* New upstream bug fix release: (LP: #1348176)
- Various data integrity and other bug fixes.
- Secure Unix-domain sockets of temporary postmasters started during make
check.
Any local user able to access the socket file could connect as the
server's bootstrap superuser, then proceed to execute arbitrary code as
the operating-system user running the test, as we previously noted in
CVE-2014-0067. This change defends against that risk by placing the
server's socket in a temporary, mode 0700 subdirectory of /tmp.
- See release notes for details: http://www.postgresql.org/docs/current/static/release-8-4-22.html
* Drop pg_regress patch to run tests with socket in /tmp, obsolete with
above upstream changes and not applicable any more.
-- Martin Pitt <email address hidden> Tue, 29 Jul 2014 14:47:30 +0200
This bug was fixed in the package postgresql-8.4 - 8.4.22-0ubuntu0.12.04
---------------
postgresql-8.4 (8.4.22-0ubuntu0.12.04) precise-proposed; urgency=medium
* New upstream bug fix release: (LP: #1348176)
- Various data integrity and other bug fixes.
- Secure Unix-domain sockets of temporary postmasters started during make
check.
Any local user able to access the socket file could connect as the
server's bootstrap superuser, then proceed to execute arbitrary code as
the operating-system user running the test, as we previously noted in
CVE-2014-0067. This change defends against that risk by placing the
server's socket in a temporary, mode 0700 subdirectory of /tmp.
- See release notes for details:
http://www.postgresql.org/docs/current/static/release-8-4-22.html
* Drop pg_regress patch to run tests with socket in /tmp, obsolete with
above upstream changes and not applicable any more.
-- Martin Pitt <email address hidden> Tue, 29 Jul 2014 14:47:30 +0200
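
The mitigation named in the changelog, a socket placed in a temporary mode 0700 subdirectory of /tmp, looks like this in C. This is an added sketch, not PostgreSQL's or the package's own code; the struct, the function names, the `sockdemo-` prefix and the port 5432 are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1          /* for mkdtemp() under strict -std= modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Hypothetical names throughout; not PostgreSQL's own code. */
struct private_sock { int fd; char dir[64]; char path[96]; };

/* Create a private directory under /tmp and listen on a socket inside it.
 * Returns 0 on success, -1 on failure; call private_sock_close() either way. */
int private_sock_open(struct private_sock *ps)
{
    struct sockaddr_un addr;

    ps->fd = -1;
    ps->path[0] = '\0';
    /* mkdtemp() picks an unpredictable name and creates the directory with
     * mode 0700, so other local users cannot reach anything inside it. */
    snprintf(ps->dir, sizeof ps->dir, "/tmp/sockdemo-XXXXXX");
    if (mkdtemp(ps->dir) == NULL)
        return -1;
    /* PostgreSQL names its socket .s.PGSQL.<port>; 5432 is a sample value. */
    snprintf(ps->path, sizeof ps->path, "%s/.s.PGSQL.5432", ps->dir);
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    snprintf(addr.sun_path, sizeof addr.sun_path, "%s", ps->path);
    ps->fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (ps->fd < 0 || bind(ps->fd, (struct sockaddr *) &addr, sizeof addr) < 0
        || listen(ps->fd, 8) < 0)
        return -1;
    return 0;
}

/* 1 if dir is a real directory we own with no group/other permission bits. */
int others_locked_out(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid == geteuid() && (st.st_mode & 077) == 0;
}

/* Close the listener and remove the socket file and its directory. */
void private_sock_close(struct private_sock *ps)
{
    close(ps->fd);
    unlink(ps->path);
    rmdir(ps->dir);
}
```

The directory's mode, not the socket file's, is what keeps other local users out: without search permission on the 0700 directory they cannot resolve the socket path at all.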