postgres and CVE-2010-0442
Alexander Pyhalov
2010-03-25 13:12:21 UTC
Hello.
Could someone look at http://www.freebsd.org/cgi/query-pr.cgi?pr=144863 ?
There is quite a serious security issue in postgres, which allows any
user to kill others' sessions.
--
Best regards,
Alexander Pyhalov,
system administrator of Computer Center of South Federal University
Gary Jennejohn
2010-03-25 14:44:20 UTC
On Thu, 25 Mar 2010 16:12:21 +0300
Post by Alexander Pyhalov
Hello.
Could someone look at http://www.freebsd.org/cgi/query-pr.cgi?pr=144863 ?
There is quite a serious security issue in postgres, which allows any
user to kill others' sessions.
It's only been a week since it was assigned to the maintainer (girgen@)
to look at.

It's too soon for a maintainer timeout, although I suppose if this is
considered to be an enormous security risk it could be committed without
waiting.

I'd say that's a decision for portmgr@ to make.

--
Gary Jennejohn
Mark Linimon
2010-03-25 16:28:31 UTC
Post by Gary Jennejohn
to look at.
It's too soon for a maintainer timeout, although I suppose if this is
considered to be an enormous security risk it could be committed without
waiting.
I'd say go ahead and commit it. We often waive the two-week period for
security problems.

mcl
Andrea Venturoli
2010-04-11 13:32:53 UTC
Post by Mark Linimon
Post by Gary Jennejohn
to look at.
It's too soon for a maintainer timeout, although I suppose if this is
considered to be an enormous security risk it could be committed without
waiting.
I'd say go ahead and commit it. We often waive the two-week period for
security problems.
Sorry to step in.
8.4 has been corrected for a while, but what about 8.2 and 8.3?
Is the new (non-vulnerable) version going to arrive in the ports tree
anytime soon, or should we plan a version upgrade?

bye & Thanks
av.
