the latest versions, but how many people are going to not
> even notice the problem, trusting their normal upgrade path?
I guess this should be raised with the debian package maintainers?
merlin
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ben Chobot | 2013-04-08 16:05:35 | Re: Hosting PG on AWS in 2013 |
| Previous Message | Daniel Verite | 2013-04-08 15:48:08 | Re: postgresql command line exploit found in the wild |