Todays PostgreSQL security announcement


#1

Today PostgreSQL announced CVE-2013-1899 [1], a vulnerability that allows a remote attacker with access to the PostgreSQL port to cause malicious damage to a database. The Chef 11 server Omnibus package includes PostgreSQL v9.2.1, which is vulnerable, however it is bound to localhost by default so it is only accessible from the server itself thereby mitigating the vulnerability to users with access to the system.

We will include a patched version of PostgreSQL in the upcoming 11.0.8-server release. CHEF-4060 [2] has been assigned to this update. We should have a release candidate early next week and the actual release not to far behind.


Bryan McLellan | opscode | technical program manager, open source
© 206.607.7108 | (t) @btmspox | (b) http://blog.loftninjas.org

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899
[2] http://tickets.opscode.com/browse/CHEF-4060