* Ludwig Nussel wrote on Tue, Mar 27, 2012 at 13:32 +0200:
> Steffen Dettmer wrote:
> > The problem can be reproduced for example with version 8.1-415 (released 2010-05-11), which still can be downloaded from the official download location (although in the 'Archived Section'); however, this version is included in Linux distributions that are still supported (for example SuSE Linux Enterprise Edition with long-term support).
> The SLE11 package claims to be version 8.1. However, AFAICS it actually packages 8.2-506. Did you already check whether 8.2-512 has the problem fixed?

I think it is not affected, but we stopped further checking after:

* security@postgresql.org:
> Reporting a security bug against anything that's not current or supported is pointless.

What a pity, but if no one cares, why should we do...

> > [...] Possible fix or workaround:
> > Do not use PostgreSQL JDBC driver version 8.1 but upgrade to the most recent version. If the distribution offers no suited package
> Actually, better complain to the security team of the distro first and ask why there is no update :-)

Yes, I reported it non-publicly first via pg-security, but the maintainers told me it is old and you must only use the latest JDBC driver (which, IMHO, isn't even documented that clearly). In the end I only had to apologize for bothering; there was no interest in passing the information on or clarifying the documentation, not to mention patching it. I admit I was surprised by such disinterest, so I mailed some lists, but it seems most didn't deliver (because of the attachment?).

> In this case no one knew that there is an SQL injection, and AFAICT upstream didn't flag any updates as security relevant, so no CVE was assigned either.

It is not true that no one knew. I wrote heaps of mails and invested a lot of time to tell the responsible persons and tried to push some advisory. I don't know how to assign a CVE, so I informed the official channel according to the PostgreSQL website, especially to avoid someone being able to say "no one knew" before I published publicly:

* Steffen to security@postgresql.org, March 22nd:
> (I just want to avoid someone ranting at me about not giving vendors a chance to fix, instead of publishing a "0day", so I'd like to include an "official" statement like "vendor notified xx.xx.xxxx")

Seems I failed even on that...

> PS: better use security@suse.de to reach the SUSE security team. opensuse-security@opensuse.org is a discussion list.

ok, thank you for the information.

oki,
Steffen

--
This message was generated by machine; it therefore bears neither signature nor seal.