Discussion: Postgresql packages in Solaris


Postgresql packages in Solaris

From
Paul Baker
Date:
All,

I received this question from a customer yesterday (below), and unfortunately I do not have the answer.  Please let us know if you know the answer, it would be greatly appreciated...
 
"What we are trying to figure out is if removing the packages SUNWpostgr-83-devel, SUNWpostgr-83-pl, SUNWpostgr-devel, SUNWpostgr-pl will cause any harm to our systems. For example, in the PDF that you sent yesterday, it states that package SUNWpostgr-pl is part of the core server package. 

I am not sure as to what the core server package is, but when you try to remove those packages from prodreg it gives about 2 or 3 warnings on the performing the action. 

Just to be on the cautious side, we want to verify that removing those packages will not have any negative impact on our systems. The reasons behind wanting to perform these actions are CVE-2010-1169, CVE-2010-1170, and CVE-2010-1447."


Thank You,
Paul


--
paul.r.baker@oracle.com

Paul Robert Baker | Technical Sales Consultant
Phone: +1 6506073686 | Mobile: +1 5103058037
Oracle Direct
10 Twin Dolphins Drive | Redwood Shores, California 94065


Re: Postgresql packages in Solaris

From
John R Pierce
Date:
Paul Baker wrote:
> All,
>
> I received this question from a customer yesterday (below), and unfortunately I do not have the answer.  Please let
> us know if you know the answer, it would be greatly appreciated...
>
> "What we are trying to figure out is if removing the packages SUNWpostgr-83-devel, SUNWpostgr-83-pl,
> SUNWpostgr-devel, SUNWpostgr-pl will cause any harm to our systems. For example, in the PDF that you sent yesterday, it
> states that package SUNWpostgr-pl is part of the core server package.
>
> I am not sure as to what the core server package is, but when you try to remove those packages from prodreg it gives
> about 2 or 3 warnings on the performing the action.
>
> Just to be on the cautious side, we want to verify that removing those packages will not have any negative impact on
> our systems. The reasons behind wanting to perform these actions are CVE-2010-1169, CVE-2010-1170, and CVE-2010-1447."
>

if the customer is using a Solaris supplied version of PostgreSQL,
removing it would cause them a significant amount of grief.   If they
aren't, AFAIK, nothing else built into Solaris uses it.   If they aren't
using Postgres, and they haven't enabled and configured the service,
those CVEs wouldn't matter.   Even if the customer is using Postgres,
if they don't give untrusted users direct database access, those CVEs
have zero impact.

It appears (using the public Sunsolve patchfinder) that the newest
version of PostgreSQL 8.3 that Sun has a patch for is 8.3.9 (138826-06
or 138827-06),  while 8.3.11 has been out for about a month now, and
fixes these CVEs.



(note, I'm just a random subscriber to the pgsql-general email list who
happens to occasionally use Solaris, and even runs PostgreSQL on it, so
I speak for no one official)


Re: Postgresql packages in Solaris

From
Scott Marlowe
Date:
On Thu, Jun 10, 2010 at 9:46 AM, Paul Baker <paul.r.baker@oracle.com> wrote:
>
> All,
>
> I received this question from a customer yesterday (below), and unfortunately I do not have the answer.  Please let
> us know if you know the answer, it would be greatly appreciated...
>
> "What we are trying to figure out is if removing the packages SUNWpostgr-83-devel, SUNWpostgr-83-pl,
> SUNWpostgr-devel, SUNWpostgr-pl will cause any harm to our systems. For example, in the PDF that you sent yesterday, it
> states that package SUNWpostgr-pl is part of the core server package.
>
> I am not sure as to what the core server package is, but when you try to remove those packages from prodreg it gives
> about 2 or 3 warnings on the performing the action.
>
> Just to be on the cautious side, we want to verify that removing those packages will not have any negative impact on
> our systems. The reasons behind wanting to perform these actions are CVE-2010-1169, CVE-2010-1170, and CVE-2010-1447."

1: Do you use pl/perl and pl/tcl? (these only affect them)
2: Is there not an updated pgsql 83 package for Solaris yet to fix this?
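A way to answer Scott's first question on a running server, and to see whether the installed 8.3 build predates 8.3.11 (the release John names as fixing these CVEs). This is an added example, not code from the thread; it assumes psql is in PATH and can connect as the invoking user, and only touches a live server when PGCHECK_LIVE=1 is set.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks two things the replies ask
# about: is the server an 8.3 release older than 8.3.11 (the version the
# thread cites as fixing CVE-2010-1169, CVE-2010-1170 and CVE-2010-1447), and
# are pl/perl or pl/tcl actually installed in any database? Assumption: psql
# is in PATH; the live queries run only when PGCHECK_LIVE=1 is set.

# Returns 0 when "major.minor[.patch]" is an 8.3 release older than 8.3.11.
# Other major lines return 1 (they are out of scope for this check).
pg83_needs_fix() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    major=$1; minor=$2; patch=${3:-0}
    [ "$major" -eq 8 ] && [ "$minor" -eq 3 ] && [ "$patch" -lt 11 ]
}

# Filters a newline-separated list of pg_language.lanname values down to the
# languages the CVEs concern (trusted and untrusted variants of each).
affected_langs() {
    printf '%s\n' "$1" | grep -E '^(plperl|plperlu|pltcl|pltclu)$' || true
}

# Constructed sample of what `psql -tAc "select lanname from pg_language"`
# prints for a database where both pl/perl and pl/tcl have been created.
SAMPLE_LANGS='internal
c
sql
plpgsql
plperl
pltcl'

# Live check across every non-template database (assumption: psql in PATH).
if [ "${PGCHECK_LIVE:-0}" = 1 ]; then
    ver=$(psql -tAc 'show server_version' -d postgres)
    if pg83_needs_fix "$ver"; then
        echo "server $ver is older than 8.3.11: patch before relying on pl/perl or pl/tcl"
    fi
    for db in $(psql -tAc 'select datname from pg_database where not datistemplate' -d postgres); do
        found=$(affected_langs "$(psql -tAc 'select lanname from pg_language' -d "$db")")
        if [ -n "$found" ]; then
            echo "$db has affected languages: $(printf '%s ' $found)"
        fi
    done
fi
```

A database that lists none of the four languages is not exposed to these CVEs even on an unpatched build; one that does list them should be patched before untrusted users keep direct access.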

Re: Postgresql packages in Solaris

From
Scott Marlowe
Date:
On Thu, Jun 10, 2010 at 2:35 PM, John R Pierce <pierce@hogranch.com> wrote:
> It appears (using the public Sunsolve patchfinder) that the newest version
> of PostgreSQL 8.3 that Sun has a patch for is 8.3.9 (138826-06 or
> 138827-06),  while 8.3.11 has been out for about a month now, and fixes
> these CVEs.

Note that up to date binaries are provided on the postgresql.org site:

http://www.postgresql.org/ftp/binary/

Re: Postgresql packages in Solaris

From
John R Pierce
Date:
Scott Marlowe wrote:
> On Thu, Jun 10, 2010 at 2:35 PM, John R Pierce <pierce@hogranch.com> wrote:
>
>> It appears (using the public Sunsolve patchfinder) that the newest version
>> of PostgreSQL 8.3 that Sun has a patch for is 8.3.9 (138826-06 or
>> 138827-06),  while 8.3.11 has been out for about a month now, and fixes
>> these CVEs.
>>
>
> Note that up to date binaries are provided on the postgresql.org site:
>
> http://www.postgresql.org/ftp/binary/
>
>

I'm not sure they are a drop-in replacement/update for the
Sun-err-Oracle packages, however.   For one thing, they didn't provide
the SMF service manifests last time I looked.




Re: Postgresql packages in Solaris

From
Scott Marlowe
Date:
On Thu, Jun 10, 2010 at 3:29 PM, John R Pierce <pierce@hogranch.com> wrote:
> Scott Marlowe wrote:
>>
>> On Thu, Jun 10, 2010 at 2:35 PM, John R Pierce <pierce@hogranch.com>
>> wrote:
>>
>>>
>>> It appears (using the public Sunsolve patchfinder) that the newest
>>> version
>>> of PostgreSQL 8.3 that Sun has a patch for is 8.3.9 (138826-06 or
>>> 138827-06),  while 8.3.11 has been out for about a month now, and fixes
>>> these CVEs.
>>>
>>
>> Note that up to date binaries are provided on the postgresql.org site:
>>
>> http://www.postgresql.org/ftp/binary/
>>
>>
>
> I'm not sure they are a drop-in replacement/update for the Sun-err-Oracle
> packages, however.   For one thing, they didn't provide the SMF service
> manifests last time I looked.

That's a shame.  Not as big a shame as Oracle / Sun not being able to
provide timely updates (ahem) but still a shame.