CVE-2013-1899 security issue and limited IP addresses in pg_hba.conf

Started by Noname, about 13 years ago. 4 messages. List: general
#1 Noname
Mads.Tandrup@schneider-electric.com

Hi All

I'm trying to understand the implications of the latest security fix to postgresql [1].

We have a setup where we in pg_hba.conf have limited the allowed IP addresses of the clients. But does anyone know if CVE-2013-1899 allows an arbitrary attacker to use the exploits described in [1]?

We are using PostgreSQL 8.4.

Best regards,
Mads

[1] http://www.postgresql.org/support/security/faq/2013-04-04/

#2 Devrim GÜNDÜZ
devrim@gunduz.org
In reply to: Noname (#1)
Re: CVE-2013-1899 security issue and limited IP addresses in pg_hba.conf

Hi,

pg_hba.conf does not have protection for this security issue.

Regards, Devrim

Mads.Tandrup@schneider-electric.com wrote:

> Hi All
>
> I'm trying to understand the implications of the latest security fix to
> postgresql [1].
>
> We have a setup where we in pg_hba.conf have limited the allowed IP
> addresses of the clients. But does anyone know if CVE-2013-1899 allows
> an arbitrary attacker to use the exploits described in [1]?
>
> We are using PostgreSQL 8.4.
>
> Best regards,
>
> Mads
>
> [1] http://www.postgresql.org/support/security/faq/2013-04-04/

--
Devrim Gündüz

#3 Bruce Momjian
bruce@momjian.us
In reply to: Noname (#1)
Re: CVE-2013-1899 security issue and limited IP addresses in pg_hba.conf

On Thu, Apr 4, 2013 at 06:39:22PM +0200, Mads.Tandrup@schneider-electric.com wrote:

> Hi All
>
> I'm trying to understand the implications of the latest security fix to
> postgresql [1].
>
> We have a setup where we in pg_hba.conf have limited the allowed IP addresses of
> the clients. But does anyone know if CVE-2013-1899 allows an arbitrary attacker
> to use the exploits described in [1]?

Yes, if you were running 9.0+. pg_hba.conf does not limit access
sufficiently, though listen_addresses does.

> We are using PostgreSQL 8.4.

8.4 does not contain the bug.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ It's impossible for everything to be true. +


#4 Noname
Mads.Tandrup@schneider-electric.com
In reply to: Bruce Momjian (#3)
Re: CVE-2013-1899 security issue and limited IP addresses in pg_hba.conf

Hi Bruce.

Didn't catch that in the announcement.
Thanks for clearing out the confusion.

Best regards,
Mads
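
The distinction drawn in reply #3, as an added example that is not part of the thread or of PostgreSQL itself: a small audit helper that reads `listen_addresses` from the text of a postgresql.conf and combines it with the server branch (9.0+ has the bug, 8.4 does not). The function names, result labels and sample configuration are assumptions made for illustration; the thread names no fixed minor releases, so a patched 9.0+ server still lands in an "affected-branch" result.

```python
import re

# postgresql.conf syntax: "name = value"; "=" is optional and the value is
# usually single-quoted. A leading "#" comments the line out.
_SETTING = re.compile(
    r"^\s*listen_addresses\s*=?\s*(?:'([^']*)'|([^\s#]*))", re.IGNORECASE)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
WILDCARD = {"*", "0.0.0.0", "::"}


def listen_addresses(conf_text):
    """Return the effective listen_addresses list (the last setting wins)."""
    value = "localhost"  # PostgreSQL's default when the setting is absent
    for line in conf_text.splitlines():
        m = _SETTING.match(line)
        if m:
            value = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip() for a in value.split(",") if a.strip()]


def assess(version, conf_text):
    """Classify a server the way reply #3 does: the branch decides whether
    the bug exists, and listen_addresses (not pg_hba.conf) decides which
    interfaces accept connections at all."""
    addrs = listen_addresses(conf_text)
    branch = tuple(int(p) for p in version.split(".")[:2])
    if branch < (9, 0):
        return "branch-not-affected", addrs
    if not addrs or all(a.lower() in LOOPBACK for a in addrs):
        return "affected-branch-local-only", addrs
    if any(a in WILDCARD for a in addrs):
        return "affected-branch-all-interfaces", addrs
    return "affected-branch-listed-interfaces", addrs


# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """\
#listen_addresses = 'localhost'   # commented-out default
listen_addresses = '10.0.0.5, 127.0.0.1'  # constructed addresses
port = 5432
"""

if __name__ == "__main__":
    for v in ("8.4.17", "9.1.8"):
        print(v, assess(v, SAMPLE_CONF))
```
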