Heads up on Postgres security release coming April 4, 2013

From: Selena Deckelmann <selena(at)chesnok(dot)com>
To: Postgresql PDX_Users <pdxpug(at)postgresql(dot)org>
Subject: Heads up on Postgres security release coming April 4, 2013
Date: 2013-03-28 20:29:20
Message-ID: CAN1EF+wjksUQzjs01pVncXKV8ZKgKAjt01ijOAKxzkxhgvEj-g@mail.gmail.com
Lists: pdxpug

http://www.postgresql.org/message-id/14040.1364490185@sss.pgh.pa.us

Everyone is recommended to upgrade as soon as possible. Suggestion is to
not let databases remain not-upgraded through Monday if at all possible.

-selena

--
http://chesnok.com


From: web(at)mr-paradox(dot)net
To: pdxpug(at)postgresql(dot)org
Subject: Re: Heads up on Postgres security release coming April 4, 2013
Date: 2013-04-04 18:37:05
Message-ID: 20130404183705.GA80771@mr-paradox.net
Lists: pdxpug

On Thu, Mar 28, 2013 at 01:29:20PM -0700, Selena Deckelmann wrote:
- http://www.postgresql.org/message-id/14040.1364490185@sss.pgh.pa.us
-
- Everyone is recommended to upgrade as soon as possible. Suggestion is to
- not let databases remain not-upgraded through Monday if at all possible.
-
- -selena

Can anyone confirm if this is the correct version for the security fix?

postgresql92-server.x86_64 9.2.4-1PGDG.rhel6 @pgdg-92-centos

The pgdg repo shows it was last updated April 1, which doesn't seem correct.

Thanks.

Dave


From: john melesky <list(at)phaedrusdeinus(dot)org>
To: web(at)mr-paradox(dot)net
Cc: pdxpug(at)postgresql(dot)org
Subject: Re: Heads up on Postgres security release coming April 4, 2013
Date: 2013-04-04 18:41:45
Message-ID: 20130404184145.GB17047@phaedrusdeinus.org
Lists: pdxpug

> Can anyone confirm if this is the correct version for the security fix?
>
> postgresql92-server.x86_64 9.2.4-1PGDG.rhel6 @pgdg-92-centos

9.2.4 is the correct version, according to the release notice:

http://www.postgresql.org/about/news/1456/

> The pgdg repo shows it was last updated April 1, which doesn't seem correct.

According to the release FAQ (http://www.postgresql.org/support/security/faq/2013-04-04/)

> We have two teams that communicate on private lists hosted on the
> PGDG infrastructure. Both teams had access to the source code prior
> to the release of any packages for analyzing the security patch and
> then creating packages for distributing PostgreSQL binaries. These
> are our Security Team and our Packagers List. In both cases, these
> groups had early access in order to participate in patching the
> security hole.

So it's probably accurate.

-john
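The question above (is the installed package the one with the fix?) comes down to comparing the installed version against the minimum fixed version for that branch. The following is an added example and is not code from the thread or from the PostgreSQL project; it assumes the fixed version for the 9.2 branch is 9.2.4 as the release notice says, and it takes its sample input from the package line quoted above (the second, older sample line is constructed). On a real host the input line would come from `yum list installed postgresql92-server`.

```bash
#!/bin/sh
# Added example: decide whether an installed PostgreSQL server package is at or
# above the version that carries the April 4, 2013 security fix.

# Minimum fixed version for the 9.2 branch, per the release notice linked above.
# Other branches have their own minimum; look them up in the notice.
MIN_FIXED_92="9.2.4"

# Strip the packager release suffix: "9.2.4-1PGDG.rhel6" -> "9.2.4".
pkg_base_version() {
    printf '%s\n' "$1" | sed -e 's/-.*$//'
}

# Return 0 when dotted version $1 >= dotted version $2, comparing each field
# numerically so that 9.2.10 correctly sorts above 9.2.4.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# Take one "yum list installed" style line
#   postgresql92-server.x86_64 9.2.4-1PGDG.rhel6 @pgdg-92-centos
# and return 0 if its version is at or above MIN_FIXED_92.
pkg_line_is_fixed() {
    ver=$(pkg_base_version "$(printf '%s\n' "$1" | awk '{ print $2 }')")
    version_ge "$ver" "$MIN_FIXED_92"
}

# Sample input: the first line is the one quoted in the thread, the second is a
# constructed line for an older package so both outcomes are visible.
SAMPLE_FIXED="postgresql92-server.x86_64 9.2.4-1PGDG.rhel6 @pgdg-92-centos"
SAMPLE_OLD="postgresql92-server.x86_64 9.2.3-1PGDG.rhel6 @pgdg-92-centos"

for line in "$SAMPLE_FIXED" "$SAMPLE_OLD"; do
    if pkg_line_is_fixed "$line"; then
        echo "fixed:        $line"
    else
        echo "needs update: $line"
    fi
done
```

The check keys on the version number rather than the repository's modification date: as the FAQ excerpt quoted above explains, packagers receive the source before the public announcement, so the package files can legitimately carry a date earlier than the release day.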


From: Selena Deckelmann <selena(at)chesnok(dot)com>
To: web(at)mr-paradox(dot)net
Cc: Postgresql PDX_Users <pdxpug(at)postgresql(dot)org>
Subject: Re: Heads up on Postgres security release coming April 4, 2013
Date: 2013-04-04 18:45:30
Message-ID: CAN1EF+wZqE_Y1v=-LwVh-HJi5Z0qc3rudqxzdse90-gHPB4+LQ@mail.gmail.com
Lists: pdxpug

On Thu, Apr 4, 2013 at 11:37 AM, <web(at)mr-paradox(dot)net> wrote:

> On Thu, Mar 28, 2013 at 01:29:20PM -0700, Selena Deckelmann wrote:
> - http://www.postgresql.org/message-id/14040.1364490185@sss.pgh.pa.us
> -
> - Everyone is recommended to upgrade as soon as possible. Suggestion is to
> - not let databases remain not-upgraded through Monday if at all possible.
> -
> - -selena
>
> Can anyone confirm if this is the correct version for the security fix?
>
> postgresql92-server.x86_64 9.2.4-1PGDG.rhel6 @pgdg-92-centos
>
> The pgdg repo shows it was last updated April 1, which doesn't seem
> correct.
>

The packages were pushed early, and then mirrored to the public today.

-selena

--
http://chesnok.com


From: David Kerr <dmk(at)mr-paradox(dot)net>
To: john melesky <list(at)phaedrusdeinus(dot)org>
Cc: web(at)mr-paradox(dot)net, pdxpug(at)postgresql(dot)org
Subject: Re: Heads up on Postgres security release coming April 4, 2013
Date: 2013-04-04 18:52:39
Message-ID: 20130404185239.GA81713@mr-paradox.net
Lists: pdxpug

On Thu, Apr 04, 2013 at 06:41:45PM +0000, john melesky wrote:
- > Can anyone confirm if this is the correct version for the security fix?
- >
- > postgresql92-server.x86_64 9.2.4-1PGDG.rhel6 @pgdg-92-centos
-
- 9.2.4 is the correct version, according to the release notice:
-
- http://www.postgresql.org/about/news/1456/

Yeah, but it also says it affects 9.2.4:
"The PostgreSQL Global Development Group has released a security update to all current versions of the
PostgreSQL database system, including versions 9.2.4"

- > The pgdg repo shows it was last updated April 1, which doesn't seem correct.
-
- According to the release FAQ (http://www.postgresql.org/support/security/faq/2013-04-04/)
-
- > We have two teams that communicate on private lists hosted on the
- > PGDG infrastructure. Both teams had access to the source code prior
- > to the release of any packages for analyzing the security patch and
- > then creating packages for distributing PostgreSQL binaries. These
- > are our Security Team and our Packagers List. In both cases, these
- > groups had early access in order to participate in patching the
- > security hole.
-
- So it's probably accurate.

I did read that too, but I was just expecting a modified date of today.

Thanks though, I think you're right and that is the correct one.


From: Selena Deckelmann <selena(at)chesnok(dot)com>
To: David Kerr <dmk(at)mr-paradox(dot)net>
Cc: john melesky <list(at)phaedrusdeinus(dot)org>, web(at)mr-paradox(dot)net, Postgresql PDX_Users <pdxpug(at)postgresql(dot)org>
Subject: Re: Heads up on Postgres security release coming April 4, 2013
Date: 2013-04-04 18:55:06
Message-ID: CAN1EF+xdOwEj3x6xx=tmCpp0TCfUSBB7G3kmJ8LLYC8bo6fwxw@mail.gmail.com
Lists: pdxpug

On Thu, Apr 4, 2013 at 11:52 AM, David Kerr <dmk(at)mr-paradox(dot)net> wrote:

> On Thu, Apr 04, 2013 at 06:41:45PM +0000, john melesky wrote:
> - > Can anyone confirm if this is the correct version for the security fix?
> - >
> - > postgresql92-server.x86_64 9.2.4-1PGDG.rhel6 @pgdg-92-centos
> -
> - 9.2.4 is the correct version, according to the release notice:
> -
> - http://www.postgresql.org/about/news/1456/
>
> Yeah, but it also says it affects 9.2.4:
> "The PostgreSQL Global Development Group has released a security update to
> all current versions of the
> PostgreSQL database system, including versions 9.2.4"
>

The meaning was "the updates include: version, version, version, version"

--
http://chesnok.com


From: web(at)mr-paradox(dot)net
To: Selena Deckelmann <selena(at)chesnok(dot)com>
Cc: john melesky <list(at)phaedrusdeinus(dot)org>, web(at)mr-paradox(dot)net, Postgresql PDX_Users <pdxpug(at)postgresql(dot)org>
Subject: Re: Heads up on Postgres security release coming April 4, 2013
Date: 2013-04-04 19:00:34
Message-ID: 20130404190034.GB81713@mr-paradox.net
Lists: pdxpug

On Thu, Apr 04, 2013 at 11:55:06AM -0700, Selena Deckelmann wrote:
- On Thu, Apr 4, 2013 at 11:52 AM, David Kerr <dmk(at)mr-paradox(dot)net> wrote:
-
- > On Thu, Apr 04, 2013 at 06:41:45PM +0000, john melesky wrote:
- > - > Can anyone confirm if this is the correct version for the security fix?
- > - >
- > - > postgresql92-server.x86_64 9.2.4-1PGDG.rhel6 @pgdg-92-centos
- > -
- > - 9.2.4 is the correct version, according to the release notice:
- > -
- > - http://www.postgresql.org/about/news/1456/
- >
- > Yeah, but it also says it affects 9.2.4:
- > "The PostgreSQL Global Development Group has released a security update to
- > all current versions of the
- > PostgreSQL database system, including versions 9.2.4"
- >
-
- The meaning was "the updates include: version, version, version, version"

That makes sense, and what I would normally expect. I don't know why I read this
one differently.

Also, unbeknownst to me, my dev machines have auto-update for security on
so I was wondering how I already had it =)

Thanks again!