
PostgreSQL 7.3.2 Released

PostgreSQL 7.3.2 has been released. "This release addresses several overrun and memory leak issues that were found in recent weeks, so it is highly recommended that those running the 7.3.1 branch upgrade at their earliest convenience. This release is backwards compatible to the previous v7.3.x releases, and does not require a dump/restore to upgrade."


How many more overflows remain?

Posted Feb 13, 2003 10:15 UTC (Thu) by paulsheer (guest, #3925)

PostgreSQL is clearly the top open database for heavy-weight applications. But I do get concerned for its image to constantly hear of security holes. Almost every other week (I think) there is a new security hole announced. Of course security vulnerabilities should be publicized, but what can the developers say about getting their code solid enough that exploits are found far less frequently? And is this even possible for a large and complex application like an SQL server?

How many more overflows remain?

Posted Feb 21, 2003 4:57 UTC (Fri) by slamb (guest, #1070)

Almost every other week (I think) there is a new security hole announced.

I think you are just seeing advisories for the same holes from different distributors. For some reason, the major distributors seem to have been horribly, horribly slow issuing advisories and packaged bugfix releases. So I can easily see why you'd think there were more problems than there were. Here's a timeline, which I grabbed from searching for "postgresql" in subject lines on bugtraq and the freshmeat release history:

  • 24 Aug 2002 - 7.2.2 released, fixing some buffer overflows
  • 12 Sep 2002 - Debian announcement of 7.2.2 bugs
  • 19 Sep 2002 - Conectiva announcement of 7.2.2 bugs
  • 21 Oct 2002 - SuSE announcement of 7.2.2 bugs
  • 4 Nov 2002 - 7.2.3 fixes a vacuum security problem (and my impression is that it's unlikely to be a real problem, but paranoia says you should upgrade anyway)
  • 14 Jan 2003 - RedHat announcement of 7.2.[23] bugs
  • 5 Feb 2003 - 7.3.2 released, fixing more buffer overflows
  • 12 Feb 2003 - Mandrake announcement of 7.2.2 bugs (and some 7.3.2 ones?)

There have been two or three sets of problems, which isn't great, but it's a lot better than it may appear. And I bet you will see more security announcements in the near (and maybe even far) future...but they probably will be announcements from slow vendors about already-known bugs.

Also, as many people mentioned after the recent Microsoft SQL worm, database servers generally should not be directly open to the Internet. They should be firewalled (and VPNed if access from elsewhere is required). I'm not sure if that'd help in this case or not (anyone? it may depend on your application), but generally that should decrease your exposure to security problems in any SQL server, not just PostgreSQL.

How many more overflows remain?

Posted Feb 21, 2003 5:18 UTC (Fri) by slamb (guest, #1070)

I said: [database servers] should be firewalled (and VPNed if access from elsewhere is required). I'm not sure if that'd help in this case or not (anyone? it may depend on your application), but generally that should decrease your exposure to security problems in any SQL server, not just PostgreSQL.

I meant to say that I'm not sure if that'd eliminate the problem in this particular case. It'd certainly help - if your application doesn't ever call the affected functions (lpad, etc. may not be that commonly used) and you can't execute arbitrary SQL (in other words, the application isn't buggy also), then you can't exploit it. But I wouldn't be shocked if it were possible to exploit the problem through some well-behaved application that does make use of those functions. Best to both firewall and patch...
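The "firewall and patch" advice in the two comments above comes down to one concrete control on the PostgreSQL side: pg_hba.conf decides which networks may even open a TCP connection and how they must authenticate. The following audit script is an added example for this page, not code from PostgreSQL or from either commenter. It assumes the 7.x pg_hba.conf layout (`host DATABASE USER IP-ADDRESS IP-MASK METHOD`, with `local` rules carrying no address) and also accepts the later CIDR-style address column; the trusted network, the sample configs and the choice of which methods count as weak are all constructed for illustration.

```python
"""Audit a PostgreSQL pg_hba.conf for rules that expose the server more widely
than a firewalled deployment should tolerate.

Added example for this discussion, not PostgreSQL's own code.
Assumptions (not PostgreSQL defaults): the 7.x rule layout
    local  DATABASE USER                     METHOD
    host   DATABASE USER IP-ADDRESS IP-MASK  METHOD
plus the newer CIDR form (host all all 10.0.0.0/8 md5); the set of
"weak" methods and the trusted network below are illustrative choices.
"""
import ipaddress

# Methods that let any client on the matching network in without proving
# identity (trust) or that send a reusable cleartext credential (password).
WEAK_METHODS = {"trust", "password"}

# Constructed sample: wide open, as many 2003-era installs shipped.
WEAK_CONF = (
    "# constructed example: anyone on any network, no authentication\n"
    "local  all  all                          trust\n"
    "host   all  all  0.0.0.0    0.0.0.0      trust\n"
)

# Constructed sample: only the application subnet, hashed password on the wire.
HARDENED_CONF = (
    "# constructed example: app servers only, md5 challenge/response\n"
    "local  all  all                              md5\n"
    "host   all  all  192.168.10.0  255.255.255.0 md5\n"
)

# Hypothetical application-server subnet; the firewall should match it too.
TRUSTED_NETS = ["192.168.10.0/24"]


def parse_hba_line(line):
    """Return (type, database, user, network, method) for one rule, or None
    for blank/comment lines.  `network` is an ipaddress network object, or
    None for Unix-socket (`local`) rules."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    kind = fields[0]
    if kind == "local":
        if len(fields) < 4:
            raise ValueError("malformed local rule: %r" % line)
        return (kind, fields[1], fields[2], None, fields[3])
    if kind in ("host", "hostssl", "hostnossl"):
        if len(fields) >= 6 and "/" not in fields[3]:
            # 7.x style: separate IP-ADDRESS and IP-MASK columns.
            net = ipaddress.ip_network("%s/%s" % (fields[3], fields[4]), strict=False)
            return (kind, fields[1], fields[2], net, fields[5])
        if len(fields) >= 5:
            # CIDR style ADDRESS column.
            net = ipaddress.ip_network(fields[3], strict=False)
            return (kind, fields[1], fields[2], net, fields[4])
        raise ValueError("malformed host rule: %r" % line)
    raise ValueError("unknown rule type: %r" % line)


def audit_hba(text, trusted_nets):
    """Return [(line_no, reason), ...] for rules that accept TCP clients
    outside `trusted_nets` or that use a weak authentication method.
    Each rule is judged on its own; the server's first-match ordering is
    not modelled, so a finding means "this rule, if reached, is too open"."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        rule = parse_hba_line(raw)
        if rule is None:
            continue
        kind, db, user, net, method = rule
        if method in WEAK_METHODS:
            findings.append((no, "weak auth method %r for %s/%s" % (method, db, user)))
        if net is not None and not any(
            t.version == net.version and net.subnet_of(t) for t in trusted
        ):
            findings.append((no, "TCP access from %s is outside the trusted networks" % net))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s config: %s" % (name, audit_hba(conf, TRUSTED_NETS) or "no findings"))
```

Running the script flags the `trust` rules and the 0.0.0.0/0 address in the weak config and reports nothing for the hardened one. The check deliberately ignores rule order: a permissive rule that is shadowed by an earlier, stricter one still earns a finding, because the next edit to the file may un-shadow it. Restricting pg_hba.conf does not remove an overflow in a server-side function, which is the point of slamb's "both firewall and patch": it only shrinks the set of clients who can send the SQL that reaches it.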


Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds