Thread: Postgres Security Patches Question
Hi Team,
We have a question related to security patches.
Following is our server specification:-
OS-RedHat 7
Postgres – 9.3 (planning to upgrade to 11.2) and 11.2
We have installed postgres using source code and moved postgres data, config and share default install directories to custom directories/mount points. If there is any security patch that need to apply on postgres database in future, 1. Would security patch available in form of source code/zip file OR do we have to apply it using rpm? 2. If rpm, would it be possible to install security patch on postgres custom directories through RPM? 3. Any caveat that we need to aware about?
Any help here would be really appreciated.
Regards,
Prashant
On 4/24/19 7:30 AM, Patil, Prashant wrote: > Hi Team, > > We have a question related to security patches. > > Following is our server specification:- > > OS-RedHat 7 > > Postgres – 9.3 (planning to upgrade to 11.2) and 11.2 > > We have installed postgres using source code and moved postgres data, > config and share default install directories to custom directories/mount > points. If there is any security patch that need to apply on postgres > database in future, 1. Would security patch available in form of source > code/zip file OR do we have to apply it using rpm? 2. If rpm, would it > be possible to install security patch on postgres custom directories > through RPM? 3. Any caveat that we need to aware about? > > Any help here would be really appreciated. AFAIK the patches are not released separately. In your case you would need to download the new patched complete source and rebuild it. > > Regards, > > Prashant > > This email may contain confidential or privileged material. Use or > disclosure of it by anyone other than the recipient is unauthorized. If > you are not an intended recipient, please delete this email. -- Adrian Klaver adrian.klaver@aklaver.com
Thanks Adrian for quick reply. So what would be best options here to apply security patches? Using RPM? Regards, Prashant -----Original Message----- From: Adrian Klaver <adrian.klaver@aklaver.com> Sent: Wednesday, April 24, 2019 10:38 AM To: Patil, Prashant <Prashant.Patil@crowncastle.com>; security@postgresql.org; pgsql-general@lists.postgresql.org; pgsql-general-owner@lists.postgresql.org Subject: Re: Postgres Security Patches Question CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognizethe sender and know the content is safe. On 4/24/19 7:30 AM, Patil, Prashant wrote: > Hi Team, > > We have a question related to security patches. > > Following is our server specification:- > > OS-RedHat 7 > > Postgres - 9.3 (planning to upgrade to 11.2) and 11.2 > > We have installed postgres using source code and moved postgres data, > config and share default install directories to custom > directories/mount points. If there is any security patch that need to > apply on postgres database in future, 1. Would security patch > available in form of source code/zip file OR do we have to apply it > using rpm? 2. If rpm, would it be possible to install security patch > on postgres custom directories through RPM? 3. Any caveat that we need to aware about? > > Any help here would be really appreciated. AFAIK the patches are not released separately. In your case you would need to download the new patched complete source andrebuild it. > > Regards, > > Prashant > > This email may contain confidential or privileged material. Use or > disclosure of it by anyone other than the recipient is unauthorized. > If you are not an intended recipient, please delete this email. -- Adrian Klaver adrian.klaver@aklaver.com This email may contain confidential or privileged material. Use or disclosure of it by anyone other than the recipient isunauthorized. If you are not an intended recipient, please delete this email.
[ removing security list, since this is not a security bug report ]
Adrian Klaver <adrian.klaver@aklaver.com> writes:
> On 4/24/19 7:30 AM, Patil, Prashant wrote:
>> ... If there is any security patch that need to apply on postgres
>> database in future, 1. Would security patch available in form of source
>> code/zip file OR do we have to apply it using rpm? 2. If rpm, would it
>> be possible to install security patch on postgres custom directories
>> through RPM? 3. Any caveat that we need to aware about?
> AFAIK the patches are not released separately. In your case you would
> need to download the new patched complete source and rebuild it.
We do not release security patches separately, and are not interested
in doing so. Two points you might wish to consider:
* Security patches are not tested standalone, only on top of the complete
patch-series-to-date. There's no certainty they'd even apply to an
earlier snapshot, let alone work as intended.
* For most database installations, data-loss-risk bugs are at least
as important as "security" bugs, maybe more so. The vast majority
of the things we label security bugs are privilege escalation problems
accessible to someone who is already able to log into the database and
execute arbitrary SQL. But few installations have untrusted users
connecting directly to the database, so these sorts of bug fixes are
really just limiting the possible effects of any security loopholes
(e.g. SQL-injection bugs) you may have in your applications. Which is a
good thing surely, but it pales compared to "this bug might corrupt all
your data".
The PG community's recommendation is that you install new minor releases
in toto. Anybody who thinks it's better to just cherry-pick "security"
patches doesn't understand the realities of database work.
regards, tom lane
Thanks Tom. So since security patches is not release separately, they are part of minor releases. Is this correct
statement?
If they are part minor releases, we need to download source code for that release and perform upgrade and while
performingupgrade, we can point install directories to our custom data/config directories RIGHT?
Regards,
Prashant
-----Original Message-----
From: Tom Lane <tgl@sss.pgh.pa.us>
Sent: Wednesday, April 24, 2019 10:58 AM
To: Adrian Klaver <adrian.klaver@aklaver.com>
Cc: Patil, Prashant <Prashant.Patil@crowncastle.com>; pgsql-general@lists.postgresql.org
Subject: Re: Postgres Security Patches Question
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you
recognizethe sender and know the content is safe.
[ removing security list, since this is not a security bug report ]
Adrian Klaver <adrian.klaver@aklaver.com> writes:
> On 4/24/19 7:30 AM, Patil, Prashant wrote:
>> ... If there is any security patch that need to apply on postgres
>> database in future, 1. Would security patch available in form of
>> source code/zip file OR do we have to apply it using rpm? 2. If rpm,
>> would it be possible to install security patch on postgres custom
>> directories through RPM? 3. Any caveat that we need to aware about?
> AFAIK the patches are not released separately. In your case you would
> need to download the new patched complete source and rebuild it.
We do not release security patches separately, and are not interested in doing so. Two points you might wish to
consider:
* Security patches are not tested standalone, only on top of the complete patch-series-to-date. There's no certainty
they'deven apply to an earlier snapshot, let alone work as intended.
* For most database installations, data-loss-risk bugs are at least as important as "security" bugs, maybe more so.
Thevast majority of the things we label security bugs are privilege escalation problems accessible to someone who is
alreadyable to log into the database and execute arbitrary SQL. But few installations have untrusted users connecting
directlyto the database, so these sorts of bug fixes are really just limiting the possible effects of any security
loopholes(e.g. SQL-injection bugs) you may have in your applications. Which is a good thing surely, but it pales
comparedto "this bug might corrupt all your data".
The PG community's recommendation is that you install new minor releases in toto. Anybody who thinks it's better to
justcherry-pick "security"
patches doesn't understand the realities of database work.
regards, tom lane
This email may contain confidential or privileged material. Use or disclosure of it by anyone other than the recipient
isunauthorized. If you are not an intended recipient, please delete this email.
On 2019-Apr-24, Patil, Prashant wrote: > Thanks Tom. So since security patches is not release separately, they > are part of minor releases. Is this correct statement? It is correct. > If they are part minor releases, we need to download source code for > that release and perform upgrade and while performing upgrade, we can > point install directories to our custom data/config directories RIGHT? The install directories don't have to care where your data/config directories and files are. Only your start scripts have to. You can just stop the database, install the new binaries on top of the previous ones, start the database. -- Álvaro Herrera https://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
On 4/24/19 8:09 AM, Patil, Prashant wrote: > Thanks Tom. So since security patches is not release separately, they are part of minor releases. Is this correct statement? Yes. See below for the reasoning and schedule: https://www.postgresql.org/support/versioning/ https://www.postgresql.org/developer/roadmap/ > > If they are part minor releases, we need to download source code for that release and perform upgrade and while performingupgrade, we can point install directories to our custom data/config directories RIGHT? > > Regards, > Prashant > > -----Original Message----- > From: Tom Lane <tgl@sss.pgh.pa.us> > Sent: Wednesday, April 24, 2019 10:58 AM > To: Adrian Klaver <adrian.klaver@aklaver.com> > Cc: Patil, Prashant <Prashant.Patil@crowncastle.com>; pgsql-general@lists.postgresql.org > Subject: Re: Postgres Security Patches Question > > > CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognizethe sender and know the content is safe. > > > [ removing security list, since this is not a security bug report ] > > Adrian Klaver <adrian.klaver@aklaver.com> writes: >> On 4/24/19 7:30 AM, Patil, Prashant wrote: >>> ... If there is any security patch that need to apply on postgres >>> database in future, 1. Would security patch available in form of >>> source code/zip file OR do we have to apply it using rpm? 2. If rpm, >>> would it be possible to install security patch on postgres custom >>> directories through RPM? 3. Any caveat that we need to aware about? > >> AFAIK the patches are not released separately. In your case you would >> need to download the new patched complete source and rebuild it. > > We do not release security patches separately, and are not interested in doing so. Two points you might wish to consider: > > * Security patches are not tested standalone, only on top of the complete patch-series-to-date. There's no certainty they'deven apply to an earlier snapshot, let alone work as intended. > > * For most database installations, data-loss-risk bugs are at least as important as "security" bugs, maybe more so. Thevast majority of the things we label security bugs are privilege escalation problems accessible to someone who is alreadyable to log into the database and execute arbitrary SQL. But few installations have untrusted users connecting directlyto the database, so these sorts of bug fixes are really just limiting the possible effects of any security loopholes(e.g. SQL-injection bugs) you may have in your applications. Which is a good thing surely, but it pales comparedto "this bug might corrupt all your data". > > The PG community's recommendation is that you install new minor releases in toto. Anybody who thinks it's better to justcherry-pick "security" > patches doesn't understand the realities of database work. > > regards, tom lane > This email may contain confidential or privileged material. Use or disclosure of it by anyone other than the recipientis unauthorized. If you are not an intended recipient, please delete this email. > -- Adrian Klaver adrian.klaver@aklaver.com