Re: a vulnerability in PostgreSQL

From: Lamar Owen <lamar(dot)owen(at)wgcr(dot)org>
To: Lincoln Yeoh <lyeoh(at)pop(dot)jaring(dot)my>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Tatsuo Ishii <t-ishii(at)sra(dot)co(dot)jp>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: a vulnerability in PostgreSQL
Date: 2002-05-03 17:32:53
Message-ID: 200205031332.53813.lamar.owen@wgcr.org
Lists: pgsql-hackers

On Thursday 02 May 2002 11:43 pm, Lincoln Yeoh wrote:
> Any idea which versions of Postgresql have been bundled with O/S CDs?

For RedHat:
5.0 -> PG6.2.1
5.1 -> PG6.3.2
5.2 -> PG6.3.2
6.0 -> PG6.4.2
6.1 -> PG6.5.2 (I think -- this was my first RPMset in Red Hat Linux, but I'm
not 100% sure it was 6.5.2 -- it might have been 6.5.3)
6.2 -> PG6.5.3
7.0 -> PG7.0.2
7.1 -> PG7.0.3
7.2 -> PG7.1.3
7.2.93 -> PG7.2.1

Red Hat 7.2 is the current official Red Hat, and _currently_ ships with 7.1.3.
If this bug applies there, it should be backpatched, and I would be willing
to roll another 7.1.3 RPM with the backpatch in it.

Prior to that -- well, I don't have any machines running those versions any
more. I stay pretty much on the frontline of things -- not the bleeding edge
of RawHide, but close. I have had the 7.2.93 beta installed, for instance.
I'm even going to get out of the Red Hat 6.2 on SPARC business at some point,
by going to the Aurora version (current Red Hat version ported to SPARC).
6.2 is just old, and iptables on the 2.4 kernel is just too useful.

I guess I _could_ reinstall an OS to provide a security patch -- but methinks
Red Hat would do that as an errata instead. If a patch can be worked up, it
should be passed through those channels. Unless we want to consider rolling
6.5.4, 7.0.4, and 7.1.4 security bugfix releases.

Of course, this is open source, and there's nothing preventing a third party
from forking off and releasing a 6.5.4 bugfix release. But I wouldn't count
on getting core developers interested in it -- the bug is fixed in the
current version, and their time is far better spent on fixing bugs and
developing new features in the current version.

And I'm sure that if someone wanted to volunteer to provide a patchset for
each affected version, Bruce might just apply them, and you might talk Marc
into rolling them up. But good luck doing so. Then I'd be happy building
RPMs out of them -- on my current box. You would then have to rebuild
the RPMs for your box from my src.rpm.

'Upgrade to the next version' is not a good answer, either, particularly since
we don't have a true upgrade path, and the problems that dump/restore
reinstalls have brought to light.

In a similar vein, due to some baroque dependencies, I still have a client
running RedHat 5.2 in production. Not pretty to support. Still at 6.5.3,
too.

We need a better upgrade path, but that's a different discussion.
--
Lamar Owen
WGCR Internet Radio
1 Peter 4:11
