Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1057: postgresql-10, postgresql-9.6, postgresql-9.4, postgresql-9.1
Re: Brian May 2018-03-07 <87a7vk9yhn@prune.linuxpenguins.xyz>
> > jessie's postgresql-9.1 package is shipping a single binary package
> > only, postgresql-plperl-9.1. (Check the jessie release notes for the
> > rationale.) plperl is not affected by the changes as far as I can tell
> > by inspecting src/pl/plperl's git log.
>
> Ok, I understand now. So this doesn't apply to wheezy, only Jessie.

We've done that keep-plperl-around-for-upgrades dance a few times in the
past, but dropped it for stretch, as the extra effort didn't seem worth
it, given upgrading works even if oldpg-plperl.deb is uninstalled.

> > I don't plan to work on a 9.1 LTS release; the changes were deemed
> > below the radar by the Debian Security team, and wheezy's EOL is just
> > around the corner.
>
> Yes, as the other versions were marked no-dsa, might be best just to
> mark it as no-dsa for wheezy too.
>
> Any objections if I do this?

Please go ahead.

Thanks,
Christoph
Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1057: postgresql-10, postgresql-9.6, postgresql-9.4, postgresql-9.1
Christoph Berg writes:

> jessie's postgresql-9.1 package is shipping a single binary package
> only, postgresql-plperl-9.1. (Check the jessie release notes for the
> rationale.) plperl is not affected by the changes as far as I can tell
> by inspecting src/pl/plperl's git log.

Ok, I understand now. So this doesn't apply to wheezy, only Jessie.

> Backpatching the changes will be hard; a colleague tried to apply the
> pg_dump changes and gave up because hundreds of chunks failed. (The
> rest might be easier though.)
>
> I don't plan to work on a 9.1 LTS release; the changes were deemed
> below the radar by the Debian Security team, and wheezy's EOL is just
> around the corner.

Yes, as the other versions were marked no-dsa, might be best just to
mark it as no-dsa for wheezy too.

Any objections if I do this?

Regards
--
Brian May
Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1057: postgresql-10, postgresql-9.6, postgresql-9.4, postgresql-9.1
Re: Brian May 2018-03-04 <87tvtva5r4@prune.linuxpenguins.xyz>
> Christoph Berg writes:
>
> > + [jessie] - postgresql-9.1 (postgresql-9.1 in jessie is
> > PL/Perl only)
>
> Hello,
>
> What did you mean by "jessie is PL/Perl only"?

Hi Brian,

jessie's postgresql-9.1 package is shipping a single binary package
only, postgresql-plperl-9.1. (Check the jessie release notes for the
rationale.) plperl is not affected by the changes as far as I can tell
by inspecting src/pl/plperl's git log.

> I am not sure I see the connection between CVE-2018-1058 (was
> incorrectly labeled as CVE-2018-1057) which is for issues concerning the
> search_path (as far as I can tell) and PL/Perl.
>
> Just trying to confirm if Wheezy is vulnerable or not. As Wheezy is
> using postgresql-9.1, and postgresql-9.1 is not vulnerable in Jessie, I
> am guessing wheezy is not vulnerable too.

9.1 is not vulnerable in Jessie because it's stripped down. All PG
versions are equally affected; the issue has been there since schemas
were introduced in 7.3.

Backpatching the changes will be hard; a colleague tried to apply the
pg_dump changes and gave up because hundreds of chunks failed. (The
rest might be easier though.)

I don't plan to work on a 9.1 LTS release; the changes were deemed
below the radar by the Debian Security team, and wheezy's EOL is just
around the corner.

Christoph
Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1057: postgresql-10, postgresql-9.6, postgresql-9.4, postgresql-9.1
Christoph Berg writes:

> + [jessie] - postgresql-9.1 (postgresql-9.1 in jessie is
> PL/Perl only)

Hello,

What did you mean by "jessie is PL/Perl only"?

I am not sure I see the connection between CVE-2018-1058 (was
incorrectly labeled as CVE-2018-1057) which is for issues concerning the
search_path (as far as I can tell) and PL/Perl.

Just trying to confirm if Wheezy is vulnerable or not. As Wheezy is
using postgresql-9.1, and postgresql-9.1 is not vulnerable in Jessie, I
am guessing wheezy is not vulnerable too.

Thanks.
--
Brian May