Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1057: postgresql-10, postgresql-9.6, postgresql-9.4, postgresql-9.1

2018-03-07 Thread Christoph Berg
Re: Brian May 2018-03-07 <87a7vk9yhn@prune.linuxpenguins.xyz>
> > jessie's postgresql-9.1 package is shipping a single binary package
> > only, postgresql-plperl-9.1. (Check the jessie release notes for the
> > rationale.) plperl is not affected by the changes as far as I can tell
> > by inspecting src/pl/plperl's git log.
> 
> Ok, I understand now. So this doesn't apply to wheezy, only Jessie.

We've done that keep-plperl-around-for-upgrades dance a few times in
the past, but dropped it for stretch, as the extra effort didn't seem
worth it, given upgrading works even if oldpg-plperl.deb is
uninstalled.

> > I don't plan to work on a 9.1 LTS release; the changes were deemed
> > below the radar by the Debian Security team, and wheezy's EOL is just
> > around the corner.
> 
> Yes, as the other versions were marked no-dsa, might be best just to
> mark it as no-dsa for wheezy too.
> 
> Any objections if I do this?

Please go ahead.

Thanks,
Christoph



Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1057: postgresql-10, postgresql-9.6, postgresql-9.4, postgresql-9.1

2018-03-06 Thread Brian May
Christoph Berg writes:

> jessie's postgresql-9.1 package is shipping a single binary package
> only, postgresql-plperl-9.1. (Check the jessie release notes for the
> rationale.) plperl is not affected by the changes as far as I can tell
> by inspecting src/pl/plperl's git log.

Ok, I understand now. So this doesn't apply to wheezy, only Jessie.

> Backpatching the changes will be hard; a colleague tried to apply the
> pg_dump changes and gave up because hundreds of chunks failed. (The
> rest might be easier though.)
>
> I don't plan to work on a 9.1 LTS release; the changes were deemed
> below the radar by the Debian Security team, and wheezy's EOL is just
> around the corner.

Yes, as the other versions were marked no-dsa, might be best just to
mark it as no-dsa for wheezy too.

Any objections if I do this?

Regards
-- 
Brian May 



Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1057: postgresql-10, postgresql-9.6, postgresql-9.4, postgresql-9.1

2018-03-06 Thread Christoph Berg
Re: Brian May 2018-03-04 <87tvtva5r4@prune.linuxpenguins.xyz>
> Christoph Berg writes:
> 
> > +   [jessie] - postgresql-9.1  (postgresql-9.1 in jessie is 
> > PL/Perl only)
> 
> Hello,
> 
> What did you mean by "jessie is PL/Perl only"?

Hi Brian,

jessie's postgresql-9.1 package is shipping a single binary package
only, postgresql-plperl-9.1. (Check the jessie release notes for the
rationale.) plperl is not affected by the changes as far as I can tell
by inspecting src/pl/plperl's git log.

> I am not sure I see the connection between CVE-2018-1058 (was
> incorrectly labeled as CVE-2018-1057) which is for issues concerning the
> search_path (as far as I can tell) and PL/Perl.
> 
> Just trying to confirm if Wheezy is vulnerable or not. As Wheezy is
> using postgresql-9.1, and postgresql-9.1 is not vulnerable in Jessie, I
> am guessing wheezy is not vulnerable too.

9.1 is not vulnerable in Jessie because it's stripped down. All PG
versions are equally affected, the issue has been there since
schemas were introduced in 7.3.

Backpatching the changes will be hard; a colleague tried to apply the
pg_dump changes and gave up because hundreds of chunks failed. (The
rest might be easier though.)

I don't plan to work on a 9.1 LTS release; the changes were deemed
below the radar by the Debian Security team, and wheezy's EOL is just
around the corner.

Christoph
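The search_path behaviour the two of them are discussing, as an added worked example that is not part of this thread and not code from the PostgreSQL project: it shows why an unqualified function call can be resolved to an object in the public schema instead of pg_catalog, and the hardening that the post-CVE-2018-1058 pg_dump output and documentation apply. The role names "admin" and "mallory", the table "t" and the shadowing function are assumptions made up for the demonstration; the cluster is assumed to still have the old default of CREATE on schema public granted to PUBLIC.

```sql
-- Added example, not from the thread or the PostgreSQL project.
-- Assumes: a superuser "admin", an unprivileged role "mallory", and the
-- pre-2018 default where PUBLIC holds CREATE on schema public.

-- As mallory: create a function in "public" that shadows pg_catalog.lower(text).
-- Function resolution considers candidates from every schema on search_path
-- and prefers the best type match; an exact varchar match beats the
-- catalog's lower(text), which needs a cast. Nothing about the query text
-- tells the caller which one ran.
CREATE FUNCTION public.lower(varchar) RETURNS text
LANGUAGE sql AS $$
  SELECT 'hijacked: ' || pg_catalog.lower($1::text)
$$;

-- As admin, with the default search_path ("$user", public):
CREATE TABLE public.t (name varchar);
INSERT INTO public.t VALUES ('Alice');
SELECT lower(name) FROM t;   -- resolves to public.lower(varchar): 'hijacked: alice'

-- Hardening, in the order the CVE-2018-1058 advice recommends:
-- 1. Stop ordinary roles from creating objects in public at all.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. Pin search_path to empty for privileged sessions and scripts. This is
--    the statement newer pg_dump versions emit at the top of their output,
--    so restores no longer resolve unqualified names through public.
SELECT pg_catalog.set_config('search_path', '', false);

-- 3. With an empty search_path every reference must be schema-qualified,
--    so the shadowing function is never a candidate.
SELECT pg_catalog.lower(name) FROM public.t;   -- 'alice'

-- 4. Remove the shadowing object (as admin).
DROP FUNCTION public.lower(varchar);
```

Step 2 is the part that had to be backpatched into pg_dump, which is why a diff touching many versions' dump code fails to apply cleanly on an old tree; step 1 is a one-line administrative change that works on any release with schemas, which is to say anything since 7.3.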



Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1057: postgresql-10, postgresql-9.6, postgresql-9.4, postgresql-9.1

2018-03-04 Thread Brian May
Christoph Berg writes:

> + [jessie] - postgresql-9.1  (postgresql-9.1 in jessie is 
> PL/Perl only)

Hello,

What did you mean by "jessie is PL/Perl only"?

I am not sure I see the connection between CVE-2018-1058 (was
incorrectly labeled as CVE-2018-1057) which is for issues concerning the
search_path (as far as I can tell) and PL/Perl.

Just trying to confirm if Wheezy is vulnerable or not. As Wheezy is
using postgresql-9.1, and postgresql-9.1 is not vulnerable in Jessie, I
am guessing wheezy is not vulnerable too.

Thanks.
-- 
Brian May