postgres and CVE-2010-0442


Alexander Pyhalov

Mar 25, 2010, 9:12:21 AM
to Freebsd Ports
Hello.
Could someone look at http://www.freebsd.org/cgi/query-pr.cgi?pr=144863
? There is a quite serious security issue in postgres, which allows any
user to kill others' sessions.
--
Best regards,
Alexander Pyhalov,
system administrator of Computer Center of South Federal University

Gary Jennejohn

Mar 25, 2010, 10:44:20 AM
to Alexander Pyhalov, Freebsd Ports
On Thu, 25 Mar 2010 16:12:21 +0300
Alexander Pyhalov <a...@rsu.ru> wrote:

> Hello.
> Could someone look at http://www.freebsd.org/cgi/query-pr.cgi?pr=144863
> ? There is a quite serious security issue in postgres, which allows any
> user to kill others' sessions.
>

It's only been a week since it was assigned to the maintainer (girgen@)
to look at.

It's too soon for a maintainer timeout, although I suppose if this is
considered to be an enormous security risk it could be committed without
waiting.

I'd say that's a decision for portmgr@ to make.

--
Gary Jennejohn

Mark Linimon

Mar 25, 2010, 12:28:31 PM
to Gary Jennejohn, Freebsd Ports, Alexander Pyhalov
On Thu, Mar 25, 2010 at 03:44:20PM +0100, Gary Jennejohn wrote:
> It's only been a week since it was assigned to the maintainer (girgen@)
> to look at.
>
> It's too soon for a maintainer timeout, although I suppose if this is
> considered to be an enormous security risk it could be committed without
> waiting.

I'd say go ahead and commit it. We often waive the two-week period for
security problems.

mcl

Andrea Venturoli

Apr 11, 2010, 9:32:53 AM
to freebs...@freebsd.org, gary.je...@freenet.de, a...@rsu.ru

Sorry to step in.
8.4 has been corrected for a while, but what about 8.2 and 8.3?
Is the new (non-vulnerable) version going to arrive in the port tree
anytime soon, or should we plan a version upgrade?

bye & Thanks
av.
