[Pkg-postgresql-public] PostgreSQL 9.1.12 and 8.4.20
Christoph Berg
myon at debian.org
Thu Feb 20 15:22:39 UTC 2014
Re: To team at security.debian.org 2014-02-20 <20140220144659.GC16735 at msgid.df7cb.de>
> The tarballs are now on the ftp server, and also linked from
> www.postgresql.org, so the DSA could be sent out now.
The official announcement contains a more compact description of the
problems:
This update fixes CVE-2014-0060, in which PostgreSQL did not properly
enforce the WITH ADMIN OPTION permission for ROLE management. Before
this fix, any member of a ROLE was able to grant others access to the
same ROLE regardless of whether the member was given the WITH ADMIN OPTION
permission. It also fixes multiple privilege escalation issues,
including: CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064,
CVE-2014-0065, and CVE-2014-0066. More information on these issues can
be found on our security page and the security issue detail wiki page.
With this release, we are also alerting users to a known security
hole that allows other users on the same machine to gain access to an
operating system account while it is doing "make check":
CVE-2014-0067. "Make check" is normally part of building PostgreSQL
from source code. As it is not possible to fix this issue without
causing significant issues to our testing infrastructure, a patch will
be released separately and publicly. Until then, users are strongly
advised not to run "make check" on machines where untrusted users have
accounts.
Christoph
--
cb at df7cb.de | http://www.df7cb.de/
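A worked SQL illustration of the WITH ADMIN OPTION enforcement described above, added here as an example; it is not part of Christoph's mail or the PostgreSQL announcement, and the role names (app_readers, alice, bob) are constructed for the example.

```sql
-- Added example, not from the original mail or the PostgreSQL announcement.
-- Shows the distinction CVE-2014-0060 is about: plain role membership
-- versus membership WITH ADMIN OPTION, and how to audit which one a role holds.
-- Role names are constructed for this example; run as a superuser.
CREATE ROLE app_readers NOLOGIN;
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;

-- alice is made a plain member: she may use app_readers' privileges,
-- but is NOT supposed to be able to hand the role on to anyone else.
GRANT app_readers TO alice;

-- Audit query: list every membership in app_readers and whether the member
-- holds the admin option (pg_auth_members.admin_option). Unexpected 't'
-- rows here are what a DBA should look for.
SELECT r.rolname AS role,
       m.rolname AS member,
       am.admin_option
FROM pg_auth_members am
JOIN pg_roles r ON r.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
WHERE r.rolname = 'app_readers'
ORDER BY m.rolname;

-- Acting as alice, attempt to grant the role to bob. On the fixed releases
-- (9.1.12 / 8.4.20) this is rejected because alice lacks the admin option;
-- on the unfixed releases the announcement describes, it succeeded.
SET ROLE alice;
GRANT app_readers TO bob;
RESET ROLE;

-- Intended delegation: give alice the admin option explicitly. Only after
-- this should the GRANT above be expected to succeed for her.
GRANT app_readers TO alice WITH ADMIN OPTION;
```

Re-running the audit query after the last statement shows alice's admin_option flipped to true, which is the state that must be granted deliberately rather than assumed for every member.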