[OPEN-ILS-GENERAL] Heads-up: PostgreSQL security release coming on April 4, 2013

Galen Charlton gmc at esilibrary.com
Thu Apr 4 15:06:25 EDT 2013


Hi,

On Fri, Mar 29, 2013 at 4:13 PM, Dan Scott <dan at coffeecode.net> wrote:
> As Evergreen is built with PostgreSQL at the core, the following
> PostgreSQL news announcement should be of concern to Evergreen
> administrators:
>
> """
> Upcoming PostgreSQL Security Release: April 4, 2013

The PostgreSQL security release was made earlier today.

http://www.postgresql.org/about/news/1456/

An FAQ about the security release can be found at:

http://www.postgresql.org/support/security/faq/2013-04-04/

The security flaw can be exploited by an attacker that has access to
the PostgreSQL port, which is typically 5432.

Evergreen DBAs should plan on upgrading promptly, but I would
particularly like to reiterate a long-standing recommendation for
securing PostgreSQL databases: the database service port should never
be exposed to untrusted networks.  If you can't upgrade right away,
please at least make sure that port 5432 is not exposed outside the
confines of your Evergreen cluster and any trusting reporting tools.

Please also note that using pg_hba.conf to restrict access to
specified IP addresses is NOT sufficient.  If an attacker can open a
connection to port 5432, they can take advantage of the security
issue.

Regards,

Galen
--
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email:  gmc at esilibrary.com
direct: +1 770-709-5581
cell:   +1 404-984-4366
skype:  gmcharlt
web:    http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org &
http://evergreen-ils.org
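As an added example (not from Galen's message or the Evergreen project), the following POSIX shell helper audits the exposure point the message warns about: it reads the effective listen_addresses from a postgresql.conf, classifies whether port 5432 is reachable beyond loopback, and emits host-firewall rules that limit the port to the cluster. CLUSTER_CIDRS, the config file contents and the use of iptables are assumptions for the demo.

```shell
#!/bin/sh
# Audit helper for the advice above: the database port must be firewalled,
# because pg_hba.conf only filters after a TCP connection is already open.
PG_PORT=5432
CLUSTER_CIDRS="10.0.0.0/24 10.0.1.5/32"   # assumed: Evergreen app/reporting hosts

# listen_addresses_from CONFIG_FILE -> prints the effective listen_addresses.
# Last uncommented setting wins (as PostgreSQL does); default is 'localhost'.
listen_addresses_from() {
    val=$(sed -n "s/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-localhost}"
}

# exposure_class LISTEN_ADDRESSES -> "loopback" or "network".
# Anything other than a pure loopback value means the port is reachable
# from the network and a host firewall rule is required.
exposure_class() {
    case "$1" in
        localhost|127.0.0.1|::1|'') echo loopback ;;
        *) echo network ;;
    esac
}

# firewall_rules -> iptables rules allowing PG_PORT only from CLUSTER_CIDRS,
# dropping every other source (regardless of what pg_hba.conf says).
firewall_rules() {
    for cidr in $CLUSTER_CIDRS; do
        echo "iptables -A INPUT -p tcp --dport $PG_PORT -s $cidr -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $PG_PORT -j DROP"
}

# Demo on a constructed postgresql.conf (not a real server's file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
#listen_addresses = 'localhost'
listen_addresses = '*'          # typical for a multi-host Evergreen cluster
port = 5432
EOF
addrs=$(listen_addresses_from "$demo_conf")
echo "listen_addresses=$addrs -> $(exposure_class "$addrs")"
[ "$(exposure_class "$addrs")" = network ] && firewall_rules
rm -f "$demo_conf"
```

Run it against the real file (for example `listen_addresses_from /etc/postgresql/9.2/main/postgresql.conf`) and apply the emitted rules only after confirming the CIDR list covers every cluster and reporting host.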
