Re: location of md5 files ...
From | Magnus Hagander |
---|---|
Subject | Re: location of md5 files ... |
Date | |
Msg-id | 9837222c0912141159p1458ec10q57afd2834189a414@mail.gmail.com |
In reply to | location of md5 files ... (Josh Berkus <josh@postgresql.org>) |
Responses | Re: location of md5 files ... |
List | pgsql-www |

Yes. Ideally, we should serve up the MD5s from an SSL enabled
webserver. Something to think about for the future.

//Magnus

On Mon, Dec 14, 2009 at 20:23, Josh Berkus <josh@postgresql.org> wrote:
> WWW team,
>
> Does Otto have a point?
>
> --Josh
>
> -------- Original Message --------
> Subject: RE: PostgreSQL 2009-12-14 Security Update
> Date: Mon, 14 Dec 2009 12:13:55 -0800
> From: Otto Hirr <otto.hirr@olabinc.com>
> Reply-To: <otto.hirr@olabinc.com>
> To: 'Josh Berkus' <josh@postgresql.org>
>
> Josh,
>
> Something I've thought about for a long time....
>
> Why does one have to go to a "mirror" to get a md5 checksum file.
> From a "security" perspective, these checksums should simply be
> listed on the "main" / "authoritative" website, and maybe also
> available for download from a mirror.
>
> What is to say that a "bad" mirror, changes both the file and
> the md5 file.... then you have badness... that can not be easily
> discovered.
>
> Regards,
>
> ..Otto
>
>
>
>> -----Original Message-----
>> From: pgsql-announce-owner@postgresql.org
>> [mailto:pgsql-announce-owner@postgresql.org]On Behalf Of Josh Berkus
>> Sent: Monday, December 14, 2009 8:27 AM
>> To: pgsql-announce@postgresql.org
>> Subject: PostgreSQL 2009-12-14 Security Update
>>
>>
>> The PostgreSQL Project today released minor versions updating all active
>> branches of the PostgreSQL object-relational database system, including
>> versions 8.4.2, 8.3.9, 8.2.15, 8.1.19, 8.0.23, and 7.4.27. This release
>> fixes one moderate-risk and one low-risk security issue: an SSL
>> authentication issue, and a privilege escalation issue with expression
>> indexes. All PostgreSQL database administrators are urged to update
>> your version of PostgreSQL at the earliest opportunity.
>>
>> There are also 48 other bug fixes in this release, many of which apply
>> only to version 8.4, and a few of which are specifically for Windows.
>> While these are generally fixes for minor issues, among the changes are:
>>
>> * Prevent hash index corruption
>> * Update time zone data for 9 regions
>> * Fix permissions-related startup issue on Windows
>> * Prevent server restart if a VACUUM FULL is killed
>> * Correct cache initialization startup bug
>>
>> See the release notes for a full list of changes with details.
>>
>> As with other minor releases, users are not required to dump and reload
>> their database in order to apply this update release; you may simply
>> shut down PostgreSQL and update its binaries. However, users who have
>> hash indexes will want to run REINDEX after updating in order to repair
>> any existing index damage. Users skipping more than one update may need
>> to check the release notes for extra, post-update steps.
>>
>> * Release Notes:
>> http://www.postgresql.org/docs/current/static/release.html
>> * Installation Packages: http://www.postgresql.org/download/
>> * Source Code: http://www.postgresql.org/ftp/source/
>> * Details of Security Issues:
> http://www.postgresql.org/support/security
>
> The PostgreSQL Global Development Group will stop releasing updates for
> PostgreSQL versions 7.4 and 8.0 after July of 2010. We urge users of
> those versions to start planning to upgrade now.
>
> ---------------------------(end of broadcast)---------------------------
> -To unsubscribe from this list, send an email to:
>
> pgsql-announce-unsubscribe@postgresql.org
>
>
>
> --
> Sent via pgsql-www mailing list (pgsql-www@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-www
>

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
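
The trust-path point raised in this thread, shown as an added example that is not part of the original messages or of any PostgreSQL tooling: a checksum only detects a changed file when the checksum list comes from a different, trusted source than the file. The file name, byte strings and function names are constructed for illustration, and the md5sum-style line format (`<hex digest>  <file name>`) is an assumption about the md5 files being discussed.

```python
import hashlib
import hmac
import string

def parse_md5_file(text):
    """Parse md5sum-style lines ('<32 hex>  <name>') into {name: digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # md5sum marks binary mode with '*'
        if len(digest) != 32 or not name or set(digest) - set(string.hexdigits):
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums

def verify(name, data, md5_text):
    """True only if data hashes to the digest that md5_text lists for name."""
    expected = parse_md5_file(md5_text).get(name)
    if expected is None:
        return False  # file not listed: treat as unverified, never as OK
    return hmac.compare_digest(hashlib.md5(data).hexdigest(), expected)

def md5_line(name, data):
    """Build one checksum-file line for the constructed samples below."""
    return f"{hashlib.md5(data).hexdigest()}  {name}\n"

# Constructed sample data (not real release artifacts).
NAME = "example-release.tar.gz"
GENUINE = b"bytes of the genuine tarball"
ALTERED = b"bytes of a tarball changed on a bad mirror"
MAIN_SITE_MD5 = md5_line(NAME, GENUINE)  # list published by the main site
MIRROR_MD5 = md5_line(NAME, ALTERED)     # mirror changed the md5 file too

def compare_trust_paths():
    """Check the same download against each possible checksum source."""
    return {
        "altered file, md5 from same mirror": verify(NAME, ALTERED, MIRROR_MD5),
        "altered file, md5 from main site": verify(NAME, ALTERED, MAIN_SITE_MD5),
        "genuine file, md5 from main site": verify(NAME, GENUINE, MAIN_SITE_MD5),
    }

if __name__ == "__main__":
    for case, ok in compare_trust_paths().items():
        print(f"{case}: {'passes' if ok else 'FAILS'}")
```

The first case passes verification even though the file was changed, which is the undetectable situation described in the quoted message; the same file fails once the checksum list is taken from the main site.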