Your message dated Sun, 22 Feb 2015 10:42:35 +0100
with message-id <[email protected]>
and subject line Re: [Pkg-postgresql-public] Bug#778850: Acknowledgement (Missing 20-column_privilege_leak.patch file in postgresql-8.4 8.4.22-0ubuntu0.10.04.1 source package)
has caused the Debian Bug report #778850,
regarding Missing 20-column_privilege_leak.patch file in postgresql-8.4 8.4.22-0ubuntu0.10.04.1 source package
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
778850: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778850
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: postgresql
Version: 8.4.22-0ubuntu0.10.04.1

Changelog for this package contains:

...
  * Add 20-column_privilege_leak.patch: Fix information leak via
    constraint-violation error messages [CVE-2014-8161]
...

But there is no such patch file. See:

http://launchpadlibrarian.net/197335367/postgresql-8.4_8.4.22-0ubuntu0.10.04_8.4.22-0ubuntu0.10.04.1.diff.gz

I think that means that CVE-2014-8161 is not fixed in this version.
--- End Message ---
--- Begin Message ---
Hey Charlie,

Charlie Brady [2015-02-20 11:39 -0500]:
> The fix for the column privilege leaks in error messages
> (http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=3a2063369
> , CVE-2014-8161) backports really badly to 8.4, the code changed
> completely. I'm really afraid of breaking something, and the importance of
> that is low to medium only IMHO. So I skip this one for lucid.

Argh, indeed I forgot to remove the changelog entry for that patch,
after deciding that backporting is too risky. However, this does not
affect Debian in any way, thus closing this Debian bug.

Thanks for pointing out!

Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
--- End Message ---
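
The mismatch discussed in this thread, a changelog entry naming 20-column_privilege_leak.patch while the source package ships no such file, can be checked mechanically before trusting a changelog's CVE claims. The following Python script is an added example, not part of the original messages or of the Debian/Ubuntu packaging; it assumes a debian/patches directory with an optional series file, and the sample tree, version string and maintainer in it are constructed.

```python
import re
import tempfile
from pathlib import Path

# Patch file names as they appear in changelog bullets, e.g. "Add 20-foo.patch:"
PATCH_RE = re.compile(r"[\w.+-]+\.(?:patch|diff)\b")

def claimed_patches(changelog: str) -> list[str]:
    """Patch names mentioned in the newest (top) changelog entry."""
    names = []
    for line in changelog.splitlines():
        if line.startswith(" -- "):  # maintainer trailer closes the top entry
            break
        for name in PATCH_RE.findall(line):
            if name not in names:
                names.append(name)
    return names

def missing_patches(source_tree: Path) -> list[str]:
    """Claimed patches absent from debian/patches or not listed in series."""
    debian = source_tree / "debian"
    patches = debian / "patches"
    series = None  # assumption: no series file means every shipped patch applies
    if (patches / "series").exists():
        rows = (patches / "series").read_text().splitlines()
        series = {r.split()[0] for r in rows if r.strip() and not r.lstrip().startswith("#")}
    claimed = claimed_patches((debian / "changelog").read_text())
    return [n for n in claimed
            if not (patches / n).is_file() or (series is not None and n not in series)]

def build_sample_tree(root: Path) -> Path:
    """Constructed source tree: two patches claimed, only one shipped."""
    patches = root / "debian" / "patches"
    patches.mkdir(parents=True)
    (root / "debian" / "changelog").write_text(
        "postgresql-8.4 (0.0-example1) unstable; urgency=medium\n\n"
        "  * Add 10-example_fix.patch: constructed entry, file is shipped\n"
        "  * Add 20-column_privilege_leak.patch: Fix information leak via\n"
        "    constraint-violation error messages [CVE-2014-8161]\n\n"
        " -- Example Maintainer <maint@example.org>  Thu, 01 Jan 2015 00:00:00 +0000\n"
    )
    (patches / "10-example_fix.patch").write_text("--- a/x\n+++ b/x\n")
    (patches / "series").write_text("10-example_fix.patch\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(missing_patches(build_sample_tree(Path(tmp))))
```

A non-empty result means the changelog advertises a fix that the unpacked source does not carry, which is the condition the bug report describes.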
