Thread: location of md5 files ...
WWW team,

Does Otto have a point?

--Josh

-------- Original Message --------
Subject: RE: PostgreSQL 2009-12-14 Security Update
Date: Mon, 14 Dec 2009 12:13:55 -0800
From: Otto Hirr <otto.hirr@olabinc.com>
Reply-To: <otto.hirr@olabinc.com>
To: 'Josh Berkus' <josh@postgresql.org>

Josh,

Something I've thought about for a long time....

Why does one have to go to a "mirror" to get a md5 checksum file. From a "security" perspective, these checksums should simply be listed on the "main" / "authoritative" website, and maybe also available for download from a mirror.

What is to say that a "bad" mirror, changes both the file and the md5 file.... then you have badness... that can not be easily discovered.

Regards,

..Otto

> -----Original Message-----
> From: pgsql-announce-owner@postgresql.org
> [mailto:pgsql-announce-owner@postgresql.org]On Behalf Of Josh Berkus
> Sent: Monday, December 14, 2009 8:27 AM
> To: pgsql-announce@postgresql.org
> Subject: PostgreSQL 2009-12-14 Security Update
>
> The PostgreSQL Project today released minor versions updating all active
> branches of the PostgreSQL object-relational database system, including
> versions 8.4.2, 8.3.9, 8.2.15, 8.1.19, 8.0.23, and 7.4.27. This release
> fixes one moderate-risk and one low-risk security issue: an SSL
> authentication issue, and a privilege escalation issue with expression
> indexes. All PostgreSQL database administrators are urged to update
> your version of PostgreSQL at the earliest opportunity.
>
> There are also 48 other bug fixes in this release, many of which apply
> only to version 8.4, and a few of which are specifically for Windows.
> While these are generally fixes for minor issues, among the changes are:
>
> * Prevent hash index corruption
> * Update time zone data for 9 regions
> * Fix permissions-related startup issue on Windows
> * Prevent server restart if a VACUUM FULL is killed
> * Correct cache initialization startup bug
>
> See the release notes for a full list of changes with details.
>
> As with other minor releases, users are not required to dump and reload
> their database in order to apply this update release; you may simply
> shut down PostgreSQL and update its binaries. However, users who have
> hash indexes will want to run REINDEX after updating in order to repair
> any existing index damage. Users skipping more than one update may need
> to check the release notes for extra, post-update steps.
>
> * Release Notes: http://www.postgresql.org/docs/current/static/release.html
> * Installation Packages: http://www.postgresql.org/download/
> * Source Code: http://www.postgresql.org/ftp/source/
> * Details of Security Issues: http://www.postgresql.org/support/security
>
> The PostgreSQL Global Development Group will stop releasing updates for
> PostgreSQL versions 7.4 and 8.0 after July of 2010. We urge users of
> those versions to start planning to upgrade now.

On Mon, Dec 14, 2009 at 7:23 PM, Josh Berkus <josh@postgresql.org> wrote:
> WWW team,
>
> Does Otto have a point?

Yes. From a security perspective, the md5's are useless when distributed alongside the binaries. That's why I GPG sign my releases of pgAdmin and the MSI installer - no one else can recreate those signatures.

There is potentially some benefit to having them there to allow the user to verify they have a good download though, for example, in the event of an error untarring.

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com

Yes.

Ideally, we should serve up the MD5s from an SSL enabled webserver. Something to think about for the future.

//Magnus

On Mon, Dec 14, 2009 at 20:23, Josh Berkus <josh@postgresql.org> wrote:
> WWW team,
>
> Does Otto have a point?
>
> --Josh

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

Magnus Hagander wrote:
> Yes.
>
> Ideally, we should serve up the MD5s from an SSL enabled webserver.
> Something to think about for the future.

Shouldn't we distribute the MD5 signatures along the release message, which should itself be signed with some appropriate GPG key?

--
Alvaro Herrera http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support

On Mon, Dec 14, 2009 at 8:00 PM, Alvaro Herrera <alvherre@commandprompt.com> wrote:
>> Ideally, we should serve up the MD5s from an SSL enabled webserver.
>> Something to think about for the future.
>
> Shouldn't we distribute the MD5 signatures along the release message,
> which should itself be signed with some appropriate GPG key?

That sounds right to me. Even if it's not signed I can go check the various mail archives to verify that other people saw the same signatures and nobody else complained about a spoofed file.

--
greg

On mån, 2009-12-14 at 17:00 -0300, Alvaro Herrera wrote:
> Magnus Hagander wrote:
> > Yes.
> >
> > Ideally, we should serve up the MD5s from an SSL enabled webserver.
> > Something to think about for the future.
>
> Shouldn't we distribute the MD5 signatures along the release message,
> which should itself be signed with some appropriate GPG key?

Someone was doing this a while ago on their own.

But the usual argument for the md5 files in the past was to catch download mistakes, not security.

On Wednesday 16 December 2009 11:14:22 Peter Eisentraut wrote:
> On mån, 2009-12-14 at 17:00 -0300, Alvaro Herrera wrote:
> > Magnus Hagander wrote:
> > > Yes.
> > >
> > > Ideally, we should serve up the MD5s from an SSL enabled webserver.
> > > Something to think about for the future.
> >
> > Shouldn't we distribute the MD5 signatures along the release message,
> > which should itself be signed with some appropriate GPG key?
>
> Someone was doing this a while ago on their own.
>

Greg Mullane was the one who used to do it.

> But the usual argument for the md5 files in the past was to catch
> download mistakes, not security.

Yes, though it would be nice to see us worry about both.

--
Robert Treat
Conjecture: http://www.xzilla.net
Consulting: http://www.omniti.com

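
The distinction drawn in this thread (a checksum served next to the file catches download mistakes, but only a checksum from an independent, authoritative channel catches a mirror that changed both) is shown below as an added example that is not part of the original messages. The file name, byte strings and function names are constructed for illustration, and the "trusted" manifest stands in for one obtained from the main site or a signed release message.

```python
import hashlib

NAME = "release.tar.gz"  # constructed file name, not a real PostgreSQL artifact

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def make_manifest(name: str, data: bytes) -> str:
    """Produce one md5sum-style line: '<32 hex digits>  <file name>'."""
    return f"{md5_hex(data)}  {name}\n"

def parse_manifest(text: str) -> dict:
    """Parse md5sum-style lines into {file name: lowercase hex digest}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, name = line.strip().partition(" ")
        digest = digest.lower()
        if len(digest) != 32 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name.lstrip(" *")] = digest  # '*' marks binary mode in md5sum
    return entries

def verify(name: str, data: bytes, manifest: str) -> bool:
    """True only if the manifest lists `name` with the digest of `data`."""
    return parse_manifest(manifest).get(name) == md5_hex(data)

def audit(data: bytes, mirror_manifest: str, trusted_manifest: str) -> tuple:
    """Return (passes the mirror's checksum, passes the authoritative checksum)."""
    return (verify(NAME, data, mirror_manifest),
            verify(NAME, data, trusted_manifest))

def scenarios() -> dict:
    genuine = b"constructed bytes standing in for the real tarball"
    tampered = b"constructed bytes standing in for a modified tarball"
    trusted = make_manifest(NAME, genuine)  # e.g. main site or signed mail
    return {
        "honest mirror": audit(genuine, make_manifest(NAME, genuine), trusted),
        "truncated download": audit(genuine[:20], make_manifest(NAME, genuine), trusted),
        "bad mirror": audit(tampered, make_manifest(NAME, tampered), trusted),
    }

if __name__ == "__main__":
    for case, (mirror_ok, trusted_ok) in scenarios().items():
        print(f"{case:20} mirror md5: {mirror_ok!s:5}  authoritative md5: {trusted_ok!s:5}")
```

Only the "bad mirror" case separates the two columns: the mirror's own checksum accepts the modified file, while the independently obtained one rejects it.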