[Pkg-postgresql-public] PostgreSQL 9.1.12 and 8.4.20

Christoph Berg myon at debian.org
Thu Feb 20 15:22:39 UTC 2014


Re: To team at security.debian.org 2014-02-20 <20140220144659.GC16735 at msgid.df7cb.de>
> The tarballs are now on the ftp server, and also linked from
> www.postgresql.org, so the DSA could be sent out now.

The official announcement contains a more compact description of the
problems:

This update fixes CVE-2014-0060, in which PostgreSQL did not properly
enforce the WITH ADMIN OPTION permission for ROLE management. Before
this fix, any member of a ROLE was able to grant others access to the
same ROLE regardless of whether the member was given the WITH ADMIN OPTION
permission. It also fixes multiple privilege escalation issues,
including: CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064,
CVE-2014-0065, and CVE-2014-0066. More information on these issues can
be found on our security page and the security issue detail wiki page.

With this release, we are also alerting users to a known security
hole that allows other users on the same machine to gain access to an
operating system account while it is doing "make check":
CVE-2014-0067.  "Make check" is normally part of building PostgreSQL
from source code. As it is not possible to fix this issue without
causing significant issues to our testing infrastructure, a patch will
be released separately and publicly.  Until then, users are strongly
advised not to run "make check" on machines where untrusted users have
accounts.

Christoph
-- 
cb at df7cb.de | http://www.df7cb.de/
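As an added illustration (not part of the announcement or the Debian package), the following psql session shows what WITH ADMIN OPTION is meant to control, together with an audit query over pg_auth_members that lists which memberships can be passed on. It assumes a superuser session on a scratch database; the role names are constructed.

```sql
-- Run as a superuser in psql autocommit mode; roles are constructed for this example.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE alice LOGIN;   -- plain member, no admin option
CREATE ROLE carol LOGIN;   -- member granted WITH ADMIN OPTION
CREATE ROLE bob LOGIN;     -- would-be new member

GRANT app_owner TO alice;
GRANT app_owner TO carol WITH ADMIN OPTION;

-- Audit: which memberships of app_owner may be handed on to other roles?
SELECT r.rolname AS role, m.rolname AS member, am.admin_option
  FROM pg_auth_members am
  JOIN pg_roles r ON r.oid = am.roleid
  JOIN pg_roles m ON m.oid = am.member
 WHERE r.rolname = 'app_owner'
 ORDER BY 2;
-- Expected rows: alice | f and carol | t

-- A plain member must not be able to extend the role to someone else.
SET ROLE alice;
GRANT app_owner TO bob;
-- On a server carrying the fix this is refused:
--   ERROR:  must have admin option on role "app_owner"
RESET ROLE;

-- Only a member holding the admin option may do so.
SET ROLE carol;
GRANT app_owner TO bob;    -- succeeds: carol has admin option on app_owner
RESET ROLE;

-- Clean up the scratch roles; their membership rows are removed with them.
DROP ROLE bob; DROP ROLE alice; DROP ROLE carol; DROP ROLE app_owner;
```

The audit query alone is what a DBA would run after applying the update, to confirm that only the intended roles hold the admin option on sensitive roles.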