Re: location of md5 files ...

Yes.

Ideally, we should serve up the MD5s from an SSL enabled webserver.
Something to think about for the future.

//Magnus


On Mon, Dec 14, 2009 at 20:23, Josh Berkus <josh@postgresql.org> wrote:
> WWW team,
>
> Does Otto have a point?
>
> --Josh
>
> -------- Original Message --------
> Subject: RE: PostgreSQL 2009-12-14 Security Update
> Date: Mon, 14 Dec 2009 12:13:55 -0800
> From: Otto Hirr <otto.hirr@olabinc.com>
> Reply-To: <otto.hirr@olabinc.com>
> To: 'Josh Berkus' <josh@postgresql.org>
>
> Josh,
>
> Something I've thought about for a long time....
>
> Why does one have to go to a "mirror" to get a md5 checksum file.
> From a "security" perspective, these checksums should simply be
> listed on the "main" / "authoritative" website, and maybe also
> available for download from a mirror.
>
> What is to say that a "bad" mirror, changes both the file and
> the md5 file.... then you have badness... that can not be easily
> discovered.
>
> Regards,
>
> ..Otto
>
>
>
>> -----Original Message-----
>> From: pgsql-announce-owner@postgresql.org
>> [mailto:pgsql-announce-owner@postgresql.org]On Behalf Of Josh Berkus
>> Sent: Monday, December 14, 2009 8:27 AM
>> To: pgsql-announce@postgresql.org
>> Subject: PostgreSQL 2009-12-14 Security Update
>>
>>
>> The PostgreSQL Project today released minor versions updating
>> all active
>> branches of the PostgreSQL object-relational database system,
>> including
>> versions 8.4.2, 8.3.9, 8.2.15, 8.1.19, 8.0.23, and 7.4.27.
>> This release
>> fixes one moderate-risk and one low-risk security issue: an SSL
>> authentication issue, and a privilege escalation issue with expression
>> indexes.  All PostgreSQL database administrators are urged to update
>> your version of PostgreSQL at the earliest opportunity.
>>
>> There are also 48 other bug fixes in this release, many of which apply
>> only to version 8.4, and a few of which are specifically for Windows.
>> While these are generally fixes for minor issues, among the
>> changes are:
>>
>> * Prevent hash index corruption
>> * Update time zone data for 9 regions
>> * Fix permissions-related startup issue on Windows
>> * Prevent server restart if a VACUUM FULL is killed
>> * Correct cache initialization startup bug
>>
>> See the release notes for a full list of changes with details.
>>
>> As with other minor releases, users are not required to dump
>> and reload
>> their database in order to apply this update release; you may simply
>> shut down PostgreSQL and update its binaries.  However, users who have
>> hash indexes will want to run REINDEX after updating in order
>> to repair
>> any existing index damage.  Users skipping more than one
>> update may need
>> to check the release notes for extra, post-update steps.
>>
>> * Release Notes:
>>   http://www.postgresql.org/docs/current/static/release.html
>> * Installation Packages: http://www.postgresql.org/download/
>> * Source Code: http://www.postgresql.org/ftp/source/
>> * Details of Security Issues:
> http://www.postgresql.org/support/security
>
> The PosgreSQL Global Development Group will stop releasing updates for
> PostgreSQL versions 7.4 and 8.0 after July of 2010.  We urge users of
> those versions to start planning to upgrade now.
>
> ---------------------------(end of broadcast)---------------------------
> -To unsubscribe from this list, send an email to:
>
>               pgsql-announce-unsubscribe@postgresql.org
>
>
>
> --
> Sent via pgsql-www mailing list (pgsql-www@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-www
>



-- Magnus HaganderMe: http://www.hagander.net/Work: http://www.redpill-linpro.com/