On 05/03/2013 10:07 PM, Ray Carnes wrote:
>> We are considering releasing a security update for OpenERP to prevent
>> exploiting the vulnerability even on unpatched PostgreSQL versions.
> Has a decision been made about this yet? Will OpenERP be releasing a
> security update? Or is the recommended course of action to update
> PostgreSQL?
The recommended course of action is definitely to patch all PostgreSQL
installations, regardless of the availability of a patch for OpenERP.
There are usually several ways to exploit this on any system; OpenERP is only
one of them.
A proof of concept patch was written for OpenERP, but it turned out to be
unsuitable for official LTS versions, as it breaks compatibility with some
existing database names (unusual ones, but still technically valid and
working). Note that the connection pooling system might also incur a small
performance hit due to this extra check.
Proof of concept for 7.0:
https://code.launchpad.net/~openerp-dev/openobject-server/7.0-sanitize-db-connections/+merge/164190
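To show why a database-name check at the connection layer trades safety for compatibility, here is an added Python example. It is not the OpenERP proof-of-concept patch linked above and not code from this thread; the allowlist pattern, the `UnsafeDatabaseName` exception, the helper functions and the sample names are all assumptions constructed for illustration. It applies a strict identifier-style allowlist before a name is used to open a connection and runs it over names that PostgreSQL itself accepts (quoted identifiers may contain dashes, spaces and non-ASCII letters), so the rejected list is exactly the "unusual but valid" breakage the reply describes.

```python
import re

# Constructed policy: an identifier-like name, at most 63 characters (PostgreSQL's
# identifier length limit). This is an assumption for the example, not OpenERP's rule.
STRICT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


class UnsafeDatabaseName(ValueError):
    """Raised when a database name fails the pre-connection check."""


def check_db_name(name, pattern=STRICT):
    """Validate a database name before it is used to open a connection.

    Returns the name unchanged when it matches the allowlist and raises
    UnsafeDatabaseName otherwise. A pool would call this on every borrow,
    which is the small extra cost the reply mentions.
    """
    if not isinstance(name, str) or pattern.fullmatch(name) is None:
        raise UnsafeDatabaseName("refusing to connect to database %r" % (name,))
    return name


def is_allowed(name, pattern=STRICT):
    """Boolean form of check_db_name, convenient for tests and logging."""
    try:
        check_db_name(name, pattern)
    except UnsafeDatabaseName:
        return False
    return True


def classify(names, pattern=STRICT):
    """Split candidate names into (accepted, rejected) under the allowlist."""
    accepted, rejected = [], []
    for name in names:
        (accepted if is_allowed(name, pattern) else rejected).append(name)
    return accepted, rejected


# Constructed sample. Every non-empty, <=63-byte entry here is a legal PostgreSQL
# database name when created as a quoted identifier, yet the strict allowlist
# rejects most of them: that is the compatibility break the reply warns about.
SAMPLE_NAMES = [
    "openerp",       # plain identifier: accepted
    "prod_2013",     # underscore and digits: accepted
    "my-company",    # dash: legal in PostgreSQL, rejected here
    "Sales 2013",    # space: legal in PostgreSQL, rejected here
    "données",       # non-ASCII letter: legal in PostgreSQL, rejected here
    "",              # empty: never a valid name
    "x" * 64,        # one byte over PostgreSQL's 63-byte limit
]

if __name__ == "__main__":
    accepted, rejected = classify(SAMPLE_NAMES)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Before deploying such a check, run `classify` over the real list of database names on each server (for example the output of `SELECT datname FROM pg_database`); any legitimate name that lands in `rejected` is a deployment that would stop working, which is the reason the reply gives for not shipping the check in an LTS release.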
_______________________________________________
Mailing list: https://launchpad.net/~openerp-community
Post to : [email protected]
Unsubscribe : https://launchpad.net/~openerp-community
More help : https://help.launchpad.net/ListHelp