Обсуждение: [Bug] Server Crash, possible security exploit, where to send security report?
[Bug] Server Crash, possible security exploit, where to send security report?
От
"Francisco Figueiredo Jr."
Дата:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, while playing with Npgsql I faced an strange behavior of Postgresql server. I have all the details of it and I thought it could be a severe security exploit, so I don't send it in clear to this mailing list directly as, I think, anybody with this information could Dos postgresql servers. Please, send me information to where/who I should send the details in order this can be fixed as soon as possible. This is the log I get when I receive the problem. I think that as server is killing all processes, any client which can do that can kill all client connections to that server. That's why I think it is very dangerous. DEBUG: server process (PID 2874) was terminated by signal 11 LOG: server process (PID 2874) was terminated by signal 11 LOG: terminating any other active server processes DEBUG: sending SIGQUIT to process 2111 DEBUG: sending SIGQUIT to process 2112 LOG: all server processes terminated; reinitializing LOG: database system was interrupted at 2005-12-12 17:54:12 BRST LOG: checkpoint record is at 0/38E290 LOG: redo record is at 0/38E290; undo record is at 0/0; shutdown TRUE LOG: next transaction ID: 619; next OID: 24576 LOG: next MultiXactId: 1; next MultiXactOffset: 0 LOG: database system was not properly shut down; automatic recovery in progress LOG: record with zero length at 0/38E2D4 LOG: redo is not required LOG: database system is ready LOG: transaction ID wrap limit is 2147484148, limited by database "postgres" - -- Regards, Francisco Figueiredo Jr. Npgsql Lead Developer http://www.pgfoundry.org/projects/npgsql MonoBrasil Project Founder Member http://monobrasil.softwarelivre.org - ------------- "Science without religion is lame; religion without science is blind." ~ Albert Einstein -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEVAwUBQ53c8f7iFmsNzeXfAQIIhgf9ENy4JADnkmkTzvegHtLjOxv9Qc7Tc5nr z3uHOS3cV+I/0x6iu+DFu27uioCZV+/n8kuhNCE7r7q5kfIXu/NFRF2sULacH2bf qT1oeL9IxB1DH/MStPADZAXNaDqvuKBOacACHjjisOFalOBFuymjpVMI+idsKptK gmZT3I3qrsTvkGjPCnsSML7vHerJKXSkhew1yPLzg/V0qx+S36q0A6aR0pUNAnLV Js6k2bmTEZSljt7BXIR9ISrw2CA4UG71C/njGt+RFX8P1d0aXrMG5zClAd42aKsB Gy4A4CBbNHCiP8BuSd01VIdzyZbbvMI9qkP/4/7Gdaym3MbAN0UMzQ== =A0iI -----END PGP SIGNATURE----- _______________________________________________________ Yahoo! doce lar. Faça do Yahoo! sua homepage. http://br.yahoo.com/homepageset.html
Re: [Bug] Server Crash, possible security exploit, where to send security report?
От
Martijn van Oosterhout
Дата:
On Mon, Dec 12, 2005 at 06:26:25PM -0200, Francisco Figueiredo Jr. wrote: > > > > Hi all, > > while playing with Npgsql I faced an > strange behavior of Postgresql server. > > > I have all the details of it and I thought it could be a severe security > exploit, so I don't send it in clear to this mailing list directly as, I > think, anybody with this information could Dos postgresql servers. Well, you're not giving any details but if you can cause the server to dump core in a standard installation, we're interested. You didn't specify your version BTW. Here has instructions, including for security related stuff: http://www.postgresql.org/docs/current/static/bug-reporting.html Have a nice day, -- Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/ > Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a > tool for doing 5% of the work and then sitting around waiting for someone > else to do the other 95% so you can sue them.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Martijn van Oosterhout wrote: > On Mon, Dec 12, 2005 at 06:26:25PM -0200, Francisco Figueiredo Jr. wrote: > > Well, you're not giving any details but if you can cause the server to > dump core in a standard installation, we're interested. You didn't > specify your version BTW. > Hi Martijn. Sorry for giving so little information. I was afraid that any other info I could say here could be used later. I just sent the message as specified in bug writing. I should have searched the manual before posting here :) Thanks for info. The postgresql version I first saw this problem was 8.0.3. I downloaded and tested it with 8.1.0 and it also showed the problem. > Here has instructions, including for security related stuff: > http://www.postgresql.org/docs/current/static/bug-reporting.html > > Have a nice day, Thank you very much Martijn. - -- Regards, Francisco Figueiredo Jr. Npgsql Lead Developer http://www.pgfoundry.org/projects/npgsql MonoBrasil Project Founder Member http://monobrasil.softwarelivre.org - ------------- "Science without religion is lame; religion without science is blind." ~ Albert Einstein -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEVAwUBQ577Mf7iFmsNzeXfAQJoCAgAm0B/ZkQK5ujvMrjdKEThLB7dEaC+39Vi +edJvz+/czkfEbFnochgSR3p0j2W2A742RBXtRiVwB0zS35lEAjeouEaOIte73JB j3h/qSOaJEerCKaaKx3DGEhf7iHlQQHQLv+hOoDdZNU9sP/ohwV2x/RU0K+XhDxD vVpWn4SjDrZzmnV4Kn1FWlxNQ3BqJCjjXSIkNYtTuyJdg8T/wLFp63/RMMl0QfpT 2LYPuAb57MPNht0saPXb2T7zolJNKOQJQ08kTBQ3skdh/dbN2k350LnXbcGfs7hg itC1wlFhkHAZEbFOqLI+dYa6+vfHFtPS7YJSDp8v4kCpQXmkAZrqjQ== =xbU7 -----END PGP SIGNATURE----- _______________________________________________________ Yahoo! doce lar. Faça do Yahoo! sua homepage. http://br.yahoo.com/homepageset.html
> > Hi all, > > while playing with Npgsql I faced an > strange behavior of Postgresql server. > > > I have all the details of it and I thought it could be a severe security > exploit, so I don't send it in clear to this mailing list directly as, I > think, anybody with this information could Dos postgresql servers. > > > Please, send me information to where/who I should send the details in > order this can be fixed as soon as possible. > > http://www.postgresql.org/support/security.html -- regards, Jaime Casanova (DBA: DataBase Aniquilator ;)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Martijn van Oosterhout wrote: > On Mon, Dec 12, 2005 at 06:26:25PM -0200, Francisco Figueiredo Jr. wrote: >> >> Hi all, Yesterday I received a reply from Tom Lane who confirmed the bug and promptly replied me with a patch!! :) Thank you very much all for helping me with that. - -- Regards, Francisco Figueiredo Jr. Npgsql Lead Developer http://www.pgfoundry.org/projects/npgsql MonoBrasil Project Founder Member http://monobrasil.softwarelivre.org - ------------- "Science without religion is lame; religion without science is blind." ~ Albert Einstein -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEUAwUBQ6BKlv7iFmsNzeXfAQLDbQf2O3pVPbVSCLVVBBKn2rOpx5hhDBVcqC3B LhuPJ5hIPAoxT4MPWfunOCIWYWw3NkK8eXDY55SI8xTIh84KSealcJVQpdDUAte0 tx6u4k/DqgODO/oXKxM73L90PBZdv7Z9rk+kz40CesATs2hngrPjgMFL7Msga7G8 uTjQNVXMMmONw9xkTnw38RKvJRtcHlZGtCH2WyE1OU/IzFLNPpJdd5TUcd1E3NMy ZRw/CQLtsXYnOplY1ueIyFCC1iWmQa2jHe65nAP564YPQjvUIpIfkNZzx6Lqu3MW FSxkF4hIaXHHdrzBJjiTsfpSIhGeTVNkoTYNEM1B1pOFTPrL1QoZ =/lxZ -----END PGP SIGNATURE----- _______________________________________________________ Yahoo! doce lar. Faça do Yahoo! sua homepage. http://br.yahoo.com/homepageset.html