Hi,

On Fri, Mar 29, 2013 at 4:13 PM, Dan Scott <[email protected]> wrote:
> As Evergreen is built with PostgreSQL at the core, the following
> PostgreSQL news announcement should be of concern to Evergreen
> administrators:
>
> """
> Upcoming PostgreSQL Security Release: April 4, 2013
The PostgreSQL security release was made earlier today.

http://www.postgresql.org/about/news/1456/

An FAQ about the security release can be found at:

http://www.postgresql.org/support/security/faq/2013-04-04/

The security flaw can be exploited by an attacker that has access to the PostgreSQL port, which is typically 5432.

Evergreen DBAs should plan on upgrading promptly, but I would particularly like to reiterate a long-standing recommendation for securing PostgreSQL databases: the database service port should never be exposed to untrusted networks. If you can't upgrade right away, please at least make sure that port 5432 is not exposed outside the confines of your Evergreen cluster and any trusting reporting tools.

Please also note that using pg_hba.conf to restrict access to specified IP addresses is NOT sufficient. If an attacker can open a connection to port 5432, they can take advantage of the security issue.

Regards,

Galen
-- 
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email: [email protected]
direct: +1 770-709-5581
cell: +1 404-984-4366
skype: gmcharlt
web: http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org & http://evergreen-ils.org
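As an added illustration of the exposure check Galen recommends (example code, not part of the original thread or of Evergreen): the script below parses the `listen_addresses` and `port` settings of a postgresql.conf and reports which non-loopback addresses the server binds to. The sample configuration is constructed; `parse_settings`, `exposed_listeners` and `SAMPLE_CONF` are names chosen here. It deliberately does not look at pg_hba.conf, since the post's point is that host rules there do not protect a listener that is reachable from an untrusted network.

```python
"""Audit postgresql.conf for network exposure of the database port.

Added example, not from the original thread. It reports where the listener
binds; pg_hba.conf is deliberately ignored because, as the post says, host
rules there do not stop anyone who can open a TCP connection to the port."""
import ipaddress
import re

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
_SETTING = re.compile(r"^\s*([A-Za-z_]+)\s*=?\s*('(?:[^']|'')*'|\S+)")

# Constructed sample configuration (not from the original post).
SAMPLE_CONF = """
listen_addresses = '*'        # every interface, including untrusted ones
#port = 5433                  # commented out, so the default 5432 applies
max_connections = 100
"""

def parse_settings(conf_text):
    """Return a dict of active setting name -> unquoted value."""
    settings = {}
    for line in conf_text.splitlines():
        m = _SETTING.match(line)
        if line.lstrip().startswith("#") or not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if value.startswith("'"):               # strip quotes, unescape ''
            value = value[1:-1].replace("''", "'")
        settings[key] = value
    return settings

def exposed_listeners(conf_text):
    """Return (port, non-loopback listen addresses).
    '*' / '0.0.0.0' / '::' mean every interface; an empty list means the
    server is reachable only from the local machine."""
    settings = parse_settings(conf_text)
    port = int(settings.get("port", "5432"))
    exposed = []
    for addr in settings.get("listen_addresses", "localhost").split(","):
        addr = addr.strip()
        if not addr or addr in LOOPBACK:
            continue
        try:
            if ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:
            pass  # '*' or a hostname: not loopback, so it counts as exposed
        exposed.append(addr)
    return port, exposed
```

Running `exposed_listeners(SAMPLE_CONF)` returns `(5432, ['*'])`, i.e. the default port bound on every interface, which is the situation the post asks administrators to firewall off from anything outside the Evergreen cluster.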
